MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ManusCrypt

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd
SHA3-384 hash:	e387e3f685cbb342580f1baf50a8ede23aecbcd71ce065a5cd76d98bfc5f3d5b7a3406869a522241cc3c28b767c5cd95
SHA1 hash:	345ac5a24438b8edb695d32bde79502023e09e31
MD5 hash:	e7f609df5c0fcdc581a69ed69aa3c4a1
humanhash:	emma-beryllium-carolina-sink
File name:	e7f609df5c0fcdc581a69ed69aa3c4a1.exe
Download:	download sample
Signature	ManusCrypt Create hunting rule
File size:	315'392 bytes
First seen:	2023-03-06 12:36:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	30536483726143b4d0afeee8884fc70b (10 x ManusCrypt)
ssdeep	6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1IEP3:i814Xn0Ti8tbJyIQdjrfzuEP3
Threatray	585 similar samples on MalwareBazaar
TLSH	T106648D1137E1C877D4B315734E52C3A972B6BE11AD32864B6BD03B0EAE70542CF29B69
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter	abuse_ch
Tags:	exe ManusCrypt

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

e7f609df5c0fcdc581a69ed69aa3c4a1.exe

Verdict:

Malicious activity

Analysis date:

2023-03-06 12:39:26 UTC

Tags:

evasion stealer

Link:

https://app.any.run/tasks/c04a246f-d8dd-40df-b492-665053b8fc92

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Fabookie Infostealer

Link:

https://www.capesandbox.com/analysis/371960/

Detection(s):

SecuriteInfo.com.Variant.Mikey.144518.10825.6573.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a file in the %temp% directory

Using the Windows Management Instrumentation requests

Launching a process

Searching for synchronization primitives

Sending a UDP request

Possible injection to a system process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm emotet greyware keylogger manuscrypt mikey

Link:

https://www.filescan.io/uploads/6405de6ff110781a3903aedd/reports/ea07aaac-10d2-489e-a37e-c3892b074b3d/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/164bfbf8-0506-474f-9bb8-028f0bbd132f

Result

Threat name:

ManusCrypt

Detection:

malicious

Classification:

bank.troj.spyw.evad.phis

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188152

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Installs new ROOT certificates

Malicious sample detected (through community Yara rule)

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Queries temperature or sensor information (via WMI often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected ManusCrypt

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd/

Threat name:

Win32.Adware.RedCap

Status:

Malicious

First seen:

2023-03-06 12:42:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

13 of 39 (33.33%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kqkrsivtu6q7c3q3ca2w3iilqkj3nsujp7wz2sh75m6s5lrgqxgq._file

Verdict:

malicious

ManusCrypt

5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

ManusCrypt

6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c

ManusCrypt

7b211f0a09065339686ab1a2aa004fc88578c5eec065aae75f332e7f40c3a42b

ManusCrypt

9a8d4f6c8f24d96d32ef8974ba8c96cc02d4fca7d46c3d1edf7e70d6027805f5

ManusCrypt

9d6f720f4d9bd455371b863ce479c490ebb437ff53c1635fe7befd5eff30af10

ManusCrypt

b261a7995c16bc433bd714b2830e519c40c3b8bd60ad6a6239ce27e672dc6650

ManusCrypt

b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab

ManusCrypt

ef3cf49b6d22cf8fe5dcc824202f139136cf03aeb9087c458cfe0e8d0312e105

ManusCrypt

+ 575 additional samples on MalwareBazaar

Result

Malware family:

pseudomanuscrypt

Score:

10/10

Tags:

family:pseudomanuscrypt loader

Link:

https://tria.ge/reports/230306-ptfzhabf71/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Modifies registry class

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Checks computer location settings

Loads dropped DLL

Unexpected DNS network traffic destination

Detects PseudoManuscrypt payload

Process spawned unexpected child process

PseudoManuscrypt

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd

MD5 hash:

e7f609df5c0fcdc581a69ed69aa3c4a1

SHA1 hash:

345ac5a24438b8edb695d32bde79502023e09e31

Link:

https://www.unpac.me/results/d07626d4-7245-491f-8bfa-bf16173b7c23/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/54151922b3a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/54151922b3a7a1f16e1b10356da10b8293b6ca897fed9d48ffeb3d2eae2685cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.