MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e71fd189cf074e29b93eca914c11a300ad7110d98a284023b88b65fd4524051. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: 4e71fd189cf074e29b93eca914c11a300ad7110d98a284023b88b65fd4524051
SHA3-384 hash: 00fc7dadcb07caa64dcc9fe514dddcb0cbe1138526122ed520d9147fc1606391db49f64c7a36e122f78fea434e1560af
SHA1 hash: 6a0a16db1bb627613754d4e505a216c4d93cb31f
MD5 hash: 7dcf5627fb57c61fe69601431a1057ec
humanhash: cardinal-potato-louisiana-sodium
File name: application_documents.lnk
Download: download sample
File size: 2'476 bytes
First seen: 2025-04-18 16:50:34 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8Ayw/BHYVKVWO+/CWdpWkDWdd79dsoEZK:8y5aWkqdJ9hJ
TLSH: T1A2515B042EE50324F3B68B35A8B66721C977B849CE718F8D008D42481733210F4A5F6F
Magika: lnk
Reporter: abuse_ch
Tags: lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 99.9%
Tags: shell miner sage

Result
Verdict: Malicious
File Type: LNK File - Malicious

Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade powershell

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected LNK With Padded Argument
Behaviour
Behavior Graph: ID 1668588, sample application_documents.lnk, start date 18/04/2025, architecture WINDOWS, score 100 (graph rendering omitted; the flattened process tree, dropped-file, host and per-node signature annotations are not recoverable from the page text)
Threat name: Shortcut.Trojan.Pantera
Status: Malicious
First seen: 2025-04-17 23:07:32 UTC
File Type: Binary
AV detection: 12 of 24 (50.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware Config
Dropper Extraction: http://80.66.84.133/OKFBVTBZ.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create. Note that only results from TLP:CLEAR rules are displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Shortcut (lnk) 4e71fd189cf074e29b93eca914c11a300ad7110d98a284023b88b65fd4524051 (this sample)

Delivery method: Distributed via web download

Comments