Win32/Sathurbot [Threat Name]

Win32/Sathurbot.A [Threat Variant Name]

Category trojan
Size 225280 B
Aliases Backdoor.Win32.Agent.deje (Kaspersky)
  Trojan:Win32/Sathurbot.A (Microsoft)
  Infostealer (Symantec)
  BackDoor.HydraLoader.6 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

The trojan is often included in the installation packages of programs downloaded from untrustworthy sources.

The trojan may create copies of itself using the following filenames:

  • %currentfolder%\MediaIconsOverlays.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32]
    • "(Default)" = "%malwarefilepath%"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\MediaIconsOverlay]
    • "(Default)" = "{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
  • [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
    • "(Default)" = "Media Icons Overlay Helper Tool"
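
The entries above register the DLL as a COM in-process server and then hook it into Explorer as a shell icon overlay handler, so Explorer loads it on every start. The following is an added defender-side check, not ESET's code or anything from this page: it walks a registry snapshot (represented as a plain dict so it runs offline) and flags overlay handlers whose CLSID is the one listed above or whose server DLL lives outside Windows and Program Files. The benign overlay's CLSID and both DLL paths in the sample snapshot are constructed.

```python
# Added example: audit Explorer icon-overlay handlers for the persistence pattern
# described above. Input is a dict of HKLM key path -> {value name: data}, the same
# shape you get by walking the keys with winreg on a live host.

# CLSID taken from the threat description
SATHURBOT_CLSID = "{1EC23CFF-4C58-458f-924C-8519AEF61B32}"

OVERLAY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"

# Locations a legitimate overlay handler DLL is expected to load from
TRUSTED_PREFIXES = (
    "%systemroot%\\", "%programfiles%\\", "%programfiles(x86)%\\",
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)


def audit_icon_overlays(hklm):
    """Return one finding per suspicious overlay handler in the snapshot."""
    findings = []
    for name, values in hklm.get(OVERLAY_KEY, {}).items():
        clsid = values.get("(Default)", "")
        # Resolve the handler CLSID to the DLL Explorer will actually load
        server_key = r"Software\CLASSES\CLSID\%s\InprocServer32" % clsid
        dll = hklm.get(server_key, {}).get("(Default)", "")
        reasons = []
        if clsid.lower() == SATHURBOT_CLSID.lower():
            reasons.append("known Sathurbot CLSID")
        if not dll:
            reasons.append("no InprocServer32 registered for CLSID")
        elif not dll.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("server DLL outside Windows/Program Files")
        if reasons:
            # Overlay names often carry leading spaces to win Explorer's ordering
            findings.append({"overlay": name.strip(), "clsid": clsid,
                             "dll": dll, "reasons": reasons})
    return findings


# Constructed snapshot: the entries from the description plus one benign handler
# with a hypothetical CLSID. %currentfolder% is not known, so a plausible path is used.
SAMPLE_SNAPSHOT = {
    OVERLAY_KEY: {
        "MediaIconsOverlay": {"(Default)": SATHURBOT_CLSID},
        " ExampleSyncOverlay": {"(Default)": "{00000000-0000-0000-0000-00000000AAAA}"},
    },
    r"Software\CLASSES\CLSID\%s\InprocServer32" % SATHURBOT_CLSID: {
        "(Default)": r"C:\Users\Public\Downloads\MediaIconsOverlays.dll",
        "ThreadingModel": "Apartment",
    },
    r"Software\CLASSES\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32": {
        "(Default)": r"C:\Program Files\ExampleSync\ExampleOverlay.dll",
    },
}

if __name__ == "__main__":
    for f in audit_icon_overlays(SAMPLE_SNAPSHOT):
        print(f)
```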

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{DC76A948-97DA-435e-B7A0-149BB4298979}]
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open ports
  • send open TCP and UDP port numbers to a remote computer

The following programs are terminated:

  • msseces.exe
  • msascui.exe

The following services are disabled:

  • MsMpSvc
  • WinDefend
  • wscsvc
  • SharedAccess
  • wuauserv
  • MpsSvc

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MSC" = "%filepath%"
    • "Windows Defender" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MSC" = "%filepath%"
    • "Windows Defender" = "%filepath%"

The trojan checks for Internet connectivity by trying to connect to the following addresses:
