Satana[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Satana.zip
Size

58KB
MD5

8b1504d2aa1b16ebb5e18c8e17000774
SHA1

19ca98c3253a7d78be63a386dec992ae02f31f59
SHA256

08a5c7e314d1d7b05948df589b1682f887ddf7d91e7bf2427566b858801c2daa
SHA512

587793b55f8a758796ceef1a2632213459dcc17b47603a481a34868bd3cc2049e17ff3d2c7673dd5280e1fa7891b4215a5b5c39b59f1daf47321fff46532c6e1
SSDEEP

1536:xBfLHxIOBET2Uvk6w5yD5O92x2HtYli0kR5sJ7LNeeSLK/TF:xBf9IOXok6DODtY40kDsjiL65

Score

3^/10

Malware Config

Signatures

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack002/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
unpack002/unpacked.mem

Files

Satana.zip
.zip
Ransomware.Satana (1).zip
.zip

Password: infected
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
.exe windows:5 windows x86 arch:x86

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

vsprintf
memmove
NtYieldExecution
strchr
strncpy
_stricmp
memset

kernel32

GetLocalTime
OutputDebugStringA

user32

MessageBoxA

opengl32

glEnd
glEnable
glLineWidth
glPolygonMode
glColor3d
glBegin
glDisable
glClear
glPointSize
glLineStipple
glVertex3d

Sections

.text
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
unpacked.mem
.exe windows:5 windows x86 arch:x86

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetNtVersionNumbers
strrchr
wcsncmp
wcstombs
_vsnwprintf
wcsstr
wcsrchr
NtQueryInformationProcess
RtlGetCurrentPeb
NtYieldExecution
vsprintf
mbstowcs
sprintf
_stricmp
_chkstk
memset
memcpy
_allrem
RtlUnwind

msvcrt

??3@YAXPAX@Z
free
??2@YAPAXI@Z
malloc

kernel32

GetTempPathW
SwitchToThread
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
SetFileAttributesW
ResumeThread
WriteProcessMemory
LocalFree
DeleteFileW
GetWindowsDirectoryW
CloseHandle
GetFullPathNameW
ExitProcess
GetCommandLineW
GetComputerNameA
CreateFileA
GetFileSize
SetPriorityClass
FindFirstFileW
SetFilePointer
GetLocaleInfoA
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
FreeLibrary
HeapAlloc
SetUnhandledExceptionFilter
InterlockedIncrement
MoveFileExW
InterlockedDecrement
GetCurrentProcess
GetLogicalDriveStringsW
HeapFree
WaitForSingleObject
GetSystemDefaultLCID
OutputDebugStringW
GetTickCount
GetProcessHeap
FormatMessageA
WriteFile
InitializeCriticalSection
GetSystemDirectoryW
Sleep
CopyFileW
LeaveCriticalSection
HeapCreate
CreateProcessA
ReadFile
CreateFileW
SetThreadPriority
FlushFileBuffers
OutputDebugStringA
GetFileSizeEx
GetLastError
GetProcAddress
QueueUserAPC
MoveFileW
EnterCriticalSection
VirtualAllocEx
FindClose
GetLocalTime
LoadLibraryA
CreateFileMappingA
LocalAlloc
DeviceIoControl
WaitForMultipleObjects
GetModuleFileNameA
GetModuleHandleA
FindNextFileW
GetShortPathNameW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

ws2_32

WSAStartup
connect
send
gethostbyname
closesocket
socket
htons

user32

MessageBoxA
wsprintfW

advapi32

GetUserNameA
RegSetValueExW
RegCloseKey
GetCurrentHwProfileW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA

shell32

CommandLineToArgvW

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
mods do yomi hustle.txt

Sharing

General

Malware Config

Signatures

Files

Password: infected

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

user32

opengl32

Sections

.text Size: 8KB - Virtual size: 12KB

.data Size: 38KB - Virtual size: 40KB

.rsrc Size: 1024B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 930B

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

msvcrt

kernel32

mpr

ws2_32

user32

advapi32

shell32

Sections

.text Size: 22KB - Virtual size: 21KB

.data Size: 8KB - Virtual size: 70KB

.tls Size: 512B - Virtual size: 12B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 8KB - Virtual size: 12KB

.data
Size: 38KB - Virtual size: 40KB

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 930B

.text
Size: 22KB - Virtual size: 21KB

.data
Size: 8KB - Virtual size: 70KB

.tls
Size: 512B - Virtual size: 12B

.reloc
Size: 2KB - Virtual size: 2KB