[Community-sigs] Satan Ransomware RaaS downloader

Askar Dyussekeyev dyussekeyev at yandex.kz
Mon Apr 10 11:58:12 EDT 2017


Info:
- https://satan6dll23napb5.onion.to/droppers (RaaS website, need to register)

Samples:
- https://virustotal.com/ru/file/0a3f919eba596900a1b6e793a30904c85a38d9ec0b882e6327607105adaefb5f/analysis/1491839688/
- https://virustotal.com/ru/file/14e1b29392ac3ad11c342343383a1bd81e016c542ab5031a146a135d5df0b02e/analysis/1491839764/

02.04.2017, 02:41, "Askar Dyussekeyev" <dyussekeyev at yandex.kz>:
> Hello!
>
> Here is a simple logical signature for the Satan Ransomware RaaS downloader (classified as a "dropper" on the RaaS website) that looks for specific strings (in HTML and TEXT formats):
>
> Win.Downloader.Satan.HTML;Engine:51-255,Target:3;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
>
> Win.Downloader.Satan.TXT;Engine:51-255,Target:7;0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;68696464656E;636F6D6D616E64;6E65772D6F626A656374;73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;7772697465616C6C6279746573;7368656C6C65786563757465
>
> Best regards,
> Askar
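
Added example (not part of the original post, and not ClamAV code): a Python sketch that parses the HTML variant of the logical signature quoted above, decodes its hex subsignatures into the lowercase keywords they encode, and evaluates the logical expression, showing that `(6>1)` only fires when `new-object` matches more than once. It assumes that lowercasing approximates ClamAV's normalisation for Target:3 and Target:7 and that non-overlapping substring counts approximate its match counting; the function names and sample strings are constructed for illustration.

```python
import re
# HTML variant of the signature, copied verbatim from the post above.
SIG = ("Win.Downloader.Satan.HTML;Engine:51-255,Target:3;"
       "0&1&2&3&4&5&(6>1)&7&8&9&10&11&12&13&14;706F7765727368656C6C;"
       "657865637574696F6E706F6C696379;627970617373;77696E646F777374796C65;"
       "68696464656E;636F6D6D616E64;6E65772D6F626A656374;"
       "73797374656D2E6E65742E776562636C69656E74;646F776E6C6F616464617461;"
       "636F756E74;6C656E677468;62786F72;73797374656D2E636F6E76657274;"
       "7772697465616C6C6279746573;7368656C6C65786563757465")

def parse_ldb(line):
    """Split Name;TargetDescriptionBlock;LogicalExpression;Subsig0;..."""
    name, tdb, expr, *subs = line.split(";")
    tdb = dict(kv.split(":") for kv in tdb.split(","))
    return name, tdb, expr, [bytes.fromhex(s) for s in subs]

def evaluate(expr, counts):
    """Evaluate & | ( ) and count modifiers (A>X, A<X, A=X), left to right."""
    toks, pos = re.findall(r"\d+|[&|()<>=]", expr), 0
    def atom():
        nonlocal pos
        if toks[pos] == "(":
            pos += 1
            val = expression()
        else:
            val = counts[int(toks[pos])]
        pos += 1  # step past the subsig index or the closing ")"
        if pos < len(toks) and toks[pos] in ("<", ">", "="):
            op, n = toks[pos], int(toks[pos + 1])
            pos += 2
            return {"<": val < n, ">": val > n, "=": val == n}[op]
        return val > 0
    def expression():
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos] in ("&", "|"):
            op, pos = toks[pos], pos + 1
            rhs = atom()
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    return expression()

def matches(line, text):
    # Approximation (assumption): lowercase, then count non-overlapping hits.
    _, _, expr, subs = parse_ldb(line)
    data = text.lower().encode()
    return evaluate(expr, [data.count(s) for s in subs])

# Constructed, non-functional samples made only of the signature's keywords.
KEYWORDS = [s.decode() for s in parse_ldb(SIG)[3]]
ONE_NEW_OBJECT = " ".join(KEYWORDS)
TWO_NEW_OBJECT = ONE_NEW_OBJECT + " New-Object"
```

Printing `KEYWORDS` lists the fifteen decoded strings in subsignature order, which makes it easy to review what the rule keys on before deploying it.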


