General

  • Target

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

  • Size

    225KB

  • Sample

    221219-1rlyhsbc8z

  • MD5

    f62590e838b1d13960abb6b363e03ed9

  • SHA1

    66f706a7d39038964471e0a009a76e0f978fb075

  • SHA256

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

  • SHA512

    7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

  • SSDEEP

    6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<<<Venus>>>

We downloaded and encrypted your data.
Only we can decrypt your data.
IMPORTANT!
If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.
In this case we will not be able to help you.
Do not play with files.

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.
-----------------------------------------------------
Contact and send this file to us:
email:[email protected]
email:[email protected]

hOVDDqiqDLMs0IgZPqCj2mZBWbdQ5cTlS3KxXwHghkalPcroxZbjQJ3brZLeiDHs hcqRz5i0NTG78XHCZWwtu1aC6lMayX3558j9ynMTV3BM5BM8RVHL2CKZ15wDiBQY 8Dq5Z0xhMnl6TgHCqWma0xMFmeM8gB28PcyyXc04AAzuU3Zgt9AbaRlT1zsz35/E 5k9W/D4jiMzLa6uno9RVHYwvwjtr6MBnwGNdBT8V+jG8gzMaVRcjHYHMuaHpmHJo +XD0vSOsb2F4OzaPnB6NCM2qm9dYy4voo0H72JFYOQj79kPPG4DUX6mfQ2DV9w3l H4P2H9/QHsesC20ErWxVpdvSWr/nBmplj0M/pA5vQClXxoIfOY0dvNEVa96QO/ZA TTc8aN4HecGiYQRJ9xdOYHXZrgBdrJ3ScFTHtFO0X5D416eOwkXjzYbbpPteREuM CfgQpFnuaXbqTpDJp4hIYeL4AD8ev+N5oin2/HMJ+6DpbFML6m6O8NC9D5eIjQjx N5XdE+A87UrtBsuRW6CcdSe8mPLL989hBrKnIJLmtL0KDNjbCiY5NPAGWGb+fh72 a3DbyUsB2ErUeYF5jBQHNSTGbSd6NOqNs660FnYqSRvuCX5Pj91UldAkRFEjtW3E 4SFK3iiJYM7rUumv7A==
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\24531424571972527219.hta

Ransom Note
<<<Venus>>>

We downloaded and encrypted your data.
Only we can decrypt your data.
IMPORTANT!
If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.
In this case we will not be able to help you.
Do not play with files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.
-----------------------------------------------------
Contact and send this file to us:
email:[email protected]
email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

    • Size

      225KB

    • MD5

      f62590e838b1d13960abb6b363e03ed9

    • SHA1

      66f706a7d39038964471e0a009a76e0f978fb075

    • SHA256

      fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

    • SHA512

      7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

    • SSDEEP

      6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

    • Venus

      Venus is a ransomware family first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often deletes shadow copies and other backups to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to delete the backup catalog and inhibit system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and session cookies.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive, typically to locate additional files to encrypt.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks