Resubmissions

09-12-2022 06:35

221209-hcjkqsce85 10

09-12-2022 05:38

221209-gbsatacd98 10

General

  • Target

    78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

  • Size

    265KB

  • Sample

    221209-gbsatacd98

  • MD5

    3ac0d935228460fdc38bdab692d71b0c

  • SHA1

    d08f753af5b5d9be3352495189be6fd4914ad8e1

  • SHA256

    78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361

  • SHA512

    04376fc469808504a8071f0b9baa35c4f922d7b69c4d4c6e77309022f95cf916a80b758a6733154f36e8be59d928b93903eec47a6df32e96b2ef3b4b6f0fde54

  • SSDEEP

    6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN

Malware Config

Extracted

Path

\??\E:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>WulaZ+g2Lncvvsm+OHlq3l8MSul2Lz7SBT6r9cBXVxYGhPvBNR5iLsZcjtYhJxnY xa+fhApdSYa/2YH9lTgrwv2TXawsLeZkhBl85B7PV0GUxGdVVh1duQh/FXnJjl6s 58KS2Gpy3TGvLQgNaDI/KIGfY5OKcJfxMLD0WA2R07BqIXkPPpghZPSVL1z/ic9b hAejewof2Fi6VVPHZvByXPhe7Xx6JjGMzWTIfLU1QkVz5eDX/3UaAp/+FgUi0gNe oeFaHVPMR1LSqzNPibi3ZsIXyfbtNLcnIv1pkmV4FZYacghrRJ7NeJ4Ddq9uEzS4 cndfBNI2c8MrqGp9s91pXmX2O1RwhAjZXVeuUQZkKiJPy13ZBwfmHJe7idg2s/4n 4/Vh5Sy40KxwFc8xv7LxgGa9UrkelXaMjpgrONdR7TmEs/IbHYVhQYBj5+thieo5 KQfDhMThlMDLJ5ICOZuAt2IqHRXk9z/QTUZavr+Ngnma6Nz6OkOQnAmzFAYTXeJ2 X+l9bHYaRMo63XHKxL09WvVAbXKLDktkWWdU6s7NNw6hJe1TD0eCX0X1dlszro0J QaKCG7Z0TKf2HXutNvUXbfHJ0803aVeer1mYQ5NpgLBJgi0op9RcNbH15krFugz6 Ti1gNZVq5yQ7 </p></div></body></html></html></body></html>
Emails

    [email protected]
    [email protected]

    (both addresses are masked as [email protected] in the captured note; the line after them is the base64 blob the victim is told to send back)
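Pulling the contact lines and the victim blob out of a note like the one above is the usual first step of a config extractor. The block below is an added example, not the sandbox's own extractor or any Venus tooling: it flattens the README.html with the standard-library HTML parser and returns the title, the "email:" lines and the base64 run that follows them. The function and class names (`parse_note`, `_NoteText`) are this example's own, and it assumes the blob is the per-victim identifier or key material the note asks the victim to send back; the note itself does not say what it is.

```python
"""Pull the actionable fields out of the Venus README.html shown above.

Added example, not the sandbox's own extractor or any Venus tooling. It
strips the markup with the standard-library HTML parser and returns the
page title, the "email:" contact lines and the base64 blob that follows
them. Assumption: the blob is the per-victim identifier or key material
the note asks the victim to send back; the note itself does not say.
"""
import base64
import re
from html.parser import HTMLParser

# Verbatim copy of the note from the extracted config above. Both contact
# addresses are masked as "[email protected]" in the captured page.
VENUS_NOTE = (
    '<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}'
    'p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;'
    'margin-right:auto;height:100%}.c h1{color:white;line-height:80px}'
    '.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head>'
    '<body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;'
    '</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted '
    'your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong>'
    '<br> If you, your programmers or your friends would try to help you to decrypt the '
    'files it can cause data loss even after you pay.<br> In this case we will not be able '
    'to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not '
    'try to decrypt your data using third party software, it may cause permanent data loss.'
    '<br>Decryption of your files with the help of third parties may cause increased price '
    'or you can become a victim of a scam.</br>-----------------------------------------------------'
    '</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>'
    'email:[email protected]<br></strong><br><br>'
    'WulaZ+g2Lncvvsm+OHlq3l8MSul2Lz7SBT6r9cBXVxYGhPvBNR5iLsZcjtYhJxnY '
    'xa+fhApdSYa/2YH9lTgrwv2TXawsLeZkhBl85B7PV0GUxGdVVh1duQh/FXnJjl6s '
    '58KS2Gpy3TGvLQgNaDI/KIGfY5OKcJfxMLD0WA2R07BqIXkPPpghZPSVL1z/ic9b '
    'hAejewof2Fi6VVPHZvByXPhe7Xx6JjGMzWTIfLU1QkVz5eDX/3UaAp/+FgUi0gNe '
    'oeFaHVPMR1LSqzNPibi3ZsIXyfbtNLcnIv1pkmV4FZYacghrRJ7NeJ4Ddq9uEzS4 '
    'cndfBNI2c8MrqGp9s91pXmX2O1RwhAjZXVeuUQZkKiJPy13ZBwfmHJe7idg2s/4n '
    '4/Vh5Sy40KxwFc8xv7LxgGa9UrkelXaMjpgrONdR7TmEs/IbHYVhQYBj5+thieo5 '
    'KQfDhMThlMDLJ5ICOZuAt2IqHRXk9z/QTUZavr+Ngnma6Nz6OkOQnAmzFAYTXeJ2 '
    'X+l9bHYaRMo63XHKxL09WvVAbXKLDktkWWdU6s7NNw6hJe1TD0eCX0X1dlszro0J '
    'QaKCG7Z0TKf2HXutNvUXbfHJ0803aVeer1mYQ5NpgLBJgi0op9RcNbH15krFugz6 '
    'Ti1gNZVq5yQ7 </p></div></body></html></html></body></html>'
)


class _NoteText(HTMLParser):
    """Flatten the note to text: <br>/<p>/<div>/<h1> become newlines, CSS is dropped."""
    BREAKS = {"br", "p", "div", "h1"}

    def __init__(self):
        super().__init__()
        self.title = ""
        self.chunks = []
        self._in = None  # "title", "style" or None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "style"):
            self._in = tag
        elif tag in self.BREAKS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("title", "style"):
            self._in = None
        elif tag in self.BREAKS:  # the note also uses the bogus </br>
            self.chunks.append("\n")

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in is None:
            self.chunks.append(data)


def parse_note(html):
    p = _NoteText()
    p.feed(html)
    p.close()
    lines = [ln.strip() for ln in "".join(p.chunks).splitlines() if ln.strip()]
    contact_idx = [i for i, ln in enumerate(lines) if ln.lower().startswith("email:")]
    if not contact_idx:
        raise ValueError("no contact block in note")
    emails = [lines[i].split(":", 1)[1].strip() for i in contact_idx]
    # Everything after the last contact line is the blob, which the note wraps at 64 chars.
    blob = "".join("".join(lines[contact_idx[-1] + 1:]).split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", blob) or len(blob) % 4:
        raise ValueError("text after contact block is not base64")
    return {
        "title": p.title.strip(),
        "emails": emails,
        "blob": blob,
        "blob_bytes": base64.b64decode(blob, validate=True),
    }


if __name__ == "__main__":
    r = parse_note(VENUS_NOTE)
    print(r["title"], r["emails"], len(r["blob_bytes"]), "bytes after base64")
```

The blob check (base64 alphabet only, length a multiple of four) is what makes the extractor fail loudly on a note whose layout differs, rather than returning the wrong text as a "key"; the same approach works on any note that puts the blob directly after its contact lines.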

Targets

    • Target

      78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe

    • Detect Neshta payload

    • Modifies system executable filetype association

    • Neshta

      Neshta is a file infector: it writes its own code into other executables so that launching them spreads the infection further, and the host programs can be left damaged in the process.

    • Venus

      Venus is a ransomware family first observed in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Deleting Volume Shadow Copies removes the local snapshots that files could otherwise be restored from; ransomware routinely does this to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

      Edits the boot configuration store with bcdedit.exe, commonly to disable automatic startup repair and the Windows recovery environment so the host cannot be rolled back.

    • Deletes backup catalog

      Runs wbadmin.exe to delete the Windows Backup catalog, so existing backups can no longer be enumerated or restored; a further way to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally appends or changes the extension of the files it encrypts.

    • Checks computer location settings

      Reads the country code configured in the registry (Control Panel\International\Geo), most likely as a geofence check to avoid running in certain regions.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target data stored by web browsers, which can include saved credentials, cookies and browsing history.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive, typically to find additional volumes to encrypt.

    • Sets desktop wallpaper using registry
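The recovery-inhibition signatures above (shadow copies, BCD, backup catalog) and the Neshta file-association hijack all leave traces in process-creation telemetry, which is where a defender would match them. The block below is an added example and not part of the sandbox report: a small detector run over constructed process-creation events. The event field names (`pid`, `ppid`, `image`, `cmdline`) are an assumption modelled loosely on Sysmon Event ID 1, not a real product schema; the vssadmin/wmic, bcdedit and wbadmin command lines are the forms ransomware commonly drives those tools with, since the report does not list this sample's exact arguments. The Neshta rule keys on the `%WINDIR%\svchost.com` launcher that Neshta's hijacked exefile association routes every .exe start through.

```python
"""Match the recovery-inhibition and Neshta launcher behaviours from the
report against process-creation telemetry.

Added example, not part of the sandbox report. EVENTS are constructed to
mimic a process-creation feed; the field names (pid, ppid, image, cmdline)
are an assumption modelled loosely on Sysmon Event ID 1, not a product
schema. The command lines are the forms ransomware commonly drives these
tools with; the report does not list this sample's exact arguments.
"""
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\victim\Downloads"
              r"\78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361.exe")

# Constructed events. Neshta's hijacked exefile association makes every .exe
# launch go through %WINDIR%\svchost.com, which then runs the real target.
EVENTS = [
    {"pid": 4012, "ppid": 3990, "image": r"C:\Windows\svchost.com",
     "cmdline": 'C:\\Windows\\svchost.com "' + SAMPLE_EXE + '"'},
    {"pid": 4020, "ppid": 4012, "image": SAMPLE_EXE, "cmdline": '"' + SAMPLE_EXE + '"'},
    {"pid": 4101, "ppid": 4020, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4102, "ppid": 4020, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 4103, "ppid": 4020, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4104, "ppid": 4020, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Benign noise: the real service host, and an admin listing (not deleting) snapshots.
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

RECOVERY_RULES = {
    "deletes_shadow_copies": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "modifies_bcd": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "deletes_backup_catalog": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
}
# Neshta drops %WINDIR%\svchost.com; the legitimate service host is svchost.exe.
NESHTA_LAUNCHER = re.compile(r"\\windows\\svchost\.com\b", re.I)


def _root_of(pid, parents):
    """Walk ppid links up to the top-most process we have an event for."""
    seen = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events):
    parents = {e["pid"]: e["ppid"] for e in events}
    per_tree = defaultdict(lambda: defaultdict(list))  # root pid -> rule -> [pids]
    launcher = set()
    for e in events:
        text = e["image"] + " " + e["cmdline"]
        for name, rx in RECOVERY_RULES.items():
            if rx.search(text):
                per_tree[_root_of(e["pid"], parents)][name].append(e["pid"])
        if NESHTA_LAUNCHER.search(text):
            launcher.add(e["pid"])
    findings = []
    for root, rules in per_tree.items():
        # A lone vssadmin or bcdedit call can be an admin; two distinct
        # recovery-inhibition techniques from one process tree is the pattern
        # the report flags (shadow copies + BCD + backup catalog).
        findings.append({
            "root_pid": root,
            "rules": sorted(rules),
            "pids": sorted(p for ps in rules.values() for p in ps),
            "severity": "high" if len(rules) >= 2 else "low",
        })
    return {"recovery_inhibition": findings, "neshta_launcher": sorted(launcher)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for f in result["recovery_inhibition"]:
        print(f["severity"], "root pid", f["root_pid"], f["rules"])
    print("neshta launcher pids:", result["neshta_launcher"])
```

Grouping hits by the root of the process tree is what separates this from a per-line grep: an administrator running `vssadmin list shadows`, or even a single `bcdedit` change, scores low, while three different recovery-inhibition techniques launched from one ancestor are exactly what the report's signatures describe. The launcher match is reported separately because a Neshta-infected host will show `svchost.com` in front of every program start, not only the ransomware.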

MITRE ATT&CK Enterprise v6

Tasks