{
	"id": "76605757-8a33-469f-a5b3-cc3e4637ec01",
	"created_at": "2026-04-06T00:13:32.731643Z",
	"updated_at": "2026-04-10T03:21:53.184535Z",
	"deleted_at": null,
	"sha1_hash": "3dff6bd629dc53d524b44f644d4941da5ba908db",
	"title": "Satan ransomware rebrands as 5ss5c ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 341308,
	"plain_text": "Satan ransomware rebrands as 5ss5c ransomware\r\nArchived: 2026-04-05 15:05:29 UTC\r\nThe cybercrime group that brought us Satan, DBGer and Lucky ransomware, and perhaps Iron ransomware, has now come up with a new version or rebranding named \"5ss5c\".\r\nIn a previous blog post, Satan ransomware adds EternalBlue exploit, I described how the group behind Satan ransomware has been actively developing its ransomware, adding new functionalities (specifically then: EternalBlue) and techniques with each run. Then, it appeared the group halted operations on at least the ransomware front for several months.\r\nHowever, as it turns out, the group has been working on new ransomware - 5ss5c - since at least November 2019.\r\nThe following tweet got my attention:\r\nAfter some quick checks, it appears this is a downloader for the 5ss5c ransomware, which is extremely reminiscent of how Satan ransomware operated:\r\nFigure 1 - 5ss5c downloader\r\nThe malware will leverage certutil and even contains logging:\r\nFigure 2 - certutil logging\r\nIt will download and leverage:\r\nSpreader (EternalBlue and hardcoded credentials);\r\nMimikatz and what appears to be another password dumper/stealer;\r\nThe actual ransomware.\r\nhttps://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html\r\nPage 1 of 9\r\nThe following hashes are relevant to this new variant:\r\nName: down.txt\r\nURL: http://58.221.158[.]90:88/car/down.txt\r\nPurpose: Downloader\r\nMD5: 680d9c8bb70e38d3727753430c655699\r\nSHA1: 5e72192360bbe436a3f4048717320409fb1a8009\r\nSHA256: ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f\r\nCompilation timestamp: 2020-01-11 19:04:24\r\nVirusTotal report: ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f\r\ndown.txt is, as mentioned, the downloader for the spreader module and for the actual ransomware:\r\nName: c.dat\r\nURL: http://58.221.158[.]90:88/car/c.dat\r\nPurpose: spreader\r\nMD5: 01a9b1f9a9db526a54a64e39a605dd30\r\nSHA1: a436e3f5a9ee5e88671823b43fa77ed871c1475b\r\nSHA256: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc\r\nCompilation timestamp: 2020-01-11 19:19:54\r\nVirusTotal report: 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc\r\nName: cpt.dat\r\nURL: http://58.221.158[.]90:88/car/cpt.dat\r\nPurpose: ransomware\r\nMD5: 853358339279b590fb1c40c3dc0cdb72\r\nSHA1: 84825801eac21a8d6eb060ddd8a0cd902dcead25\r\nSHA256: ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c\r\nCompilation timestamp: 2020-01-11 19:54:25\r\nVirusTotal report: ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c\r\nFun fact: file version information contains \"TODO: 5SS5C Encoder\".\r\nThe compilation times are sequential, which makes sense - the downloader has been developed (and compiled) first, then the spreader and the actual ransomware.\r\nNote that cpt.exe as a filename has already been observed in Satan ransomware.\r\nFurther indicators, such as hashes, URLs, file paths and so on, will be posted at the end of this blog post.\r\n5ss5c - still in development - and with oddities\r\nThere are quite a few curiosities that indicate 5ss5c is still in active development and stems from Satan ransomware, for example:\r\nThere are several logs created, e.g. there is a file \"C:\\Program Files\\Common Files\\System\\Scanlog\" that simply logs whether IPC SMB is open/available;\r\nCertutil logging (successful download or not);\r\nThere are several Satan ransomware artefacts;\r\nOther Tactics, Techniques and Procedures (TTP) align with both Satan (and DBGer), and slightly overlap with Iron:\r\nOne of these is, for example, the use of multiple packers to protect their droppers and payloads. This time however, they decided to use both MPRESS and Enigma, and even Enigma VirtualBox! (Note: Enigma and Enigma VirtualBox are not the same - the latter is a virtualised packer and is also referred to as EnigmaVM.)\r\nHowever, there are quite a few curiosities, one of them being what appear to be hardcoded credentials:\r\nFigure 3 - Hardcoded creds\r\nThese hardcoded credentials will be leveraged in an attempt to connect to an SQL database with the xp_cmdshell command:\r\nCuriously, we can identify the following data inside the ransomware in regards to the SQL database:\r\necology.url\r\necology.password\r\necology.user\r\nSearching a bit further, we can discover a company named Finereport (https://www.finereport.com/en/company), which claims to be \"Top 1 in China’s BI market share in IDC \"China BI Software Tracker, 2018\". You guessed it - it uses an SQL database.\r\nWhat else is new is, as mentioned before, the use of Enigma VirtualBox for packing an additional spreader module, aptly named poc.exe. This suggests they may be experimenting (poc is often an acronym for proof of concept).\r\nThis file will be dropped to C:\\ProgramData\\poc.exe and will run the following command:\r\ncd /D C:\\ProgramData\u0026star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\\ProgramData\\down64.dll --TargetIp\r\nNow compare this to Satan ransomware's command:\r\ncmd /c cd /D C:\\Users\\Alluse~1\\\u0026blue.exe --TargetIp \u0026 star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp\r\nSomething looks similar here... :-)\r\n5ss5c ransomware - how it operates\r\nBack to the actual ransomware. It will create the following mutexes:\r\nSSSS_Scan (in previous iterations SSS_Scan has also been observed)\r\n5ss5c_CRYPT\r\nJust like its predecessor, 5ss5c also has an exclusion list, where it will not encrypt specific files as well as files in the following folders:\r\nFigure 4 - Exclusion list\r\nFor example, the following folders belonging to Qihoo 360 (an internet security company based in China also offering antivirus) were already excluded in Satan and DBGer ransomware:\r\n360rec\r\n360sec\r\n360sand\r\nWhile these are new in 5ss5c ransomware:\r\n360downloads\r\n360safe\r\nAs in previous iterations, 5ss5c ransomware will stop database-related services and processes.\r\nIt will however only encrypt files with the following extensions:\r\n7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip\r\nThis extension list is not like before, and includes mostly documents, archives, database files and VMware-related extensions such as vmdk.\r\nThe ransomware will then create the following URI structure to communicate with the C2 server (61.186.243[.]2):\r\n/api/data.php?code=\u0026file=\u0026size=\u0026status=\u0026keyhash=\r\nIt will also create a ransom note on the C:\\ drive as: _如何解密我的文件_.txt, which translates to _How to decrypt my file_.txt. Example content is as follows:\r\nFigure 5 - ransom note\r\nThe content reads:\r\n部分文件已经被加密\r\n如果你想找回加密文件,发送 (1) 个比特币到我的钱包\r\n从加密开始48小时之内没有完成支付,解密的金额会发生翻倍.\r\n如果有其他问题,可以通过邮件联系我\r\n您的解密凭证是 :\r\nEmail:[5ss5c@mail.ru]\r\nTranslated:\r\nSome files have been encrypted\r\nIf you want to retrieve the encrypted files, send (1) Bitcoin to my wallet\r\nIf payment is not completed within 48 hours from the start of encryption, the amount for decryption will double.\r\nIf you have other questions, you can contact me by email\r\nYour decryption credentials are:\r\nEmail: [5ss5c@mail.ru]\r\nInterestingly, the ransom note does not contain a Bitcoin address. Additionally, the note only contains instructions in Chinese, not Korean nor English like previous iterations. Is 5ss5c ransomware more targeted, or just actively being tested by the group/developers behind it?\r\nEncrypted files will have the actor's email address prepended and a unique token with the ransomware's name appended, for example:\r\ntest.txt becomes [5ss5c@mail.ru]test.txt.Y54GUHKIG1T2ZLN76II9F3BBQV7MK4UOGSQUND7U.5ss5c.\r\nPrevention\r\nEnable UAC;\r\nEnable Windows Update, and install updates (especially verify if MS17-010 is installed);\r\nInstall an antivirus, and keep it up-to-date and running;\r\nInstall a firewall, or enable the Windows Firewall;\r\nRestrict, where possible, access to shares (ACLs);\r\nCreate backups! (and test them)\r\nMore ransomware prevention can be found here.\r\nConclusion\r\nSatan is dead, long live 5ss5c! It just doesn't sound as good, does it?\r\nWhoever's behind the development of Satan, DBGer, Lucky and likely Iron ransomware is back in business with the 5ss5c ransomware, and it appears to be in active development - and is trying to increase (or perhaps focus?) its targeting and spread of the ransomware.\r\nIt is recommended that organisations detect and/or search for the indicators of compromise (IOCs) below, and have proper prevention controls in place. MITRE ATT\u0026CK IDs can also be found below.\r\nIndicators of Compromise:\r\nType Indicator\r\nFile C:\\Program Files\\Common Files\\System\\Scanlog\r\nFile C:\\Program Files\\Common Files\\System\\cpt.exe\r\nFile C:\\Program Files\\Common Files\\System\\tmp\r\nFile C:\\ProgramData\\5ss5c_token\r\nFile C:\\ProgramData\\blue.exe\r\nFile C:\\ProgramData\\blue.fb\r\nFile C:\\ProgramData\\blue.xml\r\nFile C:\\ProgramData\\down64.dll\r\nFile C:\\ProgramData\\mmkt.exe\r\nFile C:\\ProgramData\\poc.exe\r\nFile C:\\ProgramData\\star.exe\r\nFile C:\\ProgramData\\star.fb\r\nFile C:\\ProgramData\\star.xml\r\nRegistry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\5ss5cStart\r\nCommand C:\\Windows\\system32\\cmd.exe /c cd /D C:\\ProgramData\u0026blue.exe --TargetIp\r\nCommand star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload C:\\ProgramData\\down64.dll --TargetIp\r\nMutex SSSS_Scan\r\nMutex 5ss5c_CRYPT\r\nEmail 5ss5c@mail.ru\r\nURL http://58.221.158.90:88/car/down.txt\r\nURL http://58.221.158.90:88/car/c.dat\r\nURL http://58.221.158.90:88/car/cpt.dat\r\nIP 58.221.158.90\r\nIP 61.186.243.2\r\nHash 82ed3f4eb05b76691b408512767198274e6e308e8d5230ada90611ca18af046d\r\nHash dc3103fb21f674386b01e1122bb910a09f2226b1331dd549cbc346d8e70d02df\r\nHash 9a1365c42f4aca3e9c1c5dcf38b967b73ab56e4af0b4a4380af7e2bf185478bc\r\nHash af041f6ac90b07927696bc61e08a31a210e265a997a62cf732f7d3f5c102f1da\r\nHash ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c\r\nHash e685aafc201f851a47bc926dd39fb12f4bc920f310200869ce0716c41ad92198\r\nHash e5bb194413170d111685da51b58d2fd60483fc7bebc70b1c6cb909ef6c6dd4a9\r\nHash ddfd1d60ffea333a1565b0707a7adca601dafdd7ec29c61d622732117416545f\r\nHash ef90dcc647e50c2378122f92fba4261f6eaa24b029cfa444289198fb0203e067\r\nHash 47fa9c298b904d66a5eb92c67dee602198259d366ef4f078a8365beefb9fdc95\r\nHash 68e644aac112fe3bbf4e87858f58c75426fd5fda93f194482af1721bc47f1cd7\r\nHash ea7caa08e115dbb438e29da46b47f54c62c29697617bae44464a9b63d9bddf18\r\nHash 23205bf9c36bbd56189e3f430c25db2a27eb089906b173601cd42c66a25829a7\r\nHash a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f\r\nHash cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de\r\nHash 8e348105cde49cad8bfbe0acca0da67990289e108799c88805023888ead74300\r\nHash ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41\r\nHash de3c5fc97aecb93890b5432b389e047f460b271963fe965a3f26cb1b978f0eac\r\nHash bd291522025110f58a4493fad0395baec913bd46b1d3fa98f1f309ce3d02f179\r\nHash 75d543aaf9583b78de645f13e0efd8f826ff7bcf17ea680ca97a3cf9d552fc1f\r\nHash 50e771386ae200b46a26947665fc72a2a330add348a3c75529f6883df48c2e39\r\nHash 0aa4b54e9671cb83433550f1d7950d3453ba8b52d8546c9f3faf115fa9baad7e\r\nHash 5d12b1fc6627b0a0df0680d6556e782b8ae9270135457a81fe4edbbccc0f3552\r\nThese indicators are also available on AlienVault OTX:\r\nSatan ransomware rebrands as 5ss5c ransomware\r\nMITRE ATT\u0026CK techniques\r\nT1210 - Exploitation of Remote Services\r\nT1003 - Credential Dumping\r\nT1486 - Data Encrypted for Impact\r\nT1105 - Remote File Copy\r\nT1027 - Obfuscated Files or Information\r\nS0002 - Mimikatz\r\nSource: https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html"
	],
	"report_names": [
		"satan-ransomware-rebrands-as-5ss5c.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3dff6bd629dc53d524b44f644d4941da5ba908db.pdf",
		"text": "https://archive.orkl.eu/3dff6bd629dc53d524b44f644d4941da5ba908db.txt",
		"img": "https://archive.orkl.eu/3dff6bd629dc53d524b44f644d4941da5ba908db.jpg"
	}
}