General

  • Target

    1c45c33e9884cb10264c1a2a0255e72a.bin

  • Size

    225KB

  • Sample

    221118-k24cjsha67

  • MD5

    1c45c33e9884cb10264c1a2a0255e72a

  • SHA1

    1992336a5d752187c979e24a95a871d8932ade6d

  • SHA256

    fa7ba459236c7b27a0429f1961b992ab87fc8b3427469fd98bfc272ae6852063

  • SHA512

    ef8613f273ae04ae61c477ccaf81799f91d38b5f6453ebbdc39c05745cbab927849321f90547982016eefa43574efa1bedc5f90e9c7a5e38b70bc79e442ed9ad

  • SSDEEP

    6144:AeJmXCQwAhozkJQkRV50DErCMxgTw7ozFD254W:AQeCQwARQBD+GcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br>skype live:.cid.2eb1968719a82d39</strong><br><br>qOeN/Ee7Si2K1allYCfgKXW2nzZeNDQAdaIXLViSyyiGb79K17g6nH0rUyun2EPj geXx5pv04zP7pwdjZy2DHVuc12BS36YE7KIBCkxz3+6z+wunSmGZBJIxn7uqvq0a 3tIOwQolyfu3oynf1wt71EvoJldFa9j5SgtxtGxSQuva56PcUv1fEOftB0smJeon poG6VN1GHT6R3QbFu5kpS8gdw/A5F859fogG8EyLkiPdqFwmkAEeBKFKcxV7JCZW GU+u+sunmmZgOLRbL7do5qfSB1/gS4hx23aK2BMygTcfDsHEQrt6fNcCStyMQ6Wy eHFa9sYQ0AJjokJz8LuAEVurWROXMqqFLtgdYQWZd5n/uLOF0n8uz30t4y8iWE0g yyx9BbDGQMI8+Wh9mPkpeogB+fv8w4pMnNO1XT8y00VVKqtXsAt7irda7vFgJ4a5 OmoZ1orLX5PFbpnDFj76xq0+IMIqOvXxrIERP3AuaFwH41KG3sMbAgLWY6nOLQ3o qoY+JQqxqMgxMujx+Ch4lfEWELEBNKBO9xt4x+sciU7L8LqrU6Royl6kmRFZi3EV Bo4L88YzjpU60j7BSrRBVv7x6Kb8tCX02dWrBQtQX+1J11d+Z9HGuj9KYSjc3Bof lbaPBNwrids= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\30986266201972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected] skype live:.cid.2eb1968719a82d39
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      1c45c33e9884cb10264c1a2a0255e72a.bin


    • Venus

      Venus is a ransomware first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
