MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115
SHA3-384 hash: 4db1bcb4e905f7319171cc67ee5e469ca851730af5b995d748370be2cc1735831f05543d14b8c068c2e04d603bd2099d
SHA1 hash: 7976c50fc68c29dcc7ebc923aefdef731e322b38
MD5 hash: 36c57f247dcda3048ad2cec9ea80dcb0
humanhash: fifteen-friend-kitten-nitrogen
File name:DHL RECEIPT.lnk
Download: download sample
File size:3'170 bytes
First seen:2025-03-18 22:43:02 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8W0xJLCZI5n6RwvKiI8W2ALOWkp+/CW2WiPMov3A/ZJPyX1BfuwqvNEG3Ong+4ZE:8W8yO6Y8tBo/A3gmohnOsi1MO6
Threatray 1'369 similar samples on MalwareBazaar
TLSH T1D65197140AF6231CE6B3AF75A8F9A25199B7BD15AE30AA9E011D42494B13A04DC61F3E
Magika lnk
Reporter smica83
Tags:lnk ZDI-CAN-25373

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d9f8b608116ce42572483c
Tags:
downloader obfuscate xtreme
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autorun dropper evasive masquerade obfuscated packed powershell powershell
Link:
https://www.filescan.io/uploads/67d9f7020a7899f3579cb51a/reports/d3910b2f-ba1c-4b01-86a2-3fca63bfa0bc/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1642181
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found potential ransomware demand text
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1642181 Sample: DHL RECEIPT.lnk Startdate: 18/03/2025 Architecture: WINDOWS Score: 100 56 wittenhorst.eu 2->56 58 havajel.com 2->58 60 ip-api.com 2->60 78 Suricata IDS alerts for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 21 other signatures 2->84 9 powershell.exe 14 22 2->9         started        14 JtRjWrtCUi.exe 2->14         started        signatures3 process4 dnsIp5 62 havajel.com 87.107.190.209, 49722, 80 SINET-ASAccessServiceProviderIR Iran (ISLAMIC Republic Of) 9->62 54 C:\Users\user\AppData\Local\...\Any Name.exe, PE32 9->54 dropped 86 Found suspicious powershell code related to unpacking or dynamic code loading 9->86 88 Powershell drops PE file 9->88 16 Any Name.exe 6 9->16         started        20 conhost.exe 1 9->20         started        90 Antivirus detection for dropped file 14->90 92 Multi AV Scanner detection for dropped file 14->92 94 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->94 96 5 other signatures 14->96 22 JtRjWrtCUi.exe 14->22         started        24 schtasks.exe 14->24         started        file6 signatures7 process8 file9 50 C:\Users\user\AppData\...\JtRjWrtCUi.exe, PE32 16->50 dropped 52 C:\Users\user\AppData\Local\...\tmpE9DC.tmp, XML 16->52 dropped 68 Windows shortcut file (LNK) starts blacklisted processes 16->68 70 Found potential ransomware demand text 16->70 72 Adds a directory exclusion to Windows Defender 16->72 74 Injects a PE file into a foreign processes 16->74 26 Any Name.exe 17 37 16->26         started        30 powershell.exe 23 16->30         started        32 powershell.exe 23 16->32         started        34 schtasks.exe 1 16->34         started        76 Tries to harvest and steal browser information (history, passwords, etc) 22->76 36 WerFault.exe 22->36         started        38 conhost.exe 24->38         started        signatures10 process11 dnsIp12 64 wittenhorst.eu 185.104.29.236, 443, 49724, 49726 AS-ZXCSNL Netherlands 26->64 66 ip-api.com 208.95.112.1, 49723, 49725, 80 TUT-ASUS United States 26->66 98 Found potential ransomware demand text 26->98 100 Loading BitLocker PowerShell Module 30->100 40 conhost.exe 30->40         started        42 WmiPrvSE.exe 30->42         started        44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 38->48         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115/
Threat name:
Shortcut.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-03-13 16:22:28 UTC
File Type:
Binary
AV detection:
21 of 36 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d4tjcbiseuo4jpocjmea67dcpuf3jng6llguw6wuvmbevyum2ekq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
0d0c947d97036bcc46f7527e5a3953889c2ff2de32d503e463fbfa19d035716d
59ca67046d065f0fd86ed3ccc7b41aa3168e5557523644fcba23d1ac65ce69d8
810e347b05bec3d24178a9f5330d73d85b67f28c6e5e7d82c254743619dd0d0c
bdd593a14e314a4d2eb88cf200aa86623ca10b44d4160b2204084517a0992d99
error
f9f4df8b0dec45180e507d5fb6fdfd852823cbbad16cd662950d0b748a6baff0
fb171513b327007051a9d8f18b06c92bbf33577034060dc0a725a57eba5c03a0
+ 1'359 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution spyware stealer
Link:
https://tria.ge/reports/250318-2naazssrt3/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Malware Config
Dropper Extraction:
http://havajel.com/wp-includes/SimplePie/src/xppKfiaoWD.exe
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1f2691051225/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html?utm_source=trendmicroresearch&utm_medium=smk&utm_campaign=032025_Windows-Shortcut-Zero-Day

Comments