MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c
SHA3-384 hash: 140208176abd76ea111f58057dae44abba874818f403e973dc6b417d87794028e69c30f520400a4590d76166933d6f19
SHA1 hash: ac23ca802b5c13fb3b74c49ac095add6d53ffc27
MD5 hash: 36f9ef1c2594e6c20d78611388703abb
humanhash: butter-pip-tennessee-north
File name:manual.pdf.lnk
Download: download sample
Signature MetaStealer
Create hunting rule
File size:2'965 bytes
First seen:2025-10-28 07:22:34 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8tJfIA5f3JMAyx+/5++y2Wnm2YLMu/Sbdd+5Cww9dsquWgncWgssqMmkZ:8T3PNnyxnmpLMu2dyRw9ducBBZ
TLSH T12551F11127E90769E3F35E3F58B6DB158937F886DE21CD5C029141481866B41EC34FBB
Magika lnk
Reporter abuse_ch
Tags:lnk metastealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaymsiexec.20231121.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADayDownloaders.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69000e2a5de5ca27075318e5
Tags:
dropper virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c/results/dashboard
Payload URLs
URL
File name
https://anydesk.com
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
BZC.YAX.Mole.3.3B09E935;BZC.YAX.Mole.3
Link:
https://www.hybrid-analysis.com/sample/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c
Verdict:
Malicious
File Type:
lnk
First seen:
2025-10-27T19:30:00Z UTC
Last seen:
2025-10-28T06:59:00Z UTC
Hits:
~100
Detections:
Trojan.WinLNK.Agent.sb HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Runner.n HEUR:Trojan.Multi.Runner.e
Link:
https://opentip.kaspersky.com/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c/results?tab=lookup
Result
Threat name:
MalLnk
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802991
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802991 Sample: manual.pdf.lnk Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 55 anydesck.net 2->55 71 Antivirus detection for URL or domain 2->71 73 Antivirus detection for dropped file 2->73 75 Windows shortcut file (LNK) starts blacklisted processes 2->75 77 6 other signatures 2->77 9 msiexec.exe 3 11 2->9         started        12 cmd.exe 2 2->12         started        14 msedge.exe 113 468 2->14         started        signatures3 process4 dnsIp5 53 C:\Windows\Installer\MSI98F3.tmp, PE32 9->53 dropped 17 msiexec.exe 5 9->17         started        19 curl.exe 2 12->19         started        22 msedge.exe 9 12->22         started        24 taskkill.exe 1 12->24         started        34 2 other processes 12->34 67 192.168.2.7, 138, 443, 49627 unknown unknown 14->67 69 239.255.255.250 unknown Reserved 14->69 26 msedge.exe 106 14->26         started        28 msedge.exe 14->28         started        30 msedge.exe 14->30         started        32 msedge.exe 14->32         started        file6 process7 dnsIp8 36 expand.exe 8 17->36         started        39 icacls.exe 1 17->39         started        41 out1.exe 17->41         started        57 anydesck.net 87.120.219.100, 443, 49683 NET1-ASBG Bulgaria 19->57 59 127.0.0.1 unknown unknown 19->59 43 msedge.exe 22->43         started        61 18.172.170.97, 443, 49739 MIT-GATEWAYSUS United States 26->61 63 part-0042.t-0009.fb-t-msedge.net 13.107.226.70, 443, 49686 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->63 65 42 other IPs or domains 26->65 process9 file10 49 C:\Users\user~1\AppData\...\fhst.exe (copy), PE32 36->49 dropped 51 C:\...\a410545817cb1e47a65d5fad62eed35c.tmp, PE32 36->51 dropped 45 conhost.exe 36->45         started        47 conhost.exe 39->47         started        process11
Verdict:
Malware
YARA:
2 match(es)
Tags:
Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/36f9ef1c2594e6c20d78611388703abb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c/
Verdict:
Malicious
Threat:
Trojan.Multi.Runner
Link:
https://tip.neiki.dev/file/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c
Threat name:
Shortcut.Trojan.MetaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-28 00:28:28 UTC
File Type:
Binary
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hklfcqe5vwbbfce66kln2zymnmxxs76ddsrh74hkoalfq5xotzga._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251028-jdll6aek3s/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_Malicious_Nov1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious LNK file
Reference:https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PDF_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Shortcut (lnk) lnk 3a9651409dad8212889ef296dd670c6b2f797fc31ca27ff0ea70165876ee9e4c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3687888/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3687889/

Comments