MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
SHA3-384 hash: b91a021da999d5ca56fa067f6de8426630a28e3612e4bbf32b2bc54c4bf86c0319e1e9c80f5ff95d67ab25b737f45a9b
SHA1 hash: e5725184c2da0103046f44c211cc943582c1b2b2
MD5 hash: 9b8786c9e74cfd314d7fe9fab571d451
humanhash: mango-uniform-violet-paris
File name:9b8786c9e74cfd314d7fe9fab571d451
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:1'570'304 bytes
First seen:2023-03-17 09:15:20 UTC
Last seen:2023-03-17 11:29:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'240 x SnakeKeylogger)
ssdeep 12288:0uKd2SU1qQFhpGf1U1gYZMt4TwIwwNjCBCTIXFgpWW5Gm41jKmejWYzHWsd+1Ys2:NKdKUYLm7dsTccLa1mmerbED
Threatray 293 similar samples on MalwareBazaar
TLSH T168753F07D3E069127277A2298FC53667AEFA306BC5F2CA02D519132E6971CD47F0AF49
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe ManusCrypt

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2023-03-17 02:21:05 UTC
Tags:
loader smoke trojan opendir ransomware stop evasion stealer
Link:
https://app.any.run/tasks/0f9e218e-13fc-4d66-a29f-986e6fabb8ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Fabookie Infostealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375015/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.9891.13834.3694.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Launching a process
Launching cmd.exe command interpreter
Delayed reading of the file
Using the Windows Management Instrumentation requests
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/64142fd5c65d1ebf04c0f5be/reports/4cf6397a-359a-4f5d-9c64-b6663d1dc3ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Threat 2
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fcae088-5a05-419b-a335-c8bf6abc2c85
Result
Threat name:
Amadey, Fabookie, ManusCrypt
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1195657
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates processes via WMI
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically)
Sets debug register (to hijack the execution of another thread)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey bot
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected Fabookie
Yara detected ManusCrypt
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828553 Sample: ejHYRxbnFq.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 119 Malicious sample detected (through community Yara rule) 2->119 121 Antivirus detection for URL or domain 2->121 123 Antivirus / Scanner detection for submitted sample 2->123 125 10 other signatures 2->125 11 ejHYRxbnFq.exe 5 2->11         started        14 rundll32.exe 2->14         started        16 nbveek.exe 2->16         started        process3 file4 83 C:\Users\user\AppData\Local\Temp\zyy.exe, PE32 11->83 dropped 85 C:\Users\user\AppData\Local\Temp\ss31.exe, PE32+ 11->85 dropped 87 C:\Users\user\AppData\Local\...\Player3.exe, PE32 11->87 dropped 89 C:\Users\user\AppData\...\ejHYRxbnFq.exe.log, CSV 11->89 dropped 18 Player3.exe 3 11->18         started        22 zyy.exe 18 1 11->22         started        24 ss31.exe 13 11->24         started        27 rundll32.exe 14->27         started        process5 dnsIp6 77 C:\Users\user\AppData\Local\...\nbveek.exe, PE32 18->77 dropped 127 Antivirus detection for dropped file 18->127 129 Machine Learning detection for dropped file 18->129 29 nbveek.exe 19 18->29         started        131 Creates processes via WMI 22->131 34 zyy.exe 2 22->34         started        105 8.8.8.8 GOOGLEUS United States 24->105 107 157.240.17.35 FACEBOOKUS United States 24->107 109 5 other IPs or domains 24->109 133 Writes to foreign memory regions 27->133 135 Allocates memory in foreign processes 27->135 137 Creates a thread in another existing process (thread injection) 27->137 36 svchost.exe 27->36 injected 38 svchost.exe 27->38 injected 40 svchost.exe 27->40 injected 42 17 other processes 27->42 file7 signatures8 process9 dnsIp10 113 77.73.134.27 FIBEROPTIXDE Kazakhstan 29->113 91 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 29->91 dropped 93 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 29->93 dropped 95 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 29->95 dropped 97 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 29->97 dropped 155 Antivirus detection for dropped file 29->155 157 Creates an undocumented autostart registry key 29->157 159 Machine Learning detection for dropped file 29->159 161 Uses schtasks.exe or at.exe to add and modify task schedules 29->161 44 rundll32.exe 29->44         started        46 cmd.exe 1 29->46         started        48 schtasks.exe 1 29->48         started        50 rundll32.exe 29->50         started        115 188.114.96.3 CLOUDFLARENETUS European Union 34->115 99 C:\Users\user\AppData\Local\Temp\db.dll, PE32 34->99 dropped 163 Sets debug register (to hijack the execution of another thread) 36->163 165 Modifies the context of a thread in another process (thread injection) 36->165 167 Creates processes via WMI 36->167 52 svchost.exe 36->52         started        57 nbveek.exe 38->57         started        117 20.190.159.19 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 40->117 file11 signatures12 process13 dnsIp14 59 rundll32.exe 44->59         started        63 conhost.exe 46->63         started        65 cmd.exe 1 46->65         started        67 cacls.exe 1 46->67         started        71 4 other processes 46->71 69 conhost.exe 48->69         started        101 208.95.112.1 TUT-ASUS United States 52->101 103 34.142.181.181 ATGS-MMD-ASUS United States 52->103 79 C:\Users\user\AppData\Local\...\Cookies.db, SQLite 52->79 dropped 81 C:\Users\user\AppData\Local\...\Login Data.db, SQLite 52->81 dropped 139 Query firmware table information (likely to detect VMs) 52->139 141 Installs new ROOT certificates 52->141 143 Sets a auto configuration URL for Internet Explorer (IE settings are enforced automatically) 52->143 145 Tries to harvest and steal browser information (history, passwords, etc) 52->145 file15 signatures16 process17 dnsIp18 111 192.168.2.1 unknown unknown 59->111 147 System process connects to network (likely due to code injection or exploit) 59->147 149 Tries to steal Instant Messenger accounts or passwords 59->149 151 Tries to harvest and steal ftp login credentials 59->151 153 Tries to harvest and steal browser information (history, passwords, etc) 59->153 73 tar.exe 59->73         started        signatures19 process20 process21 75 conhost.exe 73->75         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09/
Threat name:
ByteCode-MSIL.Trojan.Mokes
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 02:28:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2pq6azm77hlyip4r44rnn2km74gl7ci2wek3pxbdxxt4kku6vueq._file
Verdict:
malicious
Similar samples:
0c802565c73fd2fd624ecab818162f8873935308ebc95f3b17fa74a6c582db12
ManusCrypt
590e81a847fe5bf4bf4e23ce70b49fb27ec3048ffd8b02e360b757d26e2eac6c
ManusCrypt
66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e
ManusCrypt
7db1175e55e2bc864c8e8f0915b5f4167cb0a49a87a751b3fa429be6dc4a8896
ManusCrypt
ad716b9b395d65dca7a31117215c2adedf392162eab7beee500f8061db4785c0
ManusCrypt
ba36d04cdfbdd729450db17a6f0b8b953ca8b91aefb9d56a71e58864c8e0fb61
ManusCrypt
ee7bcbe03b47dc97be9ff40d314819a99dae85cfa544f726bbd59d2a4d770585
ManusCrypt
ef75e4193acf86589cfcf6b49d61e88073fd65ca866ed4197da7c5e4b22bac6e
ManusCrypt
+ 283 additional samples on MalwareBazaar
Result
Malware family:
pseudomanuscrypt
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:pseudomanuscrypt loader spyware stealer trojan
Link:
https://tria.ge/reports/230317-k8hpeshd41/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Downloads MZ/PE file
Amadey
Detects PseudoManuscrypt payload
Process spawned unexpected child process
PseudoManuscrypt
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
77.73.134.27/8bmdh3Slb2/index.php
Unpacked files
SH256 hash:
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73
MD5 hash:
bbaa394e6b0ecb7808722986b90d290c
SHA1 hash:
682e835d7ea19c9aa3d464436d673e5c89ab2bb6
Link:
https://www.unpac.me/results/62faa077-37e2-4a4a-8784-943dee9b7dcd/
SH256 hash:
d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09
MD5 hash:
9b8786c9e74cfd314d7fe9fab571d451
SHA1 hash:
e5725184c2da0103046f44c211cc943582c1b2b2
Link:
https://www.unpac.me/results/62faa077-37e2-4a4a-8784-943dee9b7dcd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d3e1e0659ff9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Volgmer
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector04
Create hunting rule
Author:ditekSHen
Description:Detects downloader / injector
Rule name:msil_rc4
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ManusCrypt

Executable exe d3e1e0659ff9d7843f91e722d6e94cff0cbf891ab115b7dc23bde7c52a9ead09

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2536805/
  
URLhaus
https://urlhaus.abuse.ch/url/2565187/
  
URLhaus
https://urlhaus.abuse.ch/url/2574624/
Cape
Cape
https://www.capesandbox.com/analysis/375015/

Comments


Avatar
zbet commented on 2023-03-17 09:15:22 UTC

url : hxxp://45.9.74.80/powes.exe