MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954
SHA3-384 hash: dd1bdd90bd996182d101c1f7c669b8615da932d4ccb5394bbc2a8a6cdb6dfac55bae7137e43e243492c83a48779f1d20
SHA1 hash: 999cdf0c67555c620da7c311d4be77fb19932b59
MD5 hash: 51db87bd259c144a2f8502be3a964d32
humanhash: bakerloo-sodium-virginia-grey
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:2'034'664 bytes
First seen:2022-12-24 19:39:49 UTC
Last seen:2022-12-24 21:30:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5da6903811911bf599fe9217e46f6bb4 (1 x LgoogLoader, 1 x ManusCrypt)
ssdeep 49152:JaBIOU793vSNKyqwTyxRLloBY/2Aq7ppL99YZnfXT:JHzx36NKylTyxRLlmY/2Aq9pL4Znfj
Threatray 86 similar samples on MalwareBazaar
TLSH T17C95BE1112689BDDFCBD43BBF1A18A4EBC6397E42B28CC4E3DCD3A4A6C096670D17165
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f8e4f09ce5e0e0f0 (1 x ManusCrypt)
Reporter jstrosch
Tags:exe ManusCrypt signed

Code Signing Certificate

Organisation:*.wpengine.com
Issuer:RapidSSL Global TLS RSA4096 SHA256 2022 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-08-01T00:00:00Z
Valid to:2023-09-01T23:59:59Z
Serial number: 041e465abd529b90b720c6cc60ac3bd5
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ba37712cfc5b473003b769193cb6f7643d583bc16fb49eafa510e022fcd0f148
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-24 19:42:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7250053e-6100-418a-a0a5-3bc346f94f98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.5279.26124.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63a75595898959f356c5bd78/reports/fc8ff2f3-58a3-4d27-89da-64dbc163ad5f/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d11bab0-f7ba-4aed-8207-ad316e019a60
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1140567
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2022-12-24 19:40:12 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m7bryv4u7akyovtuljtu4khviewid4yqtunpfs6mflmr6ze63fka._file
Verdict:
malicious
Similar samples:
154ca9b65ed10747abd833a0ea2a7b5135742ea3fdad1f53f006216fc7950ebf
ManusCrypt
3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597
ManusCrypt
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
ManusCrypt
68fd573a5c864560d33008461b4cc2d848542891111226c9c56d85e289f9c1c4
ManusCrypt
8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177
ManusCrypt
93dc33973823843d0eba85f4f9f09561f37ff650129cdacc2ead9fffd8d131a1
ManusCrypt
c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd
ManusCrypt
ca240b4fd7c8b8dc492d92070641e46fd4dd125a7e9d394d7d1bba7e83cabfca
ManusCrypt
dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf
ManusCrypt
+ 76 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221224-ydh9csdf8y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Detects LgoogLoader payload
LgoogLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
1ea522eee30c94b608f92468b9483b3f21e151629224ba1c2f08c11fa2b78bb6
MD5 hash:
bb0c28868531e66f30f766bb9fcbc156
SHA1 hash:
8b0aa03d05007d5cfde76948ff0dcea432d34598
Link:
https://www.unpac.me/results/3c7bee8b-7398-4d08-a71d-889934988cab/
SH256 hash:
67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954
MD5 hash:
51db87bd259c144a2f8502be3a964d32
SHA1 hash:
999cdf0c67555c620da7c311d4be77fb19932b59
Link:
https://www.unpac.me/results/3c7bee8b-7398-4d08-a71d-889934988cab/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/67c31c5794f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe 67c31c5794f8158756745a674e28f5412c81f3109d1af2cbcc2ad91f649ed954

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2485896/

Comments