MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ManusCrypt


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3
SHA3-384 hash: 36fe0dbbe35dae8a5d1d814cfcc00c3f37af82ab86276aa28f7d28dacb643f0acf77b8496cc3cdc5269d77b7805e8a67
SHA1 hash: d0052de58344afe56ca0db5827fb5b713d568cdf
MD5 hash: fb795346665ad27af95872302e838827
humanhash: sixteen-river-music-grey
File name:file
Download: download sample
Signature ManusCrypt
Create hunting rule
File size:391'214 bytes
First seen:2023-02-24 12:06:41 UTC
Last seen:2023-02-27 13:57:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'512 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 6144:G/QiQXCXWm+ksmpk3U9jW1U4P9bkGnrabJ4IcPjsdURNxA+B9HzQnQa421f/hPoX:+Qi3Xt6m6URA3PhknlRcbQZkTQpNhPoX
Threatray 285 similar samples on MalwareBazaar
TLSH T134841287A2988479D0B2EBB41F3AD64516277F201DB42449B6ECDC9D4FBB3C056493B3
TrID 75.1% (.EXE) Inno Setup installer (109740/4/30)
9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 30f0ccccccccf030 (1 x ManusCrypt)
Reporter andretavare5
Tags:exe ManusCrypt


Avatar
andretavare5
Sample downloaded from https://s3.eu-central-1.wasabisys.com/joujma/ssfth/Bolt.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-02-24 12:09:42 UTC
Tags:
installer loader evasion trojan sinkhole opendir
Link:
https://app.any.run/tasks/75e8f2bb-ef34-4a73-ab33-25becf7971d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Nymaim
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369398/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Searching for synchronization primitives
Adding an access-denied ACE
Launching a process
Searching for the browser window
Searching for the window
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f8a868589e1e4c5bd8b0ec/reports/9986af19-6149-4b9f-b128-f4c1ff32e03d/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92e6fd77-d21f-49be-83f2-2f5df6214762
Result
Threat name:
Fabookie, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181801
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected VMProtect packer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 814632 Sample: file.exe Startdate: 24/02/2023 Architecture: WINDOWS Score: 100 89 www.pxolp.xyz 2->89 91 xv.yxzgamen.com 2->91 93 43 other IPs or domains 2->93 135 Snort IDS alert for network traffic 2->135 137 Multi AV Scanner detection for domain / URL 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 13 other signatures 2->141 11 file.exe 2 2->11         started        15 Megulifaexi.exe 2->15         started        17 Megulifaexi.exe 2->17         started        signatures3 process4 file5 79 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 11->79 dropped 147 Obfuscated command line found 11->147 19 file.tmp 3 19 11->19         started        signatures6 process7 dnsIp8 95 130.117.252.32, 49712, 80 BLUEARCHIVE-ZONE-1US United States 19->95 97 s3.eu-central-1.wasabisys.com 19->97 63 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 19->63 dropped 65 C:\Users\user\AppData\Local\Temp\...\Bolt.exe, PE32 19->65 dropped 67 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 19->67 dropped 69 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->69 dropped 23 Bolt.exe 22 18 19->23         started        28 chrome.exe 19->28         started        file9 process10 dnsIp11 101 connectini.net 37.230.138.123, 443, 49715, 49723 ROCKETTELECOM-ASRU Russian Federation 23->101 103 360devtracking.com 37.230.138.66, 49722, 49769, 80 ROCKETTELECOM-ASRU Russian Federation 23->103 105 5 other IPs or domains 23->105 71 C:\Users\user\AppData\...\Wifiwyjory.exe, PE32 23->71 dropped 73 C:\Users\user\AppData\...\Lukisygyto.exe, PE32 23->73 dropped 75 C:\Program Files (x86)\...\Megulifaexi.exe, PE32 23->75 dropped 77 3 other malicious files 23->77 dropped 143 Multi AV Scanner detection for dropped file 23->143 145 Machine Learning detection for dropped file 23->145 30 Wifiwyjory.exe 14 4 23->30         started        35 Lukisygyto.exe 14 17 23->35         started        file12 signatures13 process14 dnsIp15 107 google.com 142.250.74.206 GOOGLEUS United States 30->107 109 connectini.net 30->109 81 C:\Users\user\AppData\Local\...\JavHa.exe, PE32 30->81 dropped 83 C:\Users\user\AppData\Local\...\handdiy_3.exe, PE32 30->83 dropped 85 C:\Users\user\AppData\Local\...\gcleaner.exe, PE32 30->85 dropped 87 2 other malicious files 30->87 dropped 127 Antivirus detection for dropped file 30->127 129 Multi AV Scanner detection for dropped file 30->129 131 Creates HTML files with .exe extension (expired dropper behavior) 30->131 111 www.google.com 142.250.181.228, 443, 49724, 49816 GOOGLEUS United States 35->111 113 connectini.net 35->113 133 Machine Learning detection for dropped file 35->133 37 chrome.exe 35->37         started        40 chrome.exe 35->40         started        42 chrome.exe 35->42         started        44 45 other processes 35->44 file16 signatures17 process18 dnsIp19 99 192.168.2.1 unknown unknown 37->99 46 chrome.exe 37->46         started        49 chrome.exe 37->49         started        51 chrome.exe 40->51         started        53 chrome.exe 42->53         started        55 chrome.exe 44->55         started        57 chrome.exe 44->57         started        59 chrome.exe 44->59         started        61 11 other processes 44->61 process20 dnsIp21 115 www.profitabletrustednetwork.com 173.233.137.44, 443, 49735, 49738 SERVERS-COMUS United States 46->115 117 vexacion.com 139.45.197.236, 49737, 49739, 49745 RETN-ASEU Netherlands 46->117 125 3 other IPs or domains 46->125 119 173.233.137.36, 443, 49741, 49742 SERVERS-COMUS United States 49->119 121 directdexchange.com 35.201.70.46, 443, 49749, 49750 GOOGLEUS United States 49->121 123 www.directdexchange.com 49->123
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-02-24 12:07:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
14 of 25 (56.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5janaxeb2j5mmgcdzk63v5c2qe2hvycy2erjgabrhil3mfb7gxrq._file
Verdict:
malicious
Similar samples:
35f0970d4b7b24b2180d36be0cfc8a1678f071077d6d4e34b0461da55658eb43
ManusCrypt
5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
ManusCrypt
7ca44b0fffbf47b3d0ab869ca137832224aa3d6d98c29e86587f2defe98585ae
ManusCrypt
8b1813aef6ef673d4a0973bbf426857d251c21e71889376ba581652b5e56e4f3
ManusCrypt
93578a9c7067f5a2f64f200756d817d16fc4e021878ac768b3d5aa847c2af2e8
ManusCrypt
a5a259c2d8f0eb4dde69a6d7131f86c36df3f5d75989f1c6888881cdf7bb6299
ManusCrypt
f5302b9e1f7a2c2c69ce10c5975d4ceee06a7cec5a9b834fd63dece231838fe7
ManusCrypt
+ 275 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:lgoogloader family:pseudomanuscrypt family:rhadamanthys family:socelars downloader evasion loader persistence spyware stealer vmprotect
Link:
https://tria.ge/reports/230224-paa9xada9x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
VMProtect packed file
Downloads MZ/PE file
Drops file in Drivers directory
Checks for common network interception software
Detect rhadamanthys stealer shellcode
Detects LgoogLoader payload
Detects PseudoManuscrypt payload
GCleaner
LgoogLoader
Process spawned unexpected child process
PseudoManuscrypt
Rhadamanthys
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
https://hdbywe.s3.us-west-2.amazonaws.com/sfasue20/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/59ae43da-7b7d-4ff0-986c-ec2e6a7d2504/
SH256 hash:
5dd0820ec97a936b25ab744fdb60f28844efe8b97902fa50dcd1cc23ed48e15c
MD5 hash:
2d869b65d7ed68f5f29b0f62ad3ef90a
SHA1 hash:
53a839addce43d05d144e6b13ea200e9d2cf3e23
Link:
https://www.unpac.me/results/59ae43da-7b7d-4ff0-986c-ec2e6a7d2504/
SH256 hash:
ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3
MD5 hash:
fb795346665ad27af95872302e838827
SHA1 hash:
d0052de58344afe56ca0db5827fb5b713d568cdf
Link:
https://www.unpac.me/results/59ae43da-7b7d-4ff0-986c-ec2e6a7d2504/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea40d05c81d27ac61843cabdbaf45a81347ae058d1229300313a17b6143f35e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAS_Malware_Hunting
Create hunting rule
Author:Michael Reinprecht
Description:DEMO CAS YARA Rules for sample2.exe
Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:MALWARE_Win_Chebka
Create hunting rule
Author:ditekSHen
Description:Detects Chebka
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_XORed_MSDOS_Stub_Message
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious XORed MSDOS stub message
Reference:https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
Rule name:Windows_Trojan_Generic_a681f24a
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/369398/
  
URLhaus
https://urlhaus.abuse.ch/url/2549981/

Comments