MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c
SHA3-384 hash: f6fb943366384726e4b9b54cfc1e64addefef3b131ce83860cbf2f7395890fdcd1ba145248bad0eb18777392851a4e6e
SHA1 hash: 28bf3699687c087f6e79e83bb3a661ab77a22f63
MD5 hash: a00c734d7a5312cdf8ed6c75ef68941b
humanhash: massachusetts-ceiling-kansas-sad
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:659'968 bytes
First seen:2023-03-01 17:43:43 UTC
Last seen:2023-03-01 19:35:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'238 x SnakeKeylogger)
ssdeep 12288:e1LkAWcOiaZmqFdbdu/gm3kmzQ8MLyX9SSquGyb4VXq1OVe:e1wAWcObTwVzBM2NSSBGk4V7e
Threatray 285 similar samples on MalwareBazaar
TLSH T1E6E46A422DF99329C1F3DC337626F4D3E2B5974D8A675EC8203A63101AC1AAEA55533F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe ManusCrypt MSIL

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-01 13:58:39 UTC
Tags:
loader smoke trojan ransomware stop stealer rat redline
Link:
https://app.any.run/tasks/2661dfb8-46c8-489d-beb7-85a52671579a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370850/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.43.22311.7731.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
DNS request
Sending an HTTP GET request
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Searching for synchronization primitives
Sending a UDP request
Possible injection to a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
67%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/63ff8eeabbedb8176ff20454/reports/6bd167af-a177-48a5-a90f-8e188a269e51/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Threat 2
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/283798d9-c0e4-4539-b4d4-fc87eeb42378
Result
Threat name:
Fabookie, ManusCrypt
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1185066
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Installs new ROOT certificates
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected ManusCrypt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817922 Sample: file.exe Startdate: 01/03/2023 Architecture: WINDOWS Score: 100 93 Snort IDS alert for network traffic 2->93 95 Multi AV Scanner detection for domain / URL 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 7 other signatures 2->99 8 rundll32.exe 2->8         started        10 file.exe 4 2->10         started        13 WmiPrvSE.exe 2->13         started        process3 file4 16 rundll32.exe 2 8->16         started        53 C:\Users\user\AppData\Local\Temp\cc.exe, PE32 10->53 dropped 55 C:\Users\user\AppData\Local\...\file.exe.log, CSV 10->55 dropped 57 C:\Users\user\AppData\Local\Temp\2210.exe, PE32+ 10->57 dropped 19 cc.exe 1 10->19         started        21 2210.exe 14 10->21         started        117 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 13->117 119 Queries temperature or sensor information (via WMI often done to detect virtual machines) 13->119 signatures5 process6 dnsIp7 85 Writes to foreign memory regions 16->85 87 Allocates memory in foreign processes 16->87 89 Creates a thread in another existing process (thread injection) 16->89 25 svchost.exe 1 16->25 injected 28 svchost.exe 16->28 injected 30 svchost.exe 16->30 injected 36 17 other processes 16->36 91 Creates processes via WMI 19->91 33 cc.exe 2 19->33         started        59 t.vvvos3s50a.com 85.209.157.230, 49702, 80 ENZUINC-US Netherlands 21->59 61 157.240.20.35 FACEBOOKUS United States 21->61 63 3 other IPs or domains 21->63 47 C:\Users\user\AppData\Local\...\2210[1].dll, DOS 21->47 dropped file8 signatures9 process10 dnsIp11 109 System process connects to network (likely due to code injection or exploit) 25->109 111 Sets debug register (to hijack the execution of another thread) 25->111 113 Modifies the context of a thread in another process (thread injection) 25->113 115 3 other signatures 25->115 38 svchost.exe 12 14 25->38         started        43 WMIADAP.exe 28->43         started        71 20.190.159.5 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->71 73 20.190.159.69 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->73 75 192.229.221.95 EDGECASTUS United States 30->75 81 2 other IPs or domains 33->81 45 C:\Users\user\AppData\Local\Temp\db.dll, PE32 33->45 dropped 77 20.90.152.133 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->77 79 20.90.153.243 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->79 83 2 other IPs or domains 36->83 file12 signatures13 process14 dnsIp15 65 g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States 38->65 67 208.95.112.1 TUT-ASUS United States 38->67 69 172.67.161.69 CLOUDFLARENETUS United States 38->69 49 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 38->49 dropped 51 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 38->51 dropped 101 Query firmware table information (likely to detect VMs) 38->101 103 Installs new ROOT certificates 38->103 105 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 38->105 107 Tries to harvest and steal browser information (history, passwords, etc) 38->107 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c/
Threat name:
ByteCode-MSIL.Downloader.ShortLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 01:24:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
22 of 25 (88.00%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nw65xjrq5jzyf6a7ahw6aiv6kmh247y3u6rwtr4ar7lhujcxki6a._file
Verdict:
malicious
Similar samples:
0a5d832f3594465625f855e63075362cf73ef323fc32964e73327aa6a1030584
ManusCrypt
4ca6df75008045a45e441869a4389b4ef620df9f89cd5f05fd329d0f9987c822
ManusCrypt
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365
ManusCrypt
7b211f0a09065339686ab1a2aa004fc88578c5eec065aae75f332e7f40c3a42b
ManusCrypt
9a8d4f6c8f24d96d32ef8974ba8c96cc02d4fca7d46c3d1edf7e70d6027805f5
ManusCrypt
9d6f720f4d9bd455371b863ce479c490ebb437ff53c1635fe7befd5eff30af10
ManusCrypt
b9a81253d85a5da410ec8cf345c2444ec09739e5c9842e4031195209bacbf8ab
ManusCrypt
ef3cf49b6d22cf8fe5dcc824202f139136cf03aeb9087c458cfe0e8d0312e105
ManusCrypt
+ 275 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230301-wa58lshd25/
Behaviour
Script User-Agent
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Process spawned unexpected child process
Unpacked files
SH256 hash:
6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c
MD5 hash:
a00c734d7a5312cdf8ed6c75ef68941b
SHA1 hash:
28bf3699687c087f6e79e83bb3a661ab77a22f63
Link:
https://www.unpac.me/results/34aee13f-0e19-4a76-afa7-91f344d38b98/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6dbddba630ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe 6dbddba630ea7382f81f01ede022be530fae7f1ba7a369c7808fd67a2457523c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2536805/
Cape
Cape
https://www.capesandbox.com/analysis/370850/

Comments