MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2
SHA3-384 hash: 1e6c1b1ef7b8e9a8ae48c86d160850b5bb589ae095b167c60577ba035ae185270b8a453051cc310a2920961b7dc92819
SHA1 hash: 0ec99eec92afbc5755b96313ff11b7ea80d73494
MD5 hash: d8bbb7de0667cf2046794d650d96db1b
humanhash: zebra-emma-mississippi-texas
File name:wede.lnk
Download: download sample
File size:2'472 bytes
First seen:2025-05-30 11:02:39 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8lw/BHYVKVWv+/CWeO/qGjkh/r57q1jsrsysh6FtmVdd79dsrabAH:825ahOqkkh/Z7QVh6FtmVdJ9AaE
Threatray 92 similar samples on MalwareBazaar
TLSH T1C45178241AF202E9F3778779ABF473B28936FA92CD254A7C008113801622550F8A3F3B
Magika lnk
Reporter abuse_ch
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
52
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68399267acf88f5815e8fca4
Tags:
ransomware xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive lolbin masquerade mshta powershell
Link:
https://www.filescan.io/uploads/6839908de336a33801e0abbc/reports/9cb51878-0765-4fbc-b3e3-e71753cb6807/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/LNK.Agent
Link:
https://www.hybrid-analysis.com/sample/388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702247
Signature
Creates processes via WMI
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suricata IDS alerts for network traffic
Uses threadpools to delay analysis
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1702247 Sample: wede.lnk Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 56 neriverfeaitz.com 2->56 58 x1.i.lencr.org 2->58 60 6 other IPs or domains 2->60 76 Suricata IDS alerts for network traffic 2->76 78 Windows shortcut file (LNK) starts blacklisted processes 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 6 other signatures 2->82 12 powershell.exe 11 2->12         started        15 cmd.exe 1 2->15         started        signatures3 process4 signatures5 88 Windows shortcut file (LNK) starts blacklisted processes 12->88 90 Encrypted powershell cmdline option found 12->90 92 Powershell drops PE file 12->92 17 powershell.exe 23 12->17         started        20 conhost.exe 1 12->20         started        22 mshta.exe 16 15->22         started        24 conhost.exe 15->24         started        process6 signatures7 68 Windows shortcut file (LNK) starts blacklisted processes 17->68 70 Loading BitLocker PowerShell Module 17->70 26 mshta.exe 15 17->26         started        72 Creates processes via WMI 22->72 74 Uses threadpools to delay analysis 22->74 process8 dnsIp9 62 neriverfeaitz.com 104.21.50.173, 443, 49685, 49686 CLOUDFLARENETUS United States 26->62 84 Encrypted powershell cmdline option found 26->84 86 Creates processes via WMI 26->86 30 powershell.exe 17 18 26->30         started        34 powershell.exe 26->34         started        signatures10 process11 dnsIp12 64 the.earth.li 93.93.131.124, 443, 49690, 49691 MYTHICMythicBeastsLtdGB United Kingdom 30->64 52 C:\ProgramData\putty.exe, PE32+ 30->52 dropped 36 Acrobat.exe 18 75 30->36         started        38 conhost.exe 30->38         started        40 putty.exe 30->40         started        42 conhost.exe 34->42         started        44 Acrobat.exe 34->44         started        file13 process14 process15 46 AcroCEF.exe 36->46         started        dnsIp16 66 e8652.dscx.akamaiedge.net 23.73.185.64, 49696, 80 AKAMAI-ASUS United States 46->66 49 AcroCEF.exe 46->49         started        process17 dnsIp18 54 96.7.168.138, 443, 49699 INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR United States 49->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2/
Threat name:
Shortcut.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-28 11:24:59 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcdsnpimai6orcwee7aptwzyrxe23aqdp5zo5cz5vr2oklccagza._file
Verdict:
malicious
Label(s):
admintool_putty
Create hunting rule
Similar samples:
06a6d58847363dd6ed52ce481e7e95fd5050109ec118a18eff7323320c910dff
25f790aff251cb2f90781001561abcff269aef9e0b866456924f94c5c4b88b88
351b5c9092ecaa94f3ee0c2e70bea5ef5babc18634fadfad26826a49e5fd0e10
591c5830b814217b6372a2b9c4bf1426361affe0014423bfe7d975edfbf99eec
8232a11066fe5a6f552302da37f9b4e42f313bbeaf51f86c61fbf84bd95b1ca9
c75fcc89a5ff08c2b6b8a70d46f01c988c7d61e345e3f19d16be6d4f731b75bc
ce75f9dede6d4e93549d35b816898113b6befab9ef0aadf8949d4887c2c34bea
ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
error
+ 82 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250530-m5xqaa1js6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
https://neriverfeaitz.com/12.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Shortcut (lnk) lnk 388726bd0c023ce88ac427c0f9db388dc9ad82037f72ee8b3dac74e52c4201b2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3554560/
  
Delivery method
Distributed via web download

Comments