Overview

overview

10

Static

static

10

Venus.exe

windows7-x64

10

Venus.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Venus.exe

  • Size

    225KB

  • Sample

    230130-t9cdgabb67

  • MD5

    07f5fbcb96179acffab2638392d08fb8

  • SHA1

    22d84ca8e620ef5fc0027b3e06876d1a04d10406

  • SHA256

    4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

  • SHA512

    0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

  • SSDEEP

    6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

Score
10/10
venusevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\README.html

Ransom Note
<html><head><title>Venus</title><style type = "text/css">*{padding:0;margin:0}p{color:white}.f{background-color:#ff7c00;width:100%;margin-left:auto;margin-right:auto;height:100%}.c h1{color:white;line-height:80px}.r{word-break:break-all;float:left;width:100%;text-align:center}</style></head><body><div class="f"><div class="c"><h1 align="center">&lt;&lt;&lt;Venus&gt;&gt;&gt;</h1></div><div class="r"><p></br></br></br></br><strong>We downloaded and encrypted your data.</strong></br>Only we can decrypt your data.<br><strong>IMPORTANT!</strong><br> If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay.<br> In this case we will not be able to help you.<br>Do not play with files.</p><p>Do not rename encrypted files.<br>Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.</br>-----------------------------------------------------</br>Contact and send this file to us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>LNCLNWs7Gb1e8vB+wHPthFw7mpeo4QOCJH2S6Qr7jQrFC50Thgv08BVsFuHfiNN/ 3T+hpuihskopRXwAAefrvIcWPAroIbgpe+0CIWSF4qK8p1uO+PINW3ejnYYskBCF EEvzXaNL6aDWDGJVDN4obfW6SM2dZku7EtqknAwSsWT6b3yZGuJJaPAMiLKt6e6J nveVccQaJM4ExjcsGURVaLZG1hr9GOyiwhg2Jc9U7ITjzjEuD0Fys3kq1LzquP2K gAKzfra+6Ocg5UVJF957EOl4nmnkX+8A1AjUm3Bw+7J/9ugl2whgepL00Sz+6+7m LeLEonhNS3t6DL9QTUPsLdbuMmAVNfCrr9qpuYlCunV123VxixVvcR+ttFeOBSRu rwOmffYSpcwLzXhvde/VXZuoJ31bT7FTbPfmz7miuKXX+pBNCznFouNJayDKgPi+ H/wmceZyHzRkBmO0UP3KEJ4eqbzwYlQ6Ky3jSrE7u2Qak1psSIqzGCqk8tVBRWmQ W6MgcoOy2AarXvVTNPsuqLzcu8nANONPfMwS/yVcpg7ivGa9ouTTysXDtHteX31d RG/bmBldLnq3cOiOD7C47kkFi7Zq3o2iIdmdDTreSCX3TLIAhCHTSMEDdXRycbkO UtsnJeW02pc= </p></div></body></html></html></body></html>
Emails

us:<br><strong><br>email:[email protected]<br>email:[email protected]<br></strong><br><br>LNCLNWs7Gb1e8vB+wHPthFw7mpeo4QOCJH2S6Qr7jQrFC50Thgv08BVsFuHfiNN/

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\16165406601972527219.hta

Ransom Note
<<<Venus>>> We downloaded and encrypted your data.Only we can decrypt your data.IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.-----------------------------------------------------Contact and send this file to us: email:[email protected] email:[email protected]
Emails

email:[email protected]

email:[email protected]

Targets

    • Target

      Venus.exe

    • Size

      225KB

    • MD5

      07f5fbcb96179acffab2638392d08fb8

    • SHA1

      22d84ca8e620ef5fc0027b3e06876d1a04d10406

    • SHA256

      4f92e2f752e4b0b30193d53375cd2fbd4beff02db9d6b3b6cadbf3b50e503498

    • SHA512

      0ed902259cf218f0d1f6349ff4ee45b674f19f867cbbe7fee28cf80b7edf67e691738274df4b2c7be01aac60639c45e35717e2b9c59518bc6e1240a022acabf4

    • SSDEEP

      6144:FQJmXLQwAhWUkJ0kfV50DEr2MxgTw7ozFD254W:FeeLQwAi07DWGcopfW

    Score
    10/10
    venusevasionpersistenceransomwarespywarestealer

    • Venus

      Venus is a ransomware first seen in 2022.

      ransomwarevenus

    • Venus Ransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks