MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d9405548942090984d59adfffb9147189629080d9086598c31c7770a254505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10


SHA256 hash: 10d9405548942090984d59adfffb9147189629080d9086598c31c7770a254505
SHA3-384 hash: c9e5a1ffd615e55cabfc058260e19731a49657327142ff79e412a313efabbc2824d3ea8a5e35f423dacdaf070d28d145
SHA1 hash: 9ca01e0f4db42108fc93d76cf38fd678735769d2
MD5 hash: 348a041f9b068f5ce4ae2b283e89cc77
humanhash: pizza-whiskey-victor-illinois
File name: pro.lnk
File size: 2'594 bytes
First seen: 2025-05-30 08:17:57 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8Ayw/BHYVKVWf+/CWeO8YpH8OjCABx3ISdsrsysh6FtmVdd79dsH/nBWq:8y5axZYpHbjSQVh6FtmVdJ9UnBWq
TLSH: T1985143280AF202FEF673D7B99BF573B24526FB92CD218ABC108123450222510F4A3F76
Magika: lnk
Reporter: abuse_ch
Tags: lnk

Intelligence

File Origin
# of uploads: 1
# of downloads: 68
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: xtreme shell agent

Result
Verdict: Malicious
File Type: LNK File - Malicious

Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 evasive lolbin masquerade mshta powershell

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100

Signature
.NET source code contains potential unpacker
.NET source code contains suspicious base64 encoded strings
Creates processes via WMI
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Uses threadpools to delay analysis
Windows shortcut file (LNK) starts blacklisted processes

Behaviour
Behavior Graph:
Behavior Graph ID: 1702161 | Sample: pro.lnk | Startdate: 30/05/2025 | Architecture: WINDOWS | Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for dropped file; 9 other signatures
Process tree (recovered from the graph image):
  pro.lnk
    cmd.exe  [Windows shortcut file (LNK) starts blacklisted processes]
      mshta.exe  [Encrypted powershell cmdline option found; Creates processes via WMI; Uses threadpools to delay analysis]
        powershell.exe  [Loading BitLocker PowerShell Module]
          dropped: C:\Users\user\AppData\Roaming\g2m.dll (PE32), C:\Users\user\AppData\Roaming\aa.exe (PE32)
          aa.exe  [network: 179.43.176.79:443 (PLI-ASCH, Panama)]
            dropped: C:\Users\user\AppData\Local\Temp\...\g2m.dll (PE32), C:\Users\user\7946dc3643\g2m.dll (PE32)
          conhost.exe
        powershell.exe
          aa.exe
            WerFault.exe
          conhost.exe
      conhost.exe
    powershell.exe  [Encrypted powershell cmdline option found; Powershell drops PE file]
      powershell.exe  [Windows shortcut file (LNK) starts blacklisted processes; Loading BitLocker PowerShell Module]
        mshta.exe  [network: 54.226.224.138 ports 49718, 49719, 49720 (AMAZON-AESUS, United States); Creates processes via WMI]
      conhost.exe
Threat name: Shortcut.Trojan.Pantera
Status: Malicious
First seen: 2025-05-30 07:14:35 UTC
File Type: Binary
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Verdict: malicious
Label(s): donut_injector
Similar samples: n/a

Result
Malware family: n/a
Score: 10/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request

Malware Config
Dropper Extraction: http://54.226.224.138/core/coo.mp4

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Shortcut (lnk) 10d9405548942090984d59adfffb9147189629080d9086598c31c7770a254505 (this sample)

Delivery method
Distributed via web download
