Satana[.]zip | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

Satana.zip
Size

114KB
MD5

4f901b9d6aacd99e24369c31d4245a00
SHA1

67dbc8b83e84a4b7fb373fbda1e4cadcc043486d
SHA256

fa5319c49d70b66f2d241ad3a651c2015842e5529e13da77dc11b5effdcc113c
SHA512

a7c56383cbb72404bf31770521c47a517fe676ee6fa835fe69b0dbe45a533730d6f690db74447f2e98eaa64404d2a280baa786838b3e1f46536de6201087c90f
SSDEEP

3072:GBf9IOXok6DODtY40kDsjiL6sm4liU0vM6eW4sz:2fuoh6It5biOmgFkheWhz

Score

3^/10

Malware Config

Signatures

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
unpack001/Satana/satana.bin
unpack001/Satana/unpacked.mem
unpack001/unpacked.mem

Files

Satana.zip
.zip

Password: infected
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96.bin
.exe windows:5 windows x86 arch:x86

Password: infected

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

vsprintf
memmove
NtYieldExecution
strchr
strncpy
_stricmp
memset

kernel32

GetLocalTime
OutputDebugStringA

user32

MessageBoxA

opengl32

glEnd
glEnable
glLineWidth
glPolygonMode
glColor3d
glBegin
glDisable
glClear
glPointSize
glLineStipple
glVertex3d

Sections

.text
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Satana/satana.bin
.exe windows:5 windows x86 arch:x86

Password: infected

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_ISOLATION
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

vsprintf
memmove
NtYieldExecution
strchr
strncpy
_stricmp
memset

kernel32

GetLocalTime
OutputDebugStringA

user32

MessageBoxA

opengl32

glEnd
glEnable
glLineWidth
glPolygonMode
glColor3d
glBegin
glDisable
glClear
glPointSize
glLineStipple
glVertex3d

Sections

.text
Size: 8KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 930B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Satana/unpacked.mem
.exe windows:5 windows x86 arch:x86

Password: infected

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetNtVersionNumbers
strrchr
wcsncmp
wcstombs
_vsnwprintf
wcsstr
wcsrchr
NtQueryInformationProcess
RtlGetCurrentPeb
NtYieldExecution
vsprintf
mbstowcs
sprintf
_stricmp
_chkstk
memset
memcpy
_allrem
RtlUnwind

msvcrt

??3@YAXPAX@Z
free
??2@YAPAXI@Z
malloc

kernel32

GetTempPathW
SwitchToThread
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
SetFileAttributesW
ResumeThread
WriteProcessMemory
LocalFree
DeleteFileW
GetWindowsDirectoryW
CloseHandle
GetFullPathNameW
ExitProcess
GetCommandLineW
GetComputerNameA
CreateFileA
GetFileSize
SetPriorityClass
FindFirstFileW
SetFilePointer
GetLocaleInfoA
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
FreeLibrary
HeapAlloc
SetUnhandledExceptionFilter
InterlockedIncrement
MoveFileExW
InterlockedDecrement
GetCurrentProcess
GetLogicalDriveStringsW
HeapFree
WaitForSingleObject
GetSystemDefaultLCID
OutputDebugStringW
GetTickCount
GetProcessHeap
FormatMessageA
WriteFile
InitializeCriticalSection
GetSystemDirectoryW
Sleep
CopyFileW
LeaveCriticalSection
HeapCreate
CreateProcessA
ReadFile
CreateFileW
SetThreadPriority
FlushFileBuffers
OutputDebugStringA
GetFileSizeEx
GetLastError
GetProcAddress
QueueUserAPC
MoveFileW
EnterCriticalSection
VirtualAllocEx
FindClose
GetLocalTime
LoadLibraryA
CreateFileMappingA
LocalAlloc
DeviceIoControl
WaitForMultipleObjects
GetModuleFileNameA
GetModuleHandleA
FindNextFileW
GetShortPathNameW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

ws2_32

WSAStartup
connect
send
gethostbyname
closesocket
socket
htons

user32

MessageBoxA
wsprintfW

advapi32

GetUserNameA
RegSetValueExW
RegCloseKey
GetCurrentHwProfileW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA

shell32

CommandLineToArgvW

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
unpacked.mem
.exe windows:5 windows x86 arch:x86

Password: infected

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

ntdll

RtlGetNtVersionNumbers
strrchr
wcsncmp
wcstombs
_vsnwprintf
wcsstr
wcsrchr
NtQueryInformationProcess
RtlGetCurrentPeb
NtYieldExecution
vsprintf
mbstowcs
sprintf
_stricmp
_chkstk
memset
memcpy
_allrem
RtlUnwind

msvcrt

??3@YAXPAX@Z
free
??2@YAPAXI@Z
malloc

kernel32

GetTempPathW
SwitchToThread
ExpandEnvironmentStringsW
CreateThread
DeleteFileA
SetFileAttributesW
ResumeThread
WriteProcessMemory
LocalFree
DeleteFileW
GetWindowsDirectoryW
CloseHandle
GetFullPathNameW
ExitProcess
GetCommandLineW
GetComputerNameA
CreateFileA
GetFileSize
SetPriorityClass
FindFirstFileW
SetFilePointer
GetLocaleInfoA
MapViewOfFile
UnmapViewOfFile
GetDriveTypeW
FreeLibrary
HeapAlloc
SetUnhandledExceptionFilter
InterlockedIncrement
MoveFileExW
InterlockedDecrement
GetCurrentProcess
GetLogicalDriveStringsW
HeapFree
WaitForSingleObject
GetSystemDefaultLCID
OutputDebugStringW
GetTickCount
GetProcessHeap
FormatMessageA
WriteFile
InitializeCriticalSection
GetSystemDirectoryW
Sleep
CopyFileW
LeaveCriticalSection
HeapCreate
CreateProcessA
ReadFile
CreateFileW
SetThreadPriority
FlushFileBuffers
OutputDebugStringA
GetFileSizeEx
GetLastError
GetProcAddress
QueueUserAPC
MoveFileW
EnterCriticalSection
VirtualAllocEx
FindClose
GetLocalTime
LoadLibraryA
CreateFileMappingA
LocalAlloc
DeviceIoControl
WaitForMultipleObjects
GetModuleFileNameA
GetModuleHandleA
FindNextFileW
GetShortPathNameW

mpr

WNetOpenEnumW
WNetEnumResourceW
WNetCloseEnum

ws2_32

WSAStartup
connect
send
gethostbyname
closesocket
socket
htons

user32

MessageBoxA
wsprintfW

advapi32

GetUserNameA
RegSetValueExW
RegCloseKey
GetCurrentHwProfileW
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA
RegQueryValueExA

shell32

CommandLineToArgvW

Sections

.text
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

user32

opengl32

Sections

.text Size: 8KB - Virtual size: 12KB

.data Size: 38KB - Virtual size: 40KB

.rsrc Size: 1024B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 930B

Password: infected

a3bc0305643e7601d6deca72652f4ab5

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

user32

opengl32

Sections

.text Size: 8KB - Virtual size: 12KB

.data Size: 38KB - Virtual size: 40KB

.rsrc Size: 1024B - Virtual size: 4KB

.reloc Size: 1024B - Virtual size: 930B

Password: infected

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

msvcrt

kernel32

mpr

ws2_32

user32

advapi32

shell32

Sections

.text Size: 22KB - Virtual size: 21KB

.data Size: 8KB - Virtual size: 70KB

.tls Size: 512B - Virtual size: 12B

.reloc Size: 2KB - Virtual size: 2KB

Password: infected

d99e35e9d4559cb6df0e1eb507b928cc

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

msvcrt

kernel32

mpr

ws2_32

user32

advapi32

shell32

Sections

.text Size: 22KB - Virtual size: 21KB

.data Size: 8KB - Virtual size: 70KB

.tls Size: 512B - Virtual size: 12B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 8KB - Virtual size: 12KB

.data
Size: 38KB - Virtual size: 40KB

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 930B

.text
Size: 8KB - Virtual size: 12KB

.data
Size: 38KB - Virtual size: 40KB

.rsrc
Size: 1024B - Virtual size: 4KB

.reloc
Size: 1024B - Virtual size: 930B

.text
Size: 22KB - Virtual size: 21KB

.data
Size: 8KB - Virtual size: 70KB

.tls
Size: 512B - Virtual size: 12B

.reloc
Size: 2KB - Virtual size: 2KB

.text
Size: 22KB - Virtual size: 21KB

.data
Size: 8KB - Virtual size: 70KB

.tls
Size: 512B - Virtual size: 12B

.reloc
Size: 2KB - Virtual size: 2KB