MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773
SHA3-384 hash:	bbf6924bafde943eacb4464fa32ce1ff85f7b6476f60d6b3c4a1c39673fa55081efbecd7f63f2114202fd9f15c386ff0
SHA1 hash:	69dbf7c234404dab3689c419f42009d8f58ca61a
MD5 hash:	123b3bd746f1c889826a443143d1f004
humanhash:	princess-island-maryland-oxygen
File name:	accusa.lnk
Download:	download sample
File size:	79'832 bytes
First seen:	2025-12-25 14:19:24 UTC
Last seen:	Never
File type:	lnk
MIME type:	application/x-ms-shortcut
ssdeep	1536:jyYzOWSdvltxlqhd9JsauHM4iisVauAIvTsJLMF4Es:HSWSBLxyrJWMBJvwJIFHs
TLSH	T15073CE24CABF10B9DEC9FF7F5193E6612B11625B2E606D343FF0A38A1DB5520842C94E
Magika	lnk
Reporter	abuse_ch
Tags:	lnk

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

LNK

Details

LNK

a command line and any observed urls

Link:

https://research.acce.ciphertechsolutions.com/results/60023879-124b-41ea-a277-5e1152dfed1f/

Detection(s):

Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.LOLBinForFilesHeartBeat.20220523.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=694b14b101c7b4a8fe553a7d

Tags:

dropper virus shell

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773/results/dashboard

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd evasive forfiles lolbin masquerade wscript

Link:

https://www.filescan.io/uploads/694d48233f8fdbf8e951eed3/reports/5db9bd31-9b05-4543-a295-8b872445b616/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773

Result

Gathering data

Verdict:

Malicious

File Type:

lnk

First seen:

2025-12-19T05:11:00Z UTC

Last seen:

2025-12-19T05:36:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1839363

Signature

Command shell drops VBS files

Multi AV Scanner detection for submitted file

Obfuscated command line found

Sigma detected: WScript or CScript Dropper

Uses certutil -decode

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows shortcut file (LNK) starts blacklisted processes

Behaviour

Behavior Graph:

Download SVG

Verdict:

Malware

YARA:

3 match(es)

Tags:

Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002

Link:

https://app.malva.re/file/123b3bd746f1c889826a443143d1f004

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773/

Verdict:

Malicious

Threat:

Trojan-PSW.Win32.Stealer

Link:

https://tip.neiki.dev/file/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773

Threat name:

Win32.Trojan.Sonbokli

Status:

Malicious

First seen:

2025-12-18 18:18:25 UTC

File Type:

Binary

Extracted files:

AV detection:

12 of 38 (31.58%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i7kafvzxvhck6qtasjqvp6g7yzqgn5n6zp7xjcc6ywdojtik45zq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion persistence privilege_escalation spyware stealer

Link:

https://tria.ge/reports/251225-rnjjjswjgq/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Indirect Command Execution

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47d402d737a9c4af4260926157f8dfc66066f5becbff74885ec586e4cd0ae773

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Archive_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies archive (compressed) files in shortcut (LNK) files.

Rule name:	Execution_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies execution artefacts in shortcut (LNK) files.

Rule name:	Find_Emotoet_LNK_File_VBS Create hunting rule
Author:	David Ledbetter
Description:	Search for lnk files dropping vbs files.

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	Script_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies scripting artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample