MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Phorpiex

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3
SHA3-384 hash:	d23360295fc181a14491206c2988763bb9903d63f3723269340e2393e67e7ecfcd18fbd6bf396daf526265c713de4de5
SHA1 hash:	74c021250ef2c027deb141d8f8b35329de082209
MD5 hash:	8bf379efd813e2b19e3c0abf2dc08f05
humanhash:	april-aspen-foxtrot-winner
File name:	Document.doc.lnk
Download:	download sample
Signature	Phorpiex Create hunting rule
File size:	2'067 bytes
First seen:	2026-01-06 07:50:12 UTC
Last seen:	Never
File type:	lnk
MIME type:	application/x-ms-shortcut
ssdeep	24:8VVJqMFXuvawAgqx+/ntSy9kerUMkWI9wCc5QgkgVBS9ZmT:8VemaquoyOerHypgkgVw9ZY
Threatray	2'573 similar samples on MalwareBazaar
TLSH	T12541C1161BD64725D3F84E3AE8BBE71099A97C1AFB138F5D0181929818516149C68F3E
Magika	lnk
Reporter	abuse_ch
Tags:	lnk Phorpiex

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

LNK

Details

LNK

a command line and any observed urls

Link:

https://research.acce.ciphertechsolutions.com/results/c12d9797-8fa4-41db-b78f-3511b017580d/

Detection(s):

Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.26415.PshHeur.UNOFFICIAL

MiscreantPunch.INFO.LNK.CMDPSHELL.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL

TwinWave.EvilLNK.FireForYou.20221018.UNOFFICIAL

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL

TwinWave.EvilLNK.PkillEasyPshellDLAndDetonate.20240116.UNOFFICIAL

TwinWave.EvilLNK.SilverChairs4SilverBacks.20221114.UNOFFICIAL

TwinWave.EvilLNK.WeaponisedLove.M2.20250617.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=695b833fd2357cccc3df8608

Tags:

trojan shell sage

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3/results/dashboard

Payload URLs

URL

File name

http://178.16.54.109/spl.exe

LNK File

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

autorun cmd dropper lolbin masquerade powershell powershell

Link:

https://www.filescan.io/uploads/695cbebc6c350eb0b6f631d8/reports/83d2f7d6-0609-47e5-870c-d0ff2845235d/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3

Verdict:

Malicious

File Type:

lnk

First seen:

2026-01-04T14:57:00Z UTC

Last seen:

2026-01-08T06:29:00Z UTC

Hits:

~10000

Detections:

HEUR:Trojan.WinLNK.Shino.gen HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Powedon.a Trojan-Ransom.Win32.Encoder.sb Trojan-Downloader.WinLNK.Agent.sb Trojan.WinLNK.Agent.sb HEUR:Trojan-Ransom.Win32.Generic HEUR:Trojan-Downloader.WinLNK.Powedon.b Trojan-Ransom.Win32.Agent.sb Trojan.Win32.Vimditator.sb Trojan.Win32.DelShad.sb HEUR:Trojan-Ransom.Win64.Generic PDM:Trojan.Win32.Generic Trojan-Ransom.Win64.Agent.mona HEUR:Trojan.Multi.Agent.gen Trojan-Downloader.PowerShell.Agent.sb Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3/results?tab=lookup

Result

Threat name:

MalLnk

Detection:

malicious

Classification:

rans.spre.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1845338

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Bypasses PowerShell execution policy

Contains functionality to enumerate network shares of other devices

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the user root directory

Found evasive API chain (may stop execution after checking mutex)

Found Tor onion address

Hides that the sample has been downloaded from the Internet (zone.identifier)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Modifies existing user documents (likely ransomware behavior)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Powershell drops PE file

Sigma detected: Powershell download and execute file

Sigma detected: PowerShell DownloadFile

Suricata IDS alerts for network traffic

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Windows shortcut file (LNK) starts blacklisted processes

Writes a notice file (html or txt) to demand a ransom

Yara detected malicious lnk

Behaviour

Behavior Graph:

Download SVG

Verdict:

Malware

YARA:

2 match(es)

Tags:

Batch Command Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:cmd.exe Malicious PowerShell PowerShell Call T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002

Link:

https://app.malva.re/file/8bf379efd813e2b19e3c0abf2dc08f05

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3/

Verdict:

Malicious

Threat:

Trojan.Win32.Vimditator

Link:

https://tip.neiki.dev/file/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3

Threat name:

Shortcut.Trojan.WinLnk

Status:

Malicious

First seen:

2026-01-04 17:53:56 UTC

File Type:

Binary

AV detection:

23 of 36 (63.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ocsk7k2e22u6zv7ufk3xs4v6a5g6za4dur5caeplaez2emfe7lrq._file

Verdict:

malicious

Label(s):

phorpiex

Phorpiex

2c7d58690529990afc514b12c60f805abebfae9f798685f93de0b87eebbb240d

Phorpiex

33f6bff83a6ce68bf321847b66f432840af51cdec378b2cda41ab1f2f0e0ecb1

Phorpiex

3a1108af4bfe7864add18f34e0658f2da34930fbef90e34f176fd938065bf2bc

Phorpiex

5b5e85f9aaddc637b944a78fe390c93d21fa4ffadd953dc7a9412b658d9b15f0

Phorpiex

614ce7fb8a4a9214f3c185458394866350ce76cb99ce2012f06dbe9ecaaffa31

Phorpiex

70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3

Phorpiex

dd1937330f8b10026eb29045fb3d57e1364bf1fe8a80b92568fc4a055ad99c1d

Phorpiex

+ 2'563 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery execution persistence ransomware

Link:

https://tria.ge/reports/260106-jrfytsex7e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Sets desktop wallpaper using registry

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Badlisted process makes network request

Downloads MZ/PE file

Renames multiple (174) files with added filename extension

Malware Config

Dropper Extraction:

http://178.16.54.109/spl.exe

Malware family:

Phorpiex

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70a4afab44d6/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70a4afab44d6a9ecd7f42ab77972be074dec8383a47a2011eb0133a230a4fae3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	Execution_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies execution artefacts in shortcut (LNK) files.

Rule name:	LNK_sospechosos Create hunting rule
Author:	Germán Fernández
Description:	Detecta archivos .lnk sospechosos

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_CMD Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to cmd.exe inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_PowerShell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to powershell inside an lnk file, which is suspicious

Rule name:	SUSP_LNK_SuspiciousCommands Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample