General

  • Target

    38d8f55b3a4b6871b5e62fdc73c504d6.bin

  • Size

    225KB

  • Sample

    221118-k24nbaha68

  • MD5

    38d8f55b3a4b6871b5e62fdc73c504d6

  • SHA1

    102b8625e5662c89efe4547dc2cb173be8b08851

  • SHA256

    8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb

  • SHA512

    97c8f11f1bd28ecacddf3606b507dbeb0ab85a56c788e99160ef77c9757f92fd1e4920b24ad077de8763939da77d2bd71089512787dda0fd0e804d47c0cbbecb

  • SSDEEP

    6144:gUhJmXLQwAhgEkJ8kdV50DErPMxgTw7ozFD254W:gUneLQwAE8VDtGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>Wvh+yDoebpY05BPoOBvbShfiRQAf0J/bi0ptwbRJ+mmPeapDrb4uIAH8OfekpCH7 LAoequGw86V1Xa+zGqAGrLwR7YhpZ8XhFTp37P3fs0D0P4UgX2XjFP0gsHnYe//4 /K8Kq2TSQMtRT44dsVBj+xP+D1yo83pW6Fn8kmmxMZebSQNvXzsXtQOX7Cu7ja5w y8OH1zke4DZOZu5kpnAzlK/syrqv56PoLagfq9vta160ZTVvVXzOXXTvsle1Kgaw O2GbBjUq3RaXP6PT2L/bl98aydomjea2eNcJ9dMHenyN9V0+9s5ZxowG9Z8mdu5Y 8jDrVk58BT2BhOCwzLjg1l6/t4/blt3YjKLf+dd2hapVcM8fhVt/e1eSMUKfs5AK QDArYsKjosc6JQw1uLj33OQBVzioapCBSXSulP8Ivnq0tdK4zwlAzx+GjuHcXsMF APZ/BYsdVQFxUm4tIvP4a+jEy7jf1q41fqC0MDv45pPZRdqHD16NOHzy+aSClhok I9RQ+gJhQU5swvAQgZtk1+IydRViaDbbRlt387RL/8/uXi1y9Was5dk6SqZhn8F7 /HzXozC+17Zv7jxazvd2XtBAjll3mo1WM9RTSfqAuOVdbxchOmAanN5uRoyCN7eK 0NxxPVxsW/E= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\27405752111972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Venus

      Venus is a ransomware first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks