MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77422ac543b931046bc124864c2f9dbc0e132c65501f792135a4b7eefa1025cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MetaStealer

Vendor detections: 12

SHA256 hash: 77422ac543b931046bc124864c2f9dbc0e132c65501f792135a4b7eefa1025cb
SHA3-384 hash: f23a3184897c526f77c097edbd699da73484fa5594dff3ea7900c46d1918d2d6a729dd8965acda7eda8d9abf78c88b26
SHA1 hash: 47a74d13875af3feeb5f494406f7d36bcc63cbd5
MD5 hash: 665cc3044cb4fb6e4c1d595d8992d541
humanhash: beryllium-florida-fifteen-social
File name: README.pdf.lnk
Signature: MetaStealer
File size: 2'969 bytes
First seen: 2025-12-15 10:22:19 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8SmJfS55lwtAyx+/5+UhbyRnmWHA/Sbdd+5Cww9dsquWgncWgssqMmkZ:8S8S53NNbyRnmP2dyRw9ducBBZ
TLSH: T132511E1627EA0729E3F34D3E54B2EB069A37F886DE718E5C039181480862B01EC34FA7
Magika: lnk
Reporter: abuse_ch
Tags: lnk metastealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 49
Origin country: SE
Vendor Threat Intelligence
Malware configuration found for: LNK
Details: LNK (a command line and any observed URLs)
Verdict: Malicious
Score: 91.7%
Tags: infosteal dropper shell sage
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: https://www.ups.com (file name: LNK File)
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd expand fingerprint lolbin lolbin masquerade msiexec taskkill
Verdict: Malicious
Labeled as: BZC.YAX.Mole.3.3BB1DB57; BZC.YAX.Mole.3
Verdict: Malicious
File Type: lnk
First seen: 2025-12-14T22:10:00Z UTC
Last seen: 2025-12-17T06:41:00Z UTC
Hits: ~100
Detections: HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Runner.n HEUR:Trojan.Multi.Runner.e Trojan.WinLNK.Agent.sb
Result
Threat name: Metastealer, MalLnk
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates files in the system32 config directory
Drops large PE files
Found API chain indicative of debugger detection
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Unusual module load detection (module proxying)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes or reads registry keys via WMI
Yara detected malicious lnk
Yara detected Metastealer
Behaviour
Behavior Graph: behavior graph ID 1832913 (Sample: README.pdf.lnk, Startdate: 15/12/2025, Architecture: WINDOWS, Score: 100). The rendered process graph (process tree, dropped files, contacted domains and IPs) is not reproduced here.
Verdict: Malware
YARA: 2 match(es)
Tags: Execution: CMD in LNK, LNK, LOLBin, LOLBin:cmd.exe, Malicious, T1059.003, T1202: Indirect Command Execution, T1204.002
Threat name: Shortcut.Trojan.MetaStealer
Status: Malicious
First seen: 2025-11-23 09:10:43 UTC
File Type: Binary
AV detection: 16 of 36 (44.44%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: LNK_Malicious_Nov1
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious LNK file
Reference: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as a decoy in a malicious LNK.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an LNK file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: MetaStealer
File: Shortcut (lnk) 77422ac543b931046bc124864c2f9dbc0e132c65501f792135a4b7eefa1025cb (this sample)

Delivery method
Distributed via web download

Comments