MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32
SHA3-384 hash: 6dd98a8b0c8fd0c5b96d793de53111d39ccc30cc1a0965869b8a54aabd111a4f1b318df32deb853b8559d50d8924b5cb
SHA1 hash: f225f686fe9027eb2527bc945895fead79e67926
MD5 hash: 7429ee8b83fcbb48fe5b383a6235ac1d
humanhash: black-vegan-golf-fruit
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:770'171 bytes
First seen:2023-03-23 15:37:23 UTC
Last seen:2023-03-23 16:38:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:VQi3IG+zy2Rc6m6UR0Ipp1hf39Wkv8xwJA:VQiYG+zy2RzHIppdUMA
Threatray 209 similar samples on MalwareBazaar
TLSH T17BF4E003E646902FDC115B33D952BC71EEEEEE32DB255127268F3A4A1E321C1915F6B2
TrID 78.6% (.EXE) Inno Setup installer (109740/4/30)
10.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
2.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 3044f031f1c8d800 (1 x RedLineStealer, 1 x ManusCrypt)
Reporter andretavare5
Tags:exe ManusCrypt


Avatar
andretavare5
Sample downloaded from https://napoli.s3.fr-par.scw.cloud/1.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-23 15:42:25 UTC
Tags:
installer evasion loader
Link:
https://app.any.run/tasks/f6c04f5f-6a52-42fe-8a74-a37dd4efb373

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376899/
Detection(s):
Win.Downloader.Dealalpha-9957452-0
Create hunting rule

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Searching for synchronization primitives
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Launching a process
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/74448/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/641c725b6ed02dd52de51db1/reports/8969996c-4ec3-4231-99ad-9b08b54a396d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/beb6f882-b52c-401f-8805-61e7f6d59618
Result
Threat name:
Fabookie, ManusCrypt, Nymaim
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1200553
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected ManusCrypt
Yara detected Nymaim
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 833458 Sample: file.exe Startdate: 23/03/2023 Architecture: WINDOWS Score: 100 113 45.12.253.72 CMCSUS Germany 2->113 115 45.12.253.75 CMCSUS Germany 2->115 117 45.12.253.98 CMCSUS Germany 2->117 159 Snort IDS alert for network traffic 2->159 161 Multi AV Scanner detection for domain / URL 2->161 163 Malicious sample detected (through community Yara rule) 2->163 165 13 other signatures 2->165 13 file.exe 2 2->13         started        17 rundll32.exe 2->17         started        19 Haqawaejaezha.exe 18 2->19         started        22 Haqawaejaezha.exe 2->22         started        signatures3 process4 dnsIp5 103 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 13->103 dropped 179 Obfuscated command line found 13->179 24 file.tmp 3 19 13->24         started        28 rundll32.exe 17->28         started        119 uchiha.s3.pl-waw.scw.cloud 19->119 121 senju.s3.pl-waw.scw.cloud 19->121 123 2 other IPs or domains 19->123 file6 signatures7 process8 dnsIp9 133 130.117.252.29, 49695, 80 BLUEARCHIVE-ZONE-1US United States 24->133 135 s3.eu-central-1.wasabisys.com 24->135 95 C:\Users\user\AppData\Local\Temp\...\rt.exe, PE32 24->95 dropped 97 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 24->97 dropped 99 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 24->99 dropped 101 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 24->101 dropped 31 rt.exe 22 18 24->31         started        173 Writes to foreign memory regions 28->173 175 Allocates memory in foreign processes 28->175 177 Creates a thread in another existing process (thread injection) 28->177 36 svchost.exe 28->36 injected file10 signatures11 process12 dnsIp13 137 connectini.net 37.230.138.123, 443, 49696, 49704 ROCKETTELECOM-ASRU Russian Federation 31->137 139 s3.eu-central-1.wasabisys.com 31->139 141 8 other IPs or domains 31->141 79 C:\Users\user\AppData\...\Haqawaejaezha.exe, PE32 31->79 dropped 81 C:\Program Files (x86)\...\Haqawaejaezha.exe, PE32 31->81 dropped 83 C:\Users\user\...\Haqawaejaezha.exe.config, XML 31->83 dropped 85 C:\...\Haqawaejaezha.exe.config, XML 31->85 dropped 143 Multi AV Scanner detection for dropped file 31->143 145 May check the online IP address of the machine 31->145 147 Creates HTML files with .exe extension (expired dropper behavior) 31->147 38 Haqawaejaezha.exe 14 14 31->38         started        file14 signatures15 process16 dnsIp17 127 www.cpasdrole.com 38->127 129 connectini.net 38->129 131 8 other IPs or domains 38->131 89 C:\Users\user\AppData\Local\...\gcleaner.exe, PE32 38->89 dropped 91 C:\Users\user\AppData\Local\...\chenp.exe, PE32 38->91 dropped 93 C:\Users\user\AppData\Local\Temp\...\ss27.exe, PE32+ 38->93 dropped 167 Multi AV Scanner detection for dropped file 38->167 169 May check the online IP address of the machine 38->169 171 Sets debug register (to hijack the execution of another thread) 38->171 43 cmd.exe 38->43         started        45 cmd.exe 38->45         started        47 cmd.exe 38->47         started        file18 signatures19 process20 process21 49 gcleaner.exe 43->49         started        53 conhost.exe 43->53         started        55 chenp.exe 45->55         started        57 conhost.exe 45->57         started        59 ss27.exe 47->59         started        61 conhost.exe 47->61         started        dnsIp22 105 45.12.253.56, 49725, 80 CMCSUS Germany 49->105 149 Detected unpacking (changes PE section rights) 49->149 151 Detected unpacking (overwrites its own PE header) 49->151 63 cmd.exe 49->63         started        65 WerFault.exe 49->65         started        67 WerFault.exe 49->67         started        73 6 other processes 49->73 153 Multi AV Scanner detection for dropped file 55->153 155 Creates processes via WMI 55->155 69 chenp.exe 55->69         started        107 157.240.17.35 FACEBOOKUS United States 59->107 109 157.240.234.35 FACEBOOKUS United States 59->109 111 4 other IPs or domains 59->111 157 Tries to harvest and steal browser information (history, passwords, etc) 59->157 signatures23 process24 dnsIp25 75 conhost.exe 63->75         started        77 taskkill.exe 63->77         started        125 j.ffbbjjkk.com 188.114.97.7, 443, 49724, 49726 CLOUDFLARENETUS European Union 69->125 87 C:\Users\user\AppData\Local\Temp\db.dll, PE32 69->87 dropped file26 process27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-03-17 13:56:58 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgqh4lcerl7i3fvf66mwrv7n4uwubhm5g3l2o7vkdegfy4gph4za._file
Verdict:
malicious
Similar samples:
1449e7a3111fdfb697c631367fcbc08eb0ab911bc280fd0c3d132cc3918d1da6
ManusCrypt
6be048992227daa3e44558b5e8b342f3f153eb0ff535ab399f4cd4ae3e4345bb
ManusCrypt
885e0a44035c45c8643139acac60e5f8ca2ada3218bda9691dcbd98602653703
ManusCrypt
8b1813aef6ef673d4a0973bbf426857d251c21e71889376ba581652b5e56e4f3
ManusCrypt
ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
ManusCrypt
d026b0f1bfa1ea1bc142695477450d6bd4c10e6d7cdbff1d4e8abaad8f04b6c1
ManusCrypt
f5302b9e1f7a2c2c69ce10c5975d4ceee06a7cec5a9b834fd63dece231838fe7
ManusCrypt
+ 199 additional samples on MalwareBazaar
Result
Malware family:
pseudomanuscrypt
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:pseudomanuscrypt evasion loader persistence spyware stealer
Link:
https://tria.ge/reports/230323-s22sqaae6y/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Downloads MZ/PE file
Drops file in Drivers directory
Checks for common network interception software
Detects PseudoManuscrypt payload
GCleaner
Process spawned unexpected child process
PseudoManuscrypt
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7d09d044-4d03-41b4-963a-df59841b45a0/
SH256 hash:
234a7035764a840cc5e7b6d4fff861a366e7233df438f6a48340de22ab6603e0
MD5 hash:
63d52df71fb1f36a82a55876e62bb0c5
SHA1 hash:
774d2940db3f99e047be6b2d429086a675c66ef4
Link:
https://www.unpac.me/results/7d09d044-4d03-41b4-963a-df59841b45a0/
SH256 hash:
59a07e2c448afe8d96a5f79968d7ede52d409d9d36d7a77eaa190c5c70cf3f32
MD5 hash:
7429ee8b83fcbb48fe5b383a6235ac1d
SHA1 hash:
f225f686fe9027eb2527bc945895fead79e67926
Link:
https://www.unpac.me/results/7d09d044-4d03-41b4-963a-df59841b45a0/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/376899/
  
URLhaus
https://urlhaus.abuse.ch/url/2582349/

Comments