MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Patchwork

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd
SHA3-384 hash:	1f09ada6e4ae521f3bbf56dfb888ab3a88d4c7568570dac2ef2947adaf0dc54296d9595cd6402b00c0751c5baf00f08a
SHA1 hash:	5cf716dc70a0de1656b933c5ac2b1b56bae29f7f
MD5 hash:	dcde2aa7d290cf696c8070207577610e
humanhash:	july-xray-carbon-berlin
File name:	Report_2026.lnk
Download:	download sample
Signature	Patchwork Create hunting rule
File size:	3'762 bytes
First seen:	2026-04-15 14:02:57 UTC
Last seen:	Never
File type:	lnk
MIME type:	application/x-ms-shortcut
ssdeep	48:8oruaFktOJRLurzOAGitbD+sqddKHYd0Y9XuHQBqiYLq4:8orXgOzurzOap6sXTY1um3YLq
TLSH	T17A717B0427F60254F7B34B3EA8FFA25155767D5CFE319A9D02A0D1480CE5619E83AF2B
Magika	lnk
Reporter	smica83
Tags:	apt lnk Patchwork

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

LNK

Details

LNK

a command line and any observed urls

Link:

https://research.acce.ciphertechsolutions.com/results/4c839717-6224-4fde-bc59-63e4f22d75b1/

Detection(s):

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

SecuriteInfo.com.LNK.PowerShell.Download-4.UNOFFICIAL

Sanesecurity.Malware.30776.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69df9aa5f68adfe1003a15c9

Tags:

autorun shell sage blic

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug evasive fingerprint lolbin macros masquerade packed powershell schtasks

Link:

https://www.filescan.io/uploads/69df9aa85ea31bc68a2d19d1/reports/3a5551b5-b0b9-4a5d-87f1-0c48d27fcfcb/overview

Verdict:

Malicious

Labled as:

LNK/TrojanDownloader.Agent

Link:

https://www.hybrid-analysis.com/sample/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd

Result

Gathering data

Verdict:

Clean

File Type:

lnk

Link:

https://opentip.kaspersky.com/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd

Threat name:

Shortcut.Trojan.Generic

Status:

Suspicious

First seen:

2026-04-15 14:04:12 UTC

File Type:

Binary

AV detection:

5 of 36 (13.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=arozsxpotm73ucaecw7flsjs6jcvqlce24beh7b7x4axj7jusw6q._file

Verdict:

malicious

Label(s):

patchworkrat

Similar samples:

error

Patchwork

Result

Malware family:

n/a

Score:

8/10

Tags:

adware discovery execution persistence spyware

Link:

https://tria.ge/reports/260415-rc7r1agt7l/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Badlisted process makes network request

Downloads MZ/PE file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/045d995dee9b3fba080415be55c932f245582c44d70243fc3fbf0174fd3495bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	Detect_Remcos_RAT Create hunting rule
Author:	daniyyell
Description:	Detects Remcos RAT payloads and commands

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PDF_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample