MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Venus


Vendor detections: 14


Intelligence 14 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
SHA3-384 hash: bb8f1dc329b2c2451944a49510b6f65684a0c87bdf94eac9014a1bed66e43c664ff045c9fd2dc954ef870fa6fa8a4161
SHA1 hash: d08f753af5b5d9be3352495189be6fd4914ad8e1
MD5 hash: 3ac0d935228460fdc38bdab692d71b0c
humanhash: burger-sweet-east-green
File name:78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
Download: download sample
Signature Venus
Create hunting rule
File size:271'872 bytes
First seen:2022-12-09 05:38:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k9Pj5XJkcXV50DErs5xgTw7ozFz254WfRgzJmXrQwAN:akzDZGcoxfWfRglerQwAN
TLSH T1E444BF10E6C290F2D8A70FBD98FA59FE90352A304735E3F7EBD54E9989366C2D138251
TrID 84.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter petikvx
Tags:exe Ransomware Venus

Intelligence

File Origin
# of uploads :
1
# of downloads :
533
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
Verdict:
Malicious activity
Analysis date:
2022-12-09 05:35:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e2279993-22cf-4333-be73-0ad1830c9e23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344589/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

Win.Ransomware.Bandook-9978067-1
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a file
Launching a process
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the Program Files subdirectories
Sending a UDP request
Moving a file to the Program Files subdirectory
Changing a file
Moving a file to the %AppData% subdirectory
Moving a recently created file
Moving a file to the Program Files directory
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Creating a file in the mass storage device
Infecting executable files
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
neshta overlay packed shell32.dll venus virus winlock
Link:
https://www.filescan.io/uploads/6392c9f804e0e79bdf41b3dc/reports/1038e9d6-0030-450f-b200-6782743a3d24/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Venus Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/432b3950-c3fa-4118-a90e-2f03d3349ca8
Result
Threat name:
Neshta, Venus
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131227
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register hotkeys which are used to close and control applications (CTRL-ALT-DEL, ALT-F4 etc)
Contains functionalty to change the wallpaper
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for Windows Mail specific files
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes many files with high entropy
Yara detected Neshta
Yara detected Venus Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763951 Sample: C8lT6JglpY.exe Startdate: 09/12/2022 Architecture: WINDOWS Score: 100 86 Malicious sample detected (through community Yara rule) 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 8 other signatures 2->92 9 C8lT6JglpY.exe 4 2->9         started        13 svchost.com 2->13         started        15 svchost.com 2->15         started        17 2 other processes 2->17 process3 file4 58 C:\Windows\svchost.com, PE32 9->58 dropped 60 C:\Users\user\AppData\...\C8lT6JglpY.exe, PE32 9->60 dropped 62 C:\ProgramData\...\vcredist_x86.exe, PE32 9->62 dropped 66 16 other malicious files 9->66 dropped 104 Creates an undocumented autostart registry key 9->104 106 Drops PE files with a suspicious file extension 9->106 108 Drops executable to a common third party application directory 9->108 110 Infects executable files (exe, dll, sys, html) 9->110 19 C8lT6JglpY.exe 1 2 9->19         started        64 C:\Users\user\Downloads\ChromeSetup.exe, PE32 13->64 dropped 112 Multi AV Scanner detection for dropped file 13->112 23 C8lT6JglpY.exe 13->23         started        114 Drops executables to the windows directory (C:\Windows) and starts them 15->114 25 C8lT6JglpY.exe 15->25         started        27 C8lT6JglpY.exe 17->27         started        29 C8lT6JglpY.exe 17->29         started        signatures5 process6 file7 56 C:\Windows\C8lT6JglpY.exe, PE32 19->56 dropped 94 Multi AV Scanner detection for dropped file 19->94 96 Contains functionalty to change the wallpaper 19->96 98 Creates multiple autostart registry keys 19->98 102 2 other signatures 19->102 31 C8lT6JglpY.exe 7 13 19->31         started        36 cmd.exe 1 19->36         started        100 Creates autostart registry keys with suspicious names 23->100 signatures8 process9 dnsIp10 68 192.168.2.100 unknown unknown 31->68 70 192.168.2.101 unknown unknown 31->70 72 98 other IPs or domains 31->72 48 C:\Program Filesbehaviorgraphoogle\...\id.pak.venus, DOS 31->48 dropped 50 C:FI\Microsoft\...\memtest.efi.mui.venus, COM 31->50 dropped 52 C:FI\Microsoft\...\bootmgfw.efi.mui.venus, 0421 31->52 dropped 54 230 other malicious files 31->54 dropped 74 Multi AV Scanner detection for dropped file 31->74 76 Contains functionalty to change the wallpaper 31->76 78 Searches for Windows Mail specific files 31->78 80 Writes many files with high entropy 31->80 38 cmd.exe 1 31->38         started        82 Uses ping.exe to sleep 36->82 84 Uses ping.exe to check the status of other devices and networks 36->84 40 conhost.exe 36->40         started        42 PING.EXE 1 36->42         started        file11 signatures12 process13 process14 44 taskkill.exe 1 38->44         started        46 conhost.exe 38->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 14:54:55 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
40 of 41 (97.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pats5lrgnaljwcx3deliu4oraolu3iynlf5d6ue4z5qhzbbp2nqq._file
Result
Malware family:
venus
Create hunting rule
Score:
  10/10
Tags:
family:neshta family:venus evasion persistence ransomware spyware stealer
Link:
https://tria.ge/reports/221209-gbsatacd98/
Behaviour
Checks SCSI registry key(s)
Interacts with shadow copies
Kills process with taskkill
Modifies registry class
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Sets desktop wallpaper using registry
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Modifies system executable filetype association
Neshta
Venus
Venus Ransomware
Detect Neshta payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/db418878-076a-4d7e-86b6-bfa2030cd17e
Unpacked files
SH256 hash:
78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361
MD5 hash:
3ac0d935228460fdc38bdab692d71b0c
SHA1 hash:
d08f753af5b5d9be3352495189be6fd4914ad8e1
Detections:
win_neshta_g0
Create hunting rule
VenusRansomware
Create hunting rule
Link:
https://www.unpac.me/results/c6a2710c-3b76-471e-ad8c-5f85b6c04a86/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78272eae2668/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78272eae2668169b0afb19168a71d103974da30d597a3f509ccf607c842fd361

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MAL_Neshta_Generic
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_Neshta_Generic_RID2DC9
Create hunting rule
Author:Florian Roth
Description:Detects Neshta malware
Reference:Internal Research
Rule name:MAL_RANSOM_Venus_Nov22_1
Create hunting rule
Author:Florian Roth
Description:Detects Venus Ransomware samples
Reference:https://twitter.com/dyngnosis/status/1592588860168421376
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RAN_Venus_Oct_2022_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect venus ransomware
Reference:https://www.bleepingcomputer.com/forums/t/777945/venus-ransomware-support-help-topic-venus-readmehtml/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344589/

Comments