MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb38d631b422b9a0d8df8b59e307fb2463a6882e1241f51848fa96bb4b732978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ManusCrypt

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	fb38d631b422b9a0d8df8b59e307fb2463a6882e1241f51848fa96bb4b732978
SHA3-384 hash:	7589761361b9499b74ee12e90de61c3e263ee6e6972ad6441b337c2328440f1eeabf2b7e95ea9999da12c02c3361d1ad
SHA1 hash:	af19d55fe3c6f1e331667ec0ce8d6d38c514a203
MD5 hash:	62e11920f9abfa7c150331967313915c
humanhash:	papa-video-texas-winner
File name:	file
Download:	download sample
Signature	ManusCrypt Create hunting rule
File size:	1'607'568 bytes
First seen:	2022-12-23 14:45:59 UTC
Last seen:	2022-12-24 12:56:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2287f531f7cb0485fc2e763491ad6b2d (1 x ManusCrypt)
ssdeep	24576:zBAq8Buz3yPLShmpiIIWT6sOOK8kQD8nsUshL8R3+gvqsIO3vdSn8y0eYhTOPHam:m/PLShei7W+Q8sUst8ogisJvdSkaPHam
TLSH	T117756000DB78289AD8C701BFE2106FA63C7146B335DC98315D6B16B58F5FAF52BD2688
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0f8eccccce0e4cc (1 x LgoogLoader, 1 x ManusCrypt)
Reporter	andretavare5
Tags:	exe ManusCrypt signed

Code Signing Certificate

Organisation:	nogi.com
Issuer:	R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-12-06T12:23:11Z
Valid to:	2023-03-06T12:23:10Z
Serial number:	0427835f8bff0445c06d54dda04c30152368
Thumbprint Algorithm:	SHA256
Thumbprint:	63d85dc7e3ddc4fe5d5538846d880bd384fa7e7c719e4f426f64d11cc7b3a7a1
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://vk.com/doc151547528_652778970?hash=eRiNZ0pzQHYN19VlLE0Vr6aTgTOw34zJMlpZ0NZYuwT&dl=GE2TCNJUG42TEOA:1671789357:y40mKNf9el39U8ZxXyWqUwjm8vF3iBpuHms2u0pegEc&api=1&no_preview=1#adan

Intelligence

File Origin

# of uploads :

# of downloads :

189

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2022-12-23 14:47:09 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4dbae751-9268-40bf-9237-1b944481ead4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Fragtor.182618.5797.31474.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Launching a process

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63a5bf2c86859058cb31c650/reports/495f2b93-44a8-4982-a5d1-d175ed3987b6/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Sysinternals

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/75fb5588-bcd3-4561-a981-b7ea35105003

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1140056

Signature

Allocates memory in foreign processes

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb38d631b422b9a0d8df8b59e307fb2463a6882e1241f51848fa96bb4b732978/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2022-12-23 10:25:21 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7m4nmmnuek42bwg7rnm6gb73err2ncbocja7kgci7kllws3tff4a._file

Verdict:

malicious

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/221223-r5amzage93/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Detects LgoogLoader payload

LgoogLoader

Unpacked files

SH256 hash:

fa6a68cca2e38538c542a56847e3116ce50ac4902dcb532fad00283dd737ef9d

MD5 hash:

0884cf700c2d7981adeb5335db67c40f

SHA1 hash:

b85cf4c3d4f3f04b5dc43f6daaa507e41dd270a9

Link:

https://www.unpac.me/results/46baaa52-76c0-4788-bd8c-637c853f2b1e/

SH256 hash:

fb38d631b422b9a0d8df8b59e307fb2463a6882e1241f51848fa96bb4b732978

MD5 hash:

62e11920f9abfa7c150331967313915c

SHA1 hash:

af19d55fe3c6f1e331667ec0ce8d6d38c514a203

Link:

https://www.unpac.me/results/46baaa52-76c0-4788-bd8c-637c853f2b1e/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/fb38d631b422/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.92

Link:

https://yomi.yoroi.company/submissions/fb38d631b422b9a0d8df8b59e307fb2463a6882e1241f51848fa96bb4b732978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_Chebka Create hunting rule
Author:	ditekSHen
Description:	Detects Chebka

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	SUSP_XORed_MSDOS_Stub_Message Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious XORed MSDOS stub message
Reference:	https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

Rule name:	Windows_Trojan_Generic_a681f24a Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample