General

  • Target

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

  • Size

    225KB

  • Sample

    221222-fgclwadh53

  • MD5

    f62590e838b1d13960abb6b363e03ed9

  • SHA1

    66f706a7d39038964471e0a009a76e0f978fb075

  • SHA256

    fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

  • SHA512

    7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

  • SSDEEP

    6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>7tHcfikjaWfTUUQi1kF4/IpRAHcm3O9U8KwEbX+hYTWWtdPCTp1j+amG/hwc/ff7 W5hdcXuUUdNz5ctjkpvYvJTI0hvnIVuT/qua5Ia8HTV5jdjtBhO5CwxiCoyV29k5 I+OOoxMV/qujZrYStLFjBbPKeaCIg+zKRBpF4ylSY8Gv6i+zHIgNUPaSKrNKJ7G9 iqimwPqmZBPZLUHA228iP144WebJTgBBrx97xxOAtlY8Yw4SH5O1EMA/VFr8ZxHE e7vBYUSVWKEPd8deN817uBxttArs0CZiHFMq72Re9ImTJHGkjpSAlg0cR+sx3oS/ iIoXY8VYnQyHhc1nzszlTdUAT3AsPuq/g1omgDXZ6uLpOFVdvLc10yph3mnH8wu/ e88ezM3wGRv0/LJY9ZDXEJGKaOOdTasAsXDXVcjgJErV4f5JE7fKNtvhT+GUgCPI thtzOfTYNjRL5TbB7xPlTIEKrVGQEK6qQ9B+wC5TEKya0cZUB3aH72YhSXHu9ju2 r15OjoKjlDgs4OulkN3qyfQo15KULC1HPcDx2W//pga/usSrDxafOx7wzIlzEZwf I2zlmYvJKsInCZ/Y+MagidXlqByaKMTuJHLGLFi3kDCLPlR8WCdj46MueejWjTFu LuO66VrSeuV80fg= </p></div></body></html></html></body></html>
Emails

email:[email protected]

email:[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\180596361972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3.exe

    • Size

      225KB

    • MD5

      f62590e838b1d13960abb6b363e03ed9

    • SHA1

      66f706a7d39038964471e0a009a76e0f978fb075

    • SHA256

      fa57cf745ea986627cfeb9615038685304457812f262d3e20bd4ee0a70145bb3

    • SHA512

      7d372043b31cca8d6d73ecd386e08d720ec29fa02e6c01b099c70977e7bdbd06f2a2a8c44f1b813c1a4b67b12a37a51efcfc3776e8667ed216b25d2bf1d56556

    • SSDEEP

      6144:IuC7JmXiQwAh6jkJwkNV50DEr9MxgTw7ozFD254W:IuCteiQwAjw1DDGcopfW

    • Venus

Venus is a ransomware family first seen in 2022.

    • Venus Ransomware

    • Deletes shadow copies

Ransomware commonly deletes Volume Shadow Copy snapshots so that encrypted files cannot be restored from them, inhibiting system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

Uses wbadmin.exe to delete the Windows Backup catalog, so existing backups can no longer be enumerated or restored; this further inhibits system recovery.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

Looks up the country code configured in the registry, likely as a geofence check to avoid running in certain regions.

    • Deletes itself

    • Reads user/profile data of web browsers

Stored browser data can include saved credentials, cookies and browsing history; it is a common target of infostealers and of ransomware that exfiltrates data before encrypting it.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

Attempts to read the root path of drives other than the default C: drive, typically to locate additional volumes whose files can be encrypted.

    • Sets desktop wallpaper using registry
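The signatures above describe behaviours that a detection engineer would want to catch in endpoint telemetry before the encryption finishes. What follows is an added example, not code from the sandbox vendor or from the sample: a small Python matcher that applies the same signature logic to Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) records. The command lines and registry paths used as patterns (vssadmin, bcdedit, wbadmin, netsh, the CurrentVersion\Run key, the Control Panel\Desktop\Wallpaper value) are generic illustrations of each technique as it is usually performed, not commands or keys recovered from this binary, and every event record, PID and file path below is constructed for the example.

```python
"""Signature-style matching over constructed Sysmon-like events.

Added example for the signature list above; not the sandbox's or the
sample's own code. EventID 1 = process creation, EventID 13 = registry
value set. All command lines, registry paths, PIDs and images are
constructed illustrations of the techniques, not data from this sample.
"""
import re

# (signature name as used in the report, Sysmon EventID, pattern over the
#  event's CommandLine (EventID 1) or TargetObject (EventID 13))
RULES = [
    ("Deletes shadow copies", 1,
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("Modifies boot configuration data using bcdedit", 1,
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("Deletes backup catalog", 1,
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("Modifies Windows Firewall", 1,
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", re.I)),
    ("Adds Run key to start application", 13,
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)),
    ("Sets desktop wallpaper using registry", 13,
     re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)),
]

# Signatures that, seen together from one execution chain, indicate an
# attempt to block recovery; two or more is treated as ransomware-like.
RECOVERY_INHIBITION = {
    "Deletes shadow copies",
    "Modifies boot configuration data using bcdedit",
    "Deletes backup catalog",
}


def match_event(event):
    """Return the names of all signatures a single event triggers."""
    if event["EventID"] == 1:
        field = event.get("CommandLine", "")
    elif event["EventID"] == 13:
        field = event.get("TargetObject", "")
    else:
        return []  # other Sysmon event types carry no field these rules inspect
    return [name for name, eid, pat in RULES
            if eid == event["EventID"] and pat.search(field)]


def analyse(events):
    """Map each triggered signature to the list of PIDs that triggered it."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev["ProcessId"])
    return hits


def is_ransomware_like(hits):
    """True when at least two distinct recovery-inhibition signatures fired."""
    return len(set(hits) & RECOVERY_INHIBITION) >= 2


# Constructed malicious execution chain (assumed paths and PIDs).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\Admin\Desktop\dropper.exe",
     "CommandLine": r"C:\Users\Admin\Desktop\dropper.exe"},
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "ProcessId": 4201, "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"},
    {"EventID": 1, "ProcessId": 4210, "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},
    {"EventID": 1, "ProcessId": 4222, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\Admin\Desktop\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "ProcessId": 4120, "Image": r"C:\Users\Admin\Desktop\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Control Panel\Desktop\Wallpaper"},
]

# Constructed benign activity that must not fire: listing shadows is not
# deleting them, netsh without a firewall context, and a neighbouring
# registry value that merely shares the Wallpaper prefix.
BENIGN_EVENTS = [
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"EventID": 1, "ProcessId": 901, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
    {"EventID": 13, "ProcessId": 902, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Control Panel\Desktop\WallpaperStyle"},
]

if __name__ == "__main__":
    for name, pids in sorted(analyse(SAMPLE_EVENTS).items()):
        print(f"{name}: PIDs {pids}")
    print("ransomware-like:", is_ransomware_like(analyse(SAMPLE_EVENTS)))
```

The patterns anchor on the verb as well as the tool (delete shadows, not merely vssadmin; advfirewall or firewall after netsh) so that routine administration does not trip them, and the escalation rule requires two independent recovery-inhibition signatures rather than one, which is the combination this report shows (shadow copies, bcdedit, wbadmin) and which almost never occurs in legitimate automation.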

MITRE ATT&CK Enterprise v6

Tasks