MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MuckStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a
SHA3-384 hash: 8ac8aa0a05f39be690d8ce3837e35ceb0dd1ad5a0661b527deaa9806a3b17415c41c752340c875c464fb125aaae77391
SHA1 hash: 2f138f18d57a8f5633b952ea5abd6074459bdae0
MD5 hash: 64ff7bfcea29963681fa0017f3811983
humanhash: yellow-leopard-north-utah
File name:Mandatory_Compliance_Notice.txt.lnk
Download: download sample
Signature MuckStealer
Create hunting rule
File size:61'613 bytes
First seen:2025-12-10 22:58:18 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 1536:jafW6pTEZ43eXLsOqbDmm/JG/W0IstFBWIor:jeW6pTE+OZyDb/JG/iSFBWIor
TLSH T1DD53F11609A1836ED571CC71B9C526094A73F8AAEB31EB29484E66434FC3C3E351D73D
Magika lnk
Reporter smica83
Tags:lnk MuckStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/dd976ecf-2cb0-482e-881b-ddf700050c9f/
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.32317.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30774.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD._OUTFILE.220426B64.1.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939fb45a675b653bd0feb3e
Tags:
xtreme shell sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a
Verdict:
Malicious
File Type:
lnk
First seen:
2025-12-04T03:46:00Z UTC
Last seen:
2025-12-10T20:21:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic Trojan.WinLNK.Agent.sb HEUR:Trojan.WinLNK.ZDI-CAN-25373.gen HEUR:Trojan.WinLNK.Powecod.e HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Powecod.a
Link:
https://opentip.kaspersky.com/1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a/results?tab=lookup
Result
Threat name:
Python Stealer, Muck Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830639
Signature
Found pyInstaller with non standard icon
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Generic Python Stealer
Yara detected LNK With Padded Argument
Yara detected Muck Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830639 Sample: Mandatory_Compliance_Notice... Startdate: 11/12/2025 Architecture: WINDOWS Score: 100 34 gitlab.com 2->34 36 discord.com 2->36 46 Malicious sample detected (through community Yara rule) 2->46 48 Windows shortcut file (LNK) starts blacklisted processes 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 8 powershell.exe 17 33 2->8         started        13 OpenWith.exe 18 6 2->13         started        signatures3 process4 dnsIp5 40 gitlab.com 172.65.251.78, 443, 49689 CLOUDFLARENETUS United States 8->40 24 C:\Users\user\AppData\...\W9Z6Gosv32.exe, PE32+ 8->24 dropped 54 Found suspicious powershell code related to unpacking or dynamic code loading 8->54 56 Powershell drops PE file 8->56 15 W9Z6Gosv32.exe 111 8->15         started        19 conhost.exe 1 8->19         started        file6 signatures7 process8 file9 26 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 15->26 dropped 28 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 15->28 dropped 30 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 15->30 dropped 32 69 other malicious files 15->32 dropped 42 Multi AV Scanner detection for dropped file 15->42 44 Found pyInstaller with non standard icon 15->44 21 W9Z6Gosv32.exe 15->21         started        signatures10 process11 dnsIp12 38 discord.com 162.159.136.232, 443, 49694 CLOUDFLARENETUS United States 21->38
Verdict:
Malware
YARA:
3 match(es)
Tags:
Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:powershell.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/64ff7bfcea29963681fa0017f3811983
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a/
Verdict:
Malicious
Threat:
Trojan.Multi.Powecod
Link:
https://tip.neiki.dev/file/1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a
Threat name:
Shortcut.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 03:32:00 UTC
File Type:
Binary
Extracted files:
1
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dosdwx6cfc7hehfvookofueztxn36ngqzngabgmlzysb5na4krva._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
credential_access defense_evasion discovery execution pyinstaller spyware stealer
Link:
https://tria.ge/reports/251210-2yg4kssqfk/
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1ba43b5fc228/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXT_EXPL_ZTH_LNK_EXPLOIT_A
Create hunting rule
Author:Peter Girnus
Description:This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference:https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:Long_RelativePath_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name:PDF_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

MuckStealer

Shortcut (lnk) lnk 1ba43b5fc228be721cb57394e2d0999ddbbf34d0cb4c00998bce241eb41c546a

(this sample)

MuckStealer

Executable exe b61ee518ba44e1fdc1689a56a8d765f10af2f9ddece7da07f8765ddd8ca41673

  
Dropping
SHA256 b61ee518ba44e1fdc1689a56a8d765f10af2f9ddece7da07f8765ddd8ca41673
  
Dropping
MD5 969dc1413c1b82a6281f9db6e1a8bc60

Comments