Win32/Sathurbot [Threat Name] go to Threat

Win32/Sathurbot.A [Threat Variant Name]

Category	trojan
Size	225280 B
Aliases	Backdoor.Win32.Agent.deje (Kaspersky)
	Trojan:Win32/Sathurbot.A (Microsoft)
	Infostealer (Symantec)
	BackDoor.HydraLoader.6 (Dr.Web)

The trojan serves as a backdoor. It can be controlled remotely.

The trojan is often included in the installation packages of programs downloaded from untrustworthy sources.

The trojan may create copies of itself using the following filenames:

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32]
- "(Default)" = "%malwarefilepath%"
- "ThreadingModel" = "Apartment"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\MediaIconsOverlay]
- "(Default)" = "{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
- "(Default)" = "Media Icons Overlay Helper Tool"

The trojan keeps various information in the following Registry key:

[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DC76A948-97DA-435e-B7A0-149BB4298979}]

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It can execute the following operations:

The following programs are terminated:

The following services are disabled:

The trojan may delete the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "MSC" = "%filepath%"
- "Windows Defender" = "%filepath%"
[HKEY_LOCAL_MACHINESoftware\Microsoft\Windows\CurrentVersion\Run]
- "MSC" = "%filepath%"
- "Windows Defender" = "%filepath%"

The trojan checks for Internet connectivity by trying to connect to the following addresses: