MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23f522dba7422b22ce65103f189f80eaecb15ff179070c0a957d3cc8e0843397. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: 23f522dba7422b22ce65103f189f80eaecb15ff179070c0a957d3cc8e0843397
SHA3-384 hash: 51658863e32cb1783fa1d88304cbd5e2b4d01dd76b6134d0fc46756cece9203deabc266b80fe2bba2a4ddfcabab5bc02
SHA1 hash: 1b3089a761da4a9b7a1bfb485cc857969346ce61
MD5 hash: 4690e59b658afa8fd684bc91928db61f
humanhash: seventeen-jersey-minnesota-tennis
File name: Employment_Verification_Details.lnk
File size: 2'545'432 bytes
First seen: 2026-06-15 17:00:15 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24576:8fujJZoLk2M9GzTnV8weN0XYuuAkhfNC1wWVKbDJt51M/1zR+WNNT9DF2L+09Atn:XJtGywLY7BfawOnv4BFedqfcmhB8
TLSH: T15FC5F8BB5A01ACF62F4114B7888718C51E5C39279CE0F1CB372D296591FDCAB2A3B59C
Magika: lnk
Reporter: abuse_ch
Tags: lnk

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 30
Origin country: SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Tags:
dridex xtreme shell sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug base64 expired-cert fingerprint obfuscated
Verdict:
Malicious
File Type:
lnk
First seen:
2026-06-10T17:45:00Z UTC
Last seen:
2026-06-15T00:37:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Hijacks the control flow in another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS TXT record lookups
Powershell creates an autostart link
Queries DNS domain through GetComputerNameExW (potential sandbox evasion)
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries the IP of a very long domain name
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc.)
Unusual module load detection (module proxying)
Uses certutil -decode
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected LNK With Padded Argument
Yara detected Powershell decode and execute
Behaviour
Behavior Graph (ID 1928208; sample Employment_Verification_Details.lnk; start date 15/06/2026; architecture WINDOWS; score 100). The top node carries Suricata IDS alerts for network traffic, antivirus detection for a dropped file, antivirus / scanner detection for the submitted sample, 11 other signatures and contact with work.officialm.com. The graph shows the following process tree:
- The sample starts powershell.exe, which drops b64_mctsetup64.dll, b64_mctinst64.exe and b64_827E15FA.tmp (all ASCII) under C:\Users\user\AppData\... together with Employment_Verification_Details.pdf (Unicode), uses certutil -decode, creates an autostart link, and then starts mctinst64.exe, two certutil.exe instances and 5 other processes.
- certutil.exe drops C:\ProgramData\mctinst64.exe (PE32+) and C:\ProgramData\827E15FA.tmp (data), and queries the DNS domain through GetComputerNameExW (potential sandbox evasion); another process in the chain drops C:\ProgramData\mctsetup64.dll (PE32+) and starts AcroCEF.exe.
- mctinst64.exe hijacks the control flow in another process, writes to foreign memory regions, allocates memory in foreign processes, tries to detect virtualization through RDTSC time measurements, and starts two raserver.exe instances; one of them hides threads from debuggers.
- raserver.exe queries the IP of very long domain names under update.officialm.com (two shown plus 1507 other IPs or domains), performs DNS TXT record lookups against them, tries to harvest and steal browser information (history, passwords, etc.), and shows unusual module load detection (module proxying).
- AcroCEF.exe spawns a second AcroCEF.exe, which connects to 23.203.183.178 on port 443 (AKAMAI-AS, Akamai Technologies Inc., United States).
Threat name:
Shortcut.Trojan.Ravartar
Status:
Malicious
First seen:
2026-06-11 05:15:27 UTC
File Type:
Binary
Extracted files:
1
AV detection:
22 of 36 (61.11%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
adware defense_evasion discovery execution spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Command and Scripting Interpreter: PowerShell
Deobfuscate/Decode Files or Information
Indicator Removal: File Deletion
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution
Rule name: Detect_Remcos_RAT
Author: daniyyell
Description: Detects Remcos RAT payloads and commands
Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.
Rule name: EXT_EXPL_ZTH_LNK_EXPLOIT_A
Author: Peter Girnus
Description: This YARA rule detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference: https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Rule name: Large_filesize_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) files larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as a decoy in a malicious LNK.
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_Big_Link_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspiciously big LNK file, possibly with embedded content
Reference: Internal Research
Rule name: SUSP_LNK_Big_Link_File_RID2EDD
Author: Florian Roth
Description: Detects a suspiciously big LNK file, possibly with embedded content
Reference: Internal Research
Rule name: SUSP_LNK_lnkfileoverRFC
Author: @Grotezinfosec, modified by Florian Roth
Description: Detects APT LNK files that run double extraction and launch routines with autoruns
Rule name: SUSP_LNK_SuspiciousCommands
Author: Florian Roth (Nextron Systems)
Description: Detects LNK files with suspicious content

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments