satana

General

Target

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
Size

49KB
Sample

210208-n19bntl3ge
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XtmxHRo8xkvaJ9FdNumLUARqsWvETHGCG5 here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Targets

- Target
  
  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
- Size
  
  49KB
- MD5
  
  46bfd4f1d581d7c0121d2b19a005d3df
- SHA1
  
  5b063298bbd1670b4d39e1baef67f854b8dcba9d
- SHA256
  
  683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
- SHA512
  
  b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5
Score

10^/10

satana bootkit persistence ransomware spyware
- Satana
  Ransomware family which also encrypts the system's Master Boot Record (MBR).
  ransomware satana
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2