MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 13


Intelligence 13 IOCs YARA 15 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6
SHA3-384 hash: 1192a5ca7236612002484c264bb9fd5235f3eea9c8718e8a8648c8ac154f1fa9c8f337d1cc1ef0a600949ac638d9cb17
SHA1 hash: 792602df079f7a494d29c816ff380fbd938ceee1
MD5 hash: 6b8976a7665e344c2e1b14f63d821acf
humanhash: harry-beryllium-shade-yellow
File name:6b8976a7665e344c2e1b14f63d821acf
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:5'718'528 bytes
First seen:2023-01-24 06:27:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:p4B3tqNJ/2VsA5AIwpaqq4lpYxcw/XXUruDUx7z+bK8YJ+asbsGKCZir:CB9qN45blb4lexcw/nUCDUVh+1X
TLSH T15346EF704ABA56C6EBF3ED79C37AB65D48F731974C8288FE5240574209922C8A57332F
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe ManusCrypt

Intelligence

File Origin
# of uploads :
1
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
6b8976a7665e344c2e1b14f63d821acf
Verdict:
Malicious activity
Analysis date:
2023-01-24 06:29:47 UTC
Tags:
evasion loader gcleaner trojan rat redline stealer opendir vidar
Link:
https://app.any.run/tasks/fbcd3131-c7ae-4676-8586-87b633f47b96

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/356233/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm mokes packed
Link:
https://www.filescan.io/uploads/63cf7a742d4f6d560e2293b7/reports/cd0c5da8-fab0-4ab2-92a2-a65daf9d95ac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8665a37-c636-42b6-83ac-b52e917e75b2
Result
Threat name:
Fabookie, ManusCrypt, Nymaim, Socelars
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157645
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries temperature or sensor information (via WMI often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Fabookie
Yara detected ManusCrypt
Yara detected Nymaim
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 790382 Sample: 0fx8tmMwZ9.exe Startdate: 24/01/2023 Architecture: WINDOWS Score: 100 66 45.12.253.72 CMCSUS Germany 2->66 68 45.12.253.98 CMCSUS Germany 2->68 110 Snort IDS alert for network traffic 2->110 112 Multi AV Scanner detection for domain / URL 2->112 114 Malicious sample detected (through community Yara rule) 2->114 116 12 other signatures 2->116 9 0fx8tmMwZ9.exe 6 2->9         started        12 rundll32.exe 2->12         started        signatures3 process4 file5 56 C:\Users\user\AppData\Local\Temp\setup.exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\Temp\pb1109.exe, PE32+ 9->58 dropped 60 C:\Users\user\AppData\Local\...\handdiy_3.exe, PE32 9->60 dropped 62 2 other malicious files 9->62 dropped 14 setup.exe 15 9->14         started        18 handdiy_3.exe 12 9->18         started        20 cc.exe 2 9->20         started        22 pb1109.exe 9->22         started        24 rundll32.exe 2 12->24         started        process6 dnsIp7 84 45.12.253.56 CMCSUS Germany 14->84 126 Multi AV Scanner detection for dropped file 14->126 128 Detected unpacking (changes PE section rights) 14->128 130 Detected unpacking (overwrites its own PE header) 14->130 26 WerFault.exe 14->26         started        86 iplogger.org 148.251.234.83, 443, 49716 HETZNER-ASDE Germany 18->86 88 www.icodeps.com 149.28.253.196, 443, 49712 AS-CHOOPAUS United States 18->88 132 Antivirus detection for dropped file 18->132 134 May check the online IP address of the machine 18->134 136 Machine Learning detection for dropped file 18->136 28 WerFault.exe 18->28         started        138 Creates processes via WMI 20->138 31 cc.exe 3 20->31         started        34 conhost.exe 20->34         started        90 45.66.159.142 ENZUINC-US Russian Federation 22->90 92 star-mini.c10r.facebook.com 157.240.253.35, 443, 49713, 49715 FACEBOOKUS United States 22->92 94 www.facebook.com 22->94 140 Writes to foreign memory regions 24->140 142 Allocates memory in foreign processes 24->142 144 Creates a thread in another existing process (thread injection) 24->144 36 svchost.exe 24->36 injected 39 svchost.exe 24->39 injected 41 svchost.exe 24->41 injected 43 16 other processes 24->43 signatures8 process9 dnsIp10 70 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->70 72 xv.yxzgamen.com 188.114.96.3, 443, 49711 CLOUDFLARENETUS European Union 31->72 82 2 other IPs or domains 31->82 64 C:\Users\user\AppData\Local\Temp\db.dll, PE32 31->64 dropped 45 conhost.exe 31->45         started        118 System process connects to network (likely due to code injection or exploit) 36->118 120 Sets debug register (to hijack the execution of another thread) 36->120 122 Modifies the context of a thread in another process (thread injection) 36->122 124 3 other signatures 36->124 47 svchost.exe 36->47         started        74 23.35.236.109 ZAYO-6461US United States 39->74 76 93.184.220.29 EDGECASTUS European Union 41->76 78 20.90.152.133 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->78 80 20.90.156.32 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 43->80 file11 signatures12 process13 dnsIp14 96 g.agametog.com 34.142.181.181 ATGS-MMD-ASUS United States 47->96 98 208.95.112.1 TUT-ASUS United States 47->98 100 172.67.161.69 CLOUDFLARENETUS United States 47->100 52 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 47->52 dropped 54 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 47->54 dropped 102 Query firmware table information (likely to detect VMs) 47->102 104 Installs new ROOT certificates 47->104 106 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 47->106 108 Tries to harvest and steal browser information (history, passwords, etc) 47->108 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sato3ziknlvw7tycqa2fuecmnjyswk5mkmrkltke2ybizn5uista._file
Verdict:
malicious
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:socelars loader spyware stealer vmprotect
Link:
https://tria.ge/reports/230124-g8bz4ahb27/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Executes dropped EXE
VMProtect packed file
GCleaner
Process spawned unexpected child process
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://hdbywe.s3.us-west-2.amazonaws.com/sdfeas18/
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Unpacked files
SH256 hash:
ee98f7f20da57050ef47be4200dbd3c507fcb516223877803ba7a75a652301ed
MD5 hash:
b40d68dd8bc069c7c9bdcf30fd6c4e6d
SHA1 hash:
82c6c3c03619bfc68b6426b1102084f22ceb1667
Link:
https://www.unpac.me/results/960968f7-abf9-4515-b7d0-c23995413638/
SH256 hash:
9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6
MD5 hash:
6b8976a7665e344c2e1b14f63d821acf
SHA1 hash:
792602df079f7a494d29c816ff380fbd938ceee1
Link:
https://www.unpac.me/results/960968f7-abf9-4515-b7d0-c23995413638/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9026ede50a6a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:win_gcleaner_de41
Create hunting rule
Author:Johannes Bader
Description:detects GCleaner
Rule name:win_gcleaner_w0
Create hunting rule
Author:Johannes Bader @viql
Description:detects GCleaner

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe 9026ede50a6aeb6fcf0280345a104c6a712b2bac5322a5cd44d6028cb7b444a6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2516894/
Cape
Cape
https://www.capesandbox.com/analysis/356233/

Comments


Avatar
zbet commented on 2023-01-24 06:28:05 UTC

url : hxxps://cleanpcsoft.com/JavHad.exe