MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DUCKTAIL


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f
SHA3-384 hash: 82eeb513745aab359c89e5107915660bae95e3385fabebe9d53457b94da88b38eb8694dcec412c98f257c0b69aca8294
SHA1 hash: 5b0c8b05c486ec66f6a53a625fcb31c1dc946fe7
MD5 hash: 479b235adaa09fb5be9abb618ef56856
humanhash: uranus-wyoming-july-oranges
File name:2.2024 Outfit Strests.lnk
Download: download sample
Signature DUCKTAIL
Create hunting rule
File size:3'145'728 bytes
First seen:2024-03-20 08:28:44 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8wcxh4yCI4Xyl7+RIZJ2le8f75SRIZJpovgdJBxFsySP4I0Qc5jefJ4I0:8TxR4m7L8fvtuIISdlI
TLSH T16FE5482027ED1209F1F35F35BAB9E8A5D2B6BDA1A912C2DE0180564E4871600DE26F33
Reporter smica83
Tags:apt DUCKTAIL lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
196
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
TwinWave.LNKPShellMotherBoardFire.20220428.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/65fa9e545cd908a33db9e8d4/reports/cc699938-c1be-48a1-ada5-c3c2bd0c6967/overview
Verdict:
Malicious
Labled as:
Generik.HJTOUPL trojan
Link:
https://www.hybrid-analysis.com/sample/5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f
Result
Threat name:
Ducktail
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1412234
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to start a terminal service
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: PowerShell Base64 Encoded WMI Classes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Snort IDS alert for network traffic
Suspicious command line found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Very long command line found
Windows shortcut file (LNK) starts blacklisted processes
Yara detected Ducktail
Yara detected Obfuscated Powershell
Yara detected Powershell dedcode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1412234 Sample: 2.2024 Outfit Strests.lnk Startdate: 20/03/2024 Architecture: WINDOWS Score: 100 60 fixtest123.uk 2->60 72 Snort IDS alert for network traffic 2->72 74 Multi AV Scanner detection for domain / URL 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 16 other signatures 2->78 10 cmd.exe 1 2->10         started        13 svczHost.exe 1 2->13         started        signatures3 process4 dnsIp5 80 Windows shortcut file (LNK) starts blacklisted processes 10->80 82 Suspicious powershell command line found 10->82 84 Encrypted powershell cmdline option found 10->84 86 Bypasses PowerShell execution policy 10->86 16 powershell.exe 14 33 10->16         started        20 conhost.exe 1 10->20         started        62 138.201.8.186, 49710, 49714, 8000 HETZNER-ASDE Germany 13->62 88 Antivirus detection for dropped file 13->88 90 Multi AV Scanner detection for dropped file 13->90 92 Very long command line found 13->92 94 2 other signatures 13->94 22 cmd.exe 13->22         started        24 powershell.exe 13->24         started        26 powershell.exe 13->26         started        28 3 other processes 13->28 signatures6 process7 dnsIp8 58 fixtest123.uk 172.67.200.236, 49699, 49700, 49701 CLOUDFLARENETUS United States 16->58 64 Windows shortcut file (LNK) starts blacklisted processes 16->64 66 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 16->66 68 Found suspicious powershell code related to unpacking or dynamic code loading 16->68 70 Powershell drops PE file 16->70 30 cmd.exe 1 16->30         started        33 powershell.exe 11 16->33         started        35 conhost.exe 16->35         started        37 conhost.exe 22->37         started        39 sc.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        signatures9 process10 signatures11 96 Windows shortcut file (LNK) starts blacklisted processes 30->96 98 Suspicious powershell command line found 30->98 100 Encrypted powershell cmdline option found 30->100 47 powershell.exe 46 30->47         started        50 conhost.exe 30->50         started        52 conhost.exe 33->52         started        process12 file13 56 C:\Windows\Temp\svczHost.exe, PE32+ 47->56 dropped 54 conhost.exe 47->54         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f/
Threat name:
Shortcut.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2024-03-18 21:39:50 UTC
File Type:
Binary
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6yfddbm5u7ckvw2aoo24ph6qrwl6zt66jkwy3lvwfeh3j266fpq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240320-kdkkjacf93/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5fb0518c2ced3e2556da039dae3cfe846cbf667ef2556c6d75b1487da75ef15f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_Big_Link_File
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspiciously big LNK file - maybe with embedded content
Reference:Internal Research
Rule name:SUSP_LNK_Big_Link_File_RID2EDD
Create hunting rule
Author:Florian Roth
Description:Detects a suspiciously big LNK file - maybe with embedded content
Reference:Internal Research
Rule name:SUSP_PowerShell_Caret_Obfuscation_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects powershell keyword obfuscated with carets
Reference:Internal Research
Rule name:SUSP_PowerShell_Caret_Obfuscation_2_RID347B
Create hunting rule
Author:Florian Roth
Description:Detects powershell keyword obfuscated with carets
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/suyog41/status/1770330474000286118?t=xHj7fAC9rGAAUPyR3iq4DQ&s=19

Comments