MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Mansabo


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290
SHA3-384 hash: b8b7ae690936a5f0c8ffdfe50a603ccf56b6e07217c07c09c85ca6744b1c741355eed39e088e580fbea5b566cc377830
SHA1 hash: d4abcd308eb6f9de17f77f77c30c97cdc545b745
MD5 hash: bc5ab0a5bbea9daf5ec8ad3a2f575e20
humanhash: angel-idaho-blue-kentucky
File name:bc5ab0a5bbea9daf5ec8ad3a2f575e20
Download: download sample
Signature Mansabo
Create hunting rule
File size:4'638'928 bytes
First seen:2021-11-19 10:51:03 UTC
Last seen:2021-11-19 13:09:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c58ba983cbcad8b3c06c5b4f999bb55 (1 x Mansabo)
ssdeep 98304:jeCSuW2suafg/4xp5DNLEtAhDlqKxOv2I6K3cXJQQ6bJDpt:qgWGiE89xsRc6z
Threatray 30 similar samples on MalwareBazaar
TLSH T16426AC9A9553DDE4CCA3A6BE4D117C7AFA642D2D0D01986EC6C63DB0F835BD093C9A03
File icon (PE):PE icon
dhash icon 8ecc8eccaa8ecc8e (1 x ArkeiStealer, 1 x Mansabo, 1 x LummaStealer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bc5ab0a5bbea9daf5ec8ad3a2f575e20
Verdict:
Suspicious activity
Analysis date:
2021-11-19 10:56:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7adf8c3f-0f6e-48bb-af7f-cf9bb557dcce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Win32.Packed.VMProtect.ZJ.1450.30266.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619781992695a62af9f3c021/reports/af109e37-b391-48cf-9bc4-c5a189143d80/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23b4e104-c096-4742-a87a-be0c7b6a44fa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892595
Signature
Creates autostart registry keys with suspicious names
Delayed program exit found
Detected VMProtect packer
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potentially malicious time measurement code found
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 525068 Sample: RP1uwL6N6T Startdate: 19/11/2021 Architecture: WINDOWS Score: 100 54 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Detected VMProtect packer 2->58 60 3 other signatures 2->60 8 RP1uwL6N6T.exe 4 2->8         started        13 ADDB1D920A68539009248.exe 2->13         started        15 ADDB1D920A68539009248.exe 2->15         started        process3 dnsIp4 48 fuckniggersshit.coin 8->48 40 C:\Users\user\...\ADDB1D920A68539009248.exe, PE32 8->40 dropped 42 ADDB1D920A68539009...exe:Zone.Identifier, ASCII 8->42 dropped 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->74 76 Drops PE files to the document folder of the user 8->76 78 Tries to detect virtualization through RDTSC time measurements 8->78 80 2 other signatures 8->80 17 ADDB1D920A68539009248.exe 8->17         started        21 cmd.exe 1 8->21         started        50 fuckniggersshit.coin 13->50 52 fuckniggersshit.coin 15->52 file5 signatures6 process7 dnsIp8 44 fuckniggersshit.coin 167.99.39.23, 54734, 80 DIGITALOCEAN-ASNUS United States 17->44 46 192.168.2.1 unknown unknown 17->46 62 Multi AV Scanner detection for dropped file 17->62 64 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->64 66 Machine Learning detection for dropped file 17->66 70 4 other signatures 17->70 23 cmd.exe 17->23         started        26 dllhost.exe 17->26         started        28 WerFault.exe 17->28         started        30 WerFault.exe 17->30         started        68 Encrypted powershell cmdline option found 21->68 32 powershell.exe 25 21->32         started        34 conhost.exe 21->34         started        signatures9 process10 signatures11 72 Encrypted powershell cmdline option found 23->72 36 conhost.exe 23->36         started        38 powershell.exe 23->38         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290/
Threat name:
Win32.Trojan.Mansabo
Create hunting rule
Status:
Malicious
First seen:
2021-11-19 07:33:40 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
196de41048232f60a7d93e73e7dd03bd524a79217c3408b98e69b855c7f83504
Mansabo
3ce688f6b00b57a37f3ffa4c5410cc02ed5fa05eab37304d44e2d8399aa8b8e2
Mansabo
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
Mansabo
54fca1375e62c5978b78593ea50a5ac198da69c3e033c94371cbb81dc5a9d5be
Mansabo
6c827d61cbe6d4b9c2851c1c234353265188e805cc27ebe195b9133e1f8fcc80
Mansabo
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
Mansabo
8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60
Mansabo
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
Mansabo
f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a
Mansabo
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata vmprotect
Link:
https://tria.ge/reports/211119-mxtnnaabcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Enumerates physical storage devices
Adds Run key to start application
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
3dfc7ad36f64097ea88c60cf4154431aa2ea177a6307559a82227a00f4d281a0
MD5 hash:
74ff3dcf6d3ebd5af635735972d07411
SHA1 hash:
ed421648785c8060aa1c62e4db1fffdc3631fad7
Link:
https://www.unpac.me/results/025bfc6a-c383-4f46-a97c-03f53d944f91/
SH256 hash:
15d9a6deb278d0a11aa3f835ebc1f6a498b14e2435c77aed4d9875d15bf45497
MD5 hash:
2afffe5c87dd190c098558c5a84f7e0e
SHA1 hash:
fc271526078f6b4be3fc41623dc5b65f42413e83
Link:
https://www.unpac.me/results/025bfc6a-c383-4f46-a97c-03f53d944f91/
SH256 hash:
0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290
MD5 hash:
bc5ab0a5bbea9daf5ec8ad3a2f575e20
SHA1 hash:
d4abcd308eb6f9de17f77f77c30c97cdc545b745
Link:
https://www.unpac.me/results/025bfc6a-c383-4f46-a97c-03f53d944f91/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0e32d0583c8c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mansabo

Executable exe 0e32d0583c8c2726444e6bd95d85f0f1b1de201f3db984489011f71a524c9290

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1800818/
Cape
Cape
https://www.capesandbox.com/analysis/207591/

Comments


Avatar
zbet commented on 2021-11-19 10:51:06 UTC

url : hxxp://167.99.39.23/hoetnaca/exps/Bt.mp4