Sage.DA Ransomware

By CagedTech in Ransomware

Threat Scorecard

Popularity Rank: 18,033
Threat Level: 100 % (High)
Infected Computers: 23
First Seen: September 1, 2021
Last Seen: January 7, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Sage.DA Ransomware
Signature status: No Signature

Known Samples

MD5: 1812da398cb164aa087464d193100e4e
SHA1: 3c71deb91e1af638aadc009298bed9fbc1a5a2ac
SHA256: D4288FA6B44A7C14FD4DDFEC630F1F1721BC2AFA86A249841B40A329D1B7C3B3
File Size: 527.36 KB, 527360 bytes
MD5: aef84dfdbfe180858cecec143e75197f
SHA1: eaa9be800ae519fd31297cbfb13bdeab7f6dafc0
SHA256: 7C9071E75701A4092BFC51F3A2E89E6E3F11263ECB57DB2C22EFC83990558EA8
File Size: 515.58 KB, 515584 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have security information
  • File has exports table
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

  • No Version Info
  • x86

Block Information

Total Blocks: 942
Potentially Malicious Blocks: 348
Whitelisted Blocks: 594
Unknown Blocks: 0

Visual Map

x 0 x x 0 x 0 x 0 x x 0 x x x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x 0 x x x x x x 0 x x x 0 0 x 0 x x x 0 0 0 x x x x x x x x 0 x 0 0 0 0 x x x x x x 0 x 0 x x 0 0 x x x x x x x x x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x 0 0 0 0 x x x x x x x x x x x x x x x x x x 0 0 0 0 0 x x x x x x 0 x 0 x 0 x x x x x x 0 x 0 x 0 0 x x x x 0 0 0 0 x x x x x 0 x 0 x 0 0 0 x x x x x x x x x x x x x x x x x x x x x x x x x x 0 0 0 x x x x x 0 x 0 x 0 0 0 x x x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x 0 x x x 0 x x x x 0 x x x x x x x x x x x x x x x 0 x x x x 0 x x 0 x x x x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x x x x x x x 0 0 x x x x 0 x 0 x 0 0 0 0 0 0 0 x x x x x 0 0 0 0 0 x x x x x x x 0 x x x x x x x x x x x x x x x x x 0 0 0 0 x x 0 x x x x x 0 x 0 x 0 0 0 x 0 x x x x x x x x x x 0 0 x x x x x 0 x x 0 x 0 0 0 x x x 0 x 0 0 x x x x x x x 0 x x x x 0 x x x x x x x x x x 0 x x x 0 x x x x x x x 0 x x x 0 x x x x x x 0 x 0 x 0 0 0 x x x x x x x x x x x x x x x x x 0 x 0 x x 0 0 0 x x 0 x x 0 0 0 0 0 0 0 0 0 1 0 0 2 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 2 0 0 0 1 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 3 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 1 0 0 0 1 0 0 0 1 1 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 0 0 2 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
c:\programdata\botoboto\mybotos.exe Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\win\winex86 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\programdata\{1b4b8d0e-1d59-4d1d-967b-abe3a55e72d8}\{38380b48-e071-4fb4-ba62-7a2ae0e61683}.bat Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\{abd9f80c-0d39-4c09-a358-8d4693126b20}.lnk Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\{cb33d65c-bb65-4ddc-b4e7-3970a302a24e}::{d43094a0-ae7e-46b3-b65e-fcd97d604ad5} 뵢㊵ǜ RegNtPreCreateKey
HKCU\software\{cb33d65c-bb65-4ddc-b4e7-3970a302a24e}::{622c49dc-18a2-419b-9bf3-6cd69fa50a44} 婍￿¸@øἎ຺됀촉렡䰁⇍桔獩瀠潲牧浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ਍$䍝槊∙㪤∙㪤∙㪤呶㨺∌㪤娐㨧∝㪤娐㨷∐㪤∙㪥⊖㪤呶㨏≖㪤呶㨎≩㪤呶㨿∘㪤呶㨾∘㪤呶㨹∘㪤楒档∙㪤䕐Ō RegNtPreCreateKey
HKCU\software\{cb33d65c-bb65-4ddc-b4e7-3970a302a24e}::{e817b46c-d0c3-4f9b-8ce5-b67ed08c1800} c:\users\user\downloads\3c71deb91e1af638aadc009298bed9fbc1a5a2ac_0000527360 RegNtPreCreateKey
HKCU\software\{5238e199-3e7b-405d-a081-4e2f222b1f0a}::{f1b446b7-af7d-44b7-8484-d181132515f4} ꥀ聵ǜ RegNtPreCreateKey
HKCU\software\{5238e199-3e7b-405d-a081-4e2f222b1f0a}::{d9a52cdf-eaf5-41bf-9d52-a501a357b416} 婍￿¸@ĀἎ຺됀촉렡䰁⇍桔獩瀠潲牧浡挠湡潮⁴敢爠湵椠佄⁓潭敤മ਍$ꦂ큗죆茹죆茹죆茹뺩莒죂茹嗝莧죓茹냏莺죂茹냏莪죏茹죆茸졋茹嗝莒좍茹嗝莓좶茹嗝莢죇茹嗝莣죇茹嗝莤죇茹楒档죆茹 RegNtPreCreateKey
HKCU\software\{5238e199-3e7b-405d-a081-4e2f222b1f0a}::{0be2021a-73f8-41f5-827b-bae652abed27} c:\users\user\downloads\eaa9be800ae519fd31297cbfb13bdeab7f6dafc0_0000515584 RegNtPreCreateKey
HKCU\software\{5238e199-3e7b-405d-a081-4e2f222b1f0a}::{0be2021a-73f8-41f5-827b-bae652abed27} C:\ProgramData\Win\WinEx86 RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\explorer.exe 鏢聵ǜ RegNtPreCreateKey
HKCU\software\{af6b9362-bf0d-4c97-b716-32233ca18bc8}::{af6b9362-bf0d-4c97-b716-32233ca18bc8} {B457592F-7414-4C7F-B1DE-A7291D26EDAF}{1C0738E9-A9D8-4AD5-A533-EAE016C3F374}{DF41656E-6 RegNtPreCreateKey

Windows API Usage

Category API
Network Winsock2
  • WSAStartup
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAddAtomEx
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcConnectPort
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateResourceReserve
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcQueryInformationMessage
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtAlpcSetInformation
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtCancelWaitCompletionPacket
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateThreadEx
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtGetCompleteWnfStateSubscription
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenMutant
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryEvent
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryObject
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryTimerResolution
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationObject
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetSecurityObject
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSetValueKey
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtUnsubscribeWnfStateChange
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair

4 additional items are not displayed above.

Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetComputerName
  • GetUserObjectInformation
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

"C:\ProgramData\botoboto\mybotos.exe" {850A2B3D-27DA-4872-B725-C6EFA8D6256A}
"C:\ProgramData\Win\WinEx86" {E706D49F-8F1C-42C3-81AD-640BDB90C820}
C:\WINDOWS\explorer.exe (NULL)
