MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
SHA3-384 hash: 31b79aaaf3ec9abffcf77664cdf28a19f08fc69c0ac66a487892b199244eed0add22ee50c690ee3813f53b5d058c647e
SHA1 hash: 2b3c06b550d5a2171e40a7edc390c88aa258c422
MD5 hash: 3bf7bbc0f949e65080db6e99d3767e13
humanhash: river-table-sodium-crazy
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:1'959'328 bytes
First seen:2023-01-04 01:58:15 UTC
Last seen:2023-01-04 03:29:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe01f9f8334b2fe85e327d2dedbba869 (2 x ManusCrypt, 2 x LgoogLoader, 1 x RedLineStealer)
ssdeep 24576:ZW1YrBXOK6QQeh1551JwzQ1Ju5E0UiZTmz8rUPcMcW25SZroejHU1F1AUkd+qEu:Q1khJw8K/Z33Fh8Ku
Threatray 103 similar samples on MalwareBazaar
TLSH T14595AD10B8E9E76FFCD0657F64B3C226419C8967A42F2C81ADC9F10B11665D93E84FB8
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b27138fcfcb871b2 (1 x ManusCrypt)
Reporter jstrosch
Tags:exe ManusCrypt signed

Code Signing Certificate

Organisation:time-les.si
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-13T13:11:51Z
Valid to:2023-03-13T13:11:50Z
Serial number: 0309d972f05bac35baca02cd759248fea2a6
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: fad64cfa2658a656a41359e4d0646c5f29776ae6c51760719114daa6f67d1997
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-12-29 14:02:01 UTC
Tags:
trojan amadey loader rat redline smoke stealer
Link:
https://app.any.run/tasks/51fe09c7-c580-4fde-a024-a0e31edd6503

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/349294/
Detection(s):
SecuriteInfo.com.Trojan.Generic.32790257.7230.13535.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Launching a process
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63b4dd68a66e2eb29737b315/reports/718554a2-acb4-44e2-b3ce-0548252a7130/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/154d1c09-2f4a-47ae-8258-304d5bf7fecd
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144881
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-12-28 16:47:37 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
26 of 39 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2bv7rt3phy6fq2kfhspeitlghehsylo6zdmoxzwoyaqhununghzq._file
Verdict:
malicious
Similar samples:
36c4671ed74faa58deb5e4beeb3e5a2dea396af537cf24e2faf3b08d35b088d3
ManusCrypt
44192d53830cd0b58bd4c3213649104f23f5c5cb2d4f1168d2d07654e841b907
ManusCrypt
4aba54c660a656f5bb5b75ea11029217bdf96c931c21d1143042ac3278ac6e43
ManusCrypt
4ae50705d897b5c7a148bfe6241b8c1e50d8bd836ea1af326264128d58ced7c7
ManusCrypt
51bca1340951634cd5bdb488290a162c521945fb0cf52c360b9420c8a3cfd9e4
ManusCrypt
5e445100682a5982df3301b2631e3be0d503df870175d50cf0faa3e374e742fd
ManusCrypt
7a5647b5e4aca4354ceac0ab494086ecf14ccfaef3075110ca5fde952982e88d
ManusCrypt
7e20c52b5f40ae6bdfaa67996aa35a93c3ff1e1a197ba6b582fac1555af6d0f9
ManusCrypt
ba4fb2a15fa8baf942cdb9bddc882288290dbb6663b701b67e9ae48c85d362cb
ManusCrypt
be7096119b86de54f3a82c8059e372396169c30d2300d4ec768f4065e4b1b9a7
ManusCrypt
+ 93 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/230104-ced55sgh2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef50217b-2f3f-468a-b0c5-bff71f6dc802
Unpacked files
SH256 hash:
6f079062e4919e66f075dfbd6c31302390a43d963881a62e86b1a1124e9919fd
MD5 hash:
5080acf2a91b7564ebb3143ce4c67112
SHA1 hash:
beff86621bfaed4018499e2d3c48528b80dada0a
Link:
https://www.unpac.me/results/fb1be3a3-8a53-4db4-9e05-a13a2be81474/
SH256 hash:
d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3
MD5 hash:
3bf7bbc0f949e65080db6e99d3767e13
SHA1 hash:
2b3c06b550d5a2171e40a7edc390c88aa258c422
Link:
https://www.unpac.me/results/fb1be3a3-8a53-4db4-9e05-a13a2be81474/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d06bf8cf6f3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/349294/
  
URLhaus
https://urlhaus.abuse.ch/url/2496332/

Comments