MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43
SHA3-384 hash: 3408f29e1f898bb30d16000b8f2549eadf4775c3344ea41040f0edb445275c92f26873540caa1ffc2e7cff7e94219e22
SHA1 hash: 5a4283b11e78beac751d3acd5c6203888935672b
MD5 hash: 35750cc292cf2f56fceb22dade3d8870
humanhash: ceiling-georgia-sink-mobile
File name:Договір _2025.lnk
Download: download sample
File size:703 bytes
First seen:2025-06-20 11:38:53 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 12:8vKuxiyBm/qjIVSX6fHufbD9aGoiqKBISzlWlK8NmgiNN4URXvUR7/:8iuxYyMexaZKISJWQ8NmVqUtUt/
TLSH T1C5014C122FD68915E1B78D79847FA70C897CBAA2CE02D7BE001925294CA0600ED69667
Magika lnk
Reporter Anonymous
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.27608.18699.UNOFFICIAL
Create hunting rule

TwinWave.EviLNK.PKillLnkMSHTA.20220823.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68552dc4511de2c8101b16e9
Tags:
ransomware shellcode blic
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43/results/dashboard
Payload URLs
URL
File name
https://secfileshare.com/5.hta
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin mshta obfuscated
Link:
https://www.filescan.io/uploads/685548813faf8fcd7d383da2/reports/d0eccad3-0c6f-460c-aced-3a73ae811017/overview
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1719327
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Base64 MZ Header In CommandLine
Sigma detected: Execution from Suspicious Folder
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1719327 Sample: #U0414#U043e#U0433#U043e#U0... Startdate: 20/06/2025 Architecture: WINDOWS Score: 100 40 secfileshare.com 2->40 42 s-0005.dual-s-msedge.net 2->42 44 3 other IPs or domains 2->44 58 Malicious sample detected (through community Yara rule) 2->58 60 Windows shortcut file (LNK) starts blacklisted processes 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 13 other signatures 2->64 9 mshta.exe 18 2->9         started        13 adblocker.exe 2->13         started        16 adblocker.exe 2->16         started        signatures3 process4 dnsIp5 38 C:\Users\Public\Documents\install.exe, PE32+ 9->38 dropped 74 Renames powershell.exe to bypass HIPS 9->74 18 install.exe 18 19 9->18         started        52 192.0.0.100 unknown Reserved 13->52 54 192.0.0.101 unknown Reserved 13->54 56 52 other IPs or domains 13->56 22 WerFault.exe 13->22         started        24 WerFault.exe 16->24         started        file6 signatures7 process8 file9 36 C:\Users\user\AppData\Local\...\adblocker.exe, PE32 18->36 dropped 66 Powershell is started from unusual location (likely to bypass HIPS) 18->66 68 Found suspicious powershell code related to unpacking or dynamic code loading 18->68 70 Reads the Security eventlog 18->70 72 Reads the System eventlog 18->72 26 adblocker.exe 15 4 18->26         started        30 WINWORD.EXE 127 93 18->30         started        32 conhost.exe 18->32         started        signatures10 process11 dnsIp12 46 192.0.0.1 unknown Reserved 26->46 48 192.0.0.11 unknown Reserved 26->48 50 44 other IPs or domains 26->50 76 Multi AV Scanner detection for dropped file 26->76 34 WerFault.exe 26->34         started        signatures13 process14
Verdict:
Malware
YARA:
2 match(es)
Tags:
LNK LNK: Script Execution Malicious MSHTA T1218 T1218.005
Link:
https://app.malva.re/file/35750cc292cf2f56fceb22dade3d8870
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43/
Threat name:
Win32.Trojan.DangerousPasswordLazarus
Create hunting rule
Status:
Malicious
First seen:
2025-06-19 16:08:59 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pdfeuovgulktovtepof6ly6dksngon3d7hxruywliprow55etzbq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence spyware stealer
Link:
https://tria.ge/reports/250620-nshw2ayzds/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Network Service Discovery
Network Share Discovery
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://secfileshare.com/5.hta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Shortcut (lnk) lnk 78ca4a3aa6a2d53756647b8be5e3c3549a673763f9ef1a62cb43e2eb77a49e43

(this sample)

Executable exe f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0

  
Dropping
SHA256 f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0
  
Dropping
MD5 3f41b99fe4dda40d0b207061572de023

Comments