MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597
SHA3-384 hash: 9b94790591ab2703323177dd41ff8ddf67f5018c681c7805a1b87b87d3ef4455defce85df64bfb76c0699585a6e2bcfc
SHA1 hash: d34ec490ac26427921b246ad32a147cefc55beaf
MD5 hash: b78aa2e8ca3b1fff30e4f012bd72c371
humanhash: xray-hydrogen-pasta-butter
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:1'444'264 bytes
First seen:2022-12-22 22:11:02 UTC
Last seen:2022-12-22 23:31:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21b6a4e9054e8bbad032c11f147ef0f3 (3 x LgoogLoader, 1 x ArkeiStealer, 1 x ManusCrypt)
ssdeep 24576:6rCg8mxmu6JNpvpP4Pbcv8JxRSWjobZuylFcJ/a969xG5cVeB8F8888aWP9p7y23:ugu6914Q8REbU4g3Pb7y2wK
Threatray 250 similar samples on MalwareBazaar
TLSH T1F2655CE32E264EB4FAD25AF1986BCE65726D0DFC245C9E057E11CC4E185222142D8FEF
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0f4b27268eaf0e8 (1 x ManusCrypt)
Reporter jstrosch
Tags:exe ManusCrypt signed

Code Signing Certificate

Organisation:seek.com.au
Issuer:Amazon RSA 2048 M01
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-10T00:00:00Z
Valid to:2023-12-10T23:59:59Z
Serial number: 0a820e2006e89aba1bd23600cef1da4b
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e59fcf4ff036faccdc8f17a0e7c7ba4ca78dbf94d563de4f4c16782b58ce0f23
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2022-12-22 22:12:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2e14afd6-e256-46b7-9f55-c08098f9008d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349211/
Detection(s):
SecuriteInfo.com.Variant.Jaik.109106.27031.10692.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Launching a process
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4df745f5-b428-4216-aca5-0e2508cd332e
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1139658
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597/
Threat name:
Win32.Trojan.Jaik
Create hunting rule
Status:
Malicious
First seen:
2022-12-22 22:12:08 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
15 of 39 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkrjbmdhzpjd2qsidnq4osxfpa2csp45uluemhr563qgfgxmwwlq._file
Verdict:
malicious
Similar samples:
154ca9b65ed10747abd833a0ea2a7b5135742ea3fdad1f53f006216fc7950ebf
ManusCrypt
2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d
ManusCrypt
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
ManusCrypt
6b955c6b75fd243f374ffffc38466f94889e3a5ccb3947babf4e79e8358db6fe
ManusCrypt
8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177
ManusCrypt
9f29109994932960f368925877a9beed7cd6e687686cc8131937e7bbe58384f4
ManusCrypt
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
ManusCrypt
dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c
ManusCrypt
dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf
ManusCrypt
e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4
ManusCrypt
+ 240 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221222-13xjdsfc87/
Behaviour
Suspicious behavior: EnumeratesProcesses
Program crash
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d00540f9-ea08-4050-82d3-20756abb71ab
Unpacked files
SH256 hash:
7e7d3e67d0fda02724b852a9ecd20e3ba9c63b45f163acb257ae26e5854ffdc3
MD5 hash:
6c4300193f892f32333d497f98266d40
SHA1 hash:
1622eb7e5f943c346c895e4bdea406c34440a395
Link:
https://www.unpac.me/results/59518c2b-b8ba-4505-80f8-6aa5ef196e70/
SH256 hash:
3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597
MD5 hash:
b78aa2e8ca3b1fff30e4f012bd72c371
SHA1 hash:
d34ec490ac26427921b246ad32a147cefc55beaf
Link:
https://www.unpac.me/results/59518c2b-b8ba-4505-80f8-6aa5ef196e70/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3aa290b067cb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.27
Link:
https://yomi.yoroi.company/submissions/3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe 3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349211/

Comments