{
	"id": "1c80079b-59b3-4b4f-9dd1-4644624fefe6",
	"created_at": "2026-04-06T00:19:22.919741Z",
	"updated_at": "2026-04-10T03:24:29.581415Z",
	"deleted_at": null,
	"sha1_hash": "6bc3ad509dcbd9887387d23a04c51751cf0c8c8d",
	"title": "BKDR_SARHUST.A - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58451,
	"plain_text": "BKDR_SARHUST.A - Threat Encyclopedia | Trend Micro (US)\r\nAnalysis by: Abraham Latimer Camba\r\nArchived: 2026-04-05 17:32:58 UTC\r\nThis backdoor may be dropped by other malware.\r\nIt executes commands from a remote malicious user, effectively compromising the affected system.\r\nIt creates an event.\r\nArrival Details\r\nThis backdoor may be dropped by the following malware:\r\nTROJ_ARTIEF.PT\r\nInstallation\r\nThis backdoor drops the following non-malicious files:\r\n%Temp%\\Debug.log - malware's log file\r\n%Temp%\\wmiprvse.ini\r\n(Note: %Temp% is the Windows Temporary folder, which is usually C:\\Windows\\Temp or C:\\WINNT\\Temp.)\r\nIt adds the following mutex to ensure that only one of its copies runs at any one time:\r\nHUSSARINI\r\nOther System Modifications\r\nThis backdoor adds the following registry entries:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\r\nIntervalTime = \"{random number}\"\r\nHKEY_CURRENT_USER\\Software\\Microsoft\r\nServerID = \"{random number}\"\r\nBackdoor Routine\r\nThis backdoor executes the following commands from a remote malicious user:\r\nCreate files\r\nRead files\r\nModify files\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a\r\nPage 1 of 3\n\nExecute files\r\nGet file information\r\nDownload additional components\r\nIt connects to the following URL(s) to send and receive commands from a remote malicious user:\r\nhttp://{BLOCKED}i.{BLOCKED}s-mail.com\r\nIt posts the following information to its command and control (C\u0026C) server:\r\nUser name\r\nComputer name\r\nOS information\r\nCPU information\r\nOther Details\r\nThis backdoor creates the following event(s):\r\nHussarCreate\r\nStep 1\r\nFor Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.\r\nStep 2\r\nRemove the malware/grayware file that dropped/downloaded BKDR_SARHUST.A:\r\nTROJ_ARTIEF.PT\r\nStep 3\r\nIdentify and terminate files detected as BKDR_SARHUST.A\r\na. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.\r\nb. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue with the next steps.\r\nStep 4\r\nDelete this registry value\r\nImportant: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.\r\nIn HKEY_CURRENT_USER\\Software\\Microsoft\r\nIntervalTime = \"{random number}\"\r\nIn HKEY_CURRENT_USER\\Software\\Microsoft\r\nServerID = \"{random number}\"\r\nStep 5\r\nSearch and delete these files\r\nThere may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the \"More advanced options\" option to include all hidden files and folders in the search result.\r\n%Temp%\\Debug.log\r\n%Temp%\\wmiprvse.ini\r\nStep 6\r\nScan your computer with your Trend Micro product to delete files detected as BKDR_SARHUST.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a"
	],
	"report_names": [
		"bkdr_sarhust.a"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bc3ad509dcbd9887387d23a04c51751cf0c8c8d.pdf",
		"text": "https://archive.orkl.eu/6bc3ad509dcbd9887387d23a04c51751cf0c8c8d.txt",
		"img": "https://archive.orkl.eu/6bc3ad509dcbd9887387d23a04c51751cf0c8c8d.jpg"
	}
}