MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651
SHA3-384 hash: 13cf652b740affb92bf415a42b3290ec56ca94e4cd4796c80b2c7902c877b3709adf623773cbe4cd86bf44e34218592b
SHA1 hash: d0ef6253db34f6634a98976a441de2c9b9627aa8
MD5 hash: 536c70e37c1c033ae05f510281e330f4
humanhash: wyoming-enemy-six-michigan
File name:manual.pdf.lnk
Download: download sample
Signature MetaStealer
Create hunting rule
File size:2'965 bytes
First seen:2025-10-29 16:27:12 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8H2JfW5t4xAyx+/5++y2Wnm2YLMu/Sbdd+5Cww9dsquWgncWgssqMmkZ:8HMWrNnyxnmpLMu2dyRw9ducBBZ
TLSH T1F751111127D90768E3B35D3B48B7DB158936F886DE21CD5D039141481CA6B01DC39FBB
Magika lnk
Reporter abuse_ch
Tags:lnk metastealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6902445c9942f1282eca3051
Tags:
dropper virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651/results/dashboard
Payload URLs
URL
File name
https://anydesk.com
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
BZC.YAX.Mole.3.3B09E935;BZC.YAX.Mole.3
Link:
https://www.hybrid-analysis.com/sample/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651
Verdict:
Malicious
File Type:
lnk
First seen:
2025-10-28T14:55:00Z UTC
Last seen:
2025-10-29T18:55:00Z UTC
Hits:
~100
Detections:
Trojan.WinLNK.Agent.sb HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Runner.n HEUR:Trojan.Multi.Runner.e Trojan-Spy.Win32.MetaStealer.bk
Link:
https://opentip.kaspersky.com/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651/results?tab=lookup
Result
Threat name:
MalLnk
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1804169
Signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1804169 Sample: manual.pdf.lnk Startdate: 29/10/2025 Architecture: WINDOWS Score: 92 55 anydesck.net 2->55 73 Antivirus detection for URL or domain 2->73 75 Windows shortcut file (LNK) starts blacklisted processes 2->75 77 Multi AV Scanner detection for dropped file 2->77 79 5 other signatures 2->79 9 msiexec.exe 3 11 2->9         started        12 cmd.exe 2 2->12         started        14 msedge.exe 37 462 2->14         started        signatures3 process4 dnsIp5 53 C:\Windows\Installer\MSI2E8C.tmp, PE32 9->53 dropped 17 msiexec.exe 5 9->17         started        19 curl.exe 2 12->19         started        22 msedge.exe 11 12->22         started        24 taskkill.exe 1 12->24         started        34 2 other processes 12->34 67 192.168.2.14 unknown unknown 14->67 69 192.168.2.15 unknown unknown 14->69 71 3 other IPs or domains 14->71 26 msedge.exe 100 14->26         started        28 msedge.exe 14->28         started        30 msedge.exe 14->30         started        32 msedge.exe 14->32         started        file6 process7 dnsIp8 36 expand.exe 8 17->36         started        39 icacls.exe 1 17->39         started        41 out1.exe 17->41         started        57 anydesck.net 87.120.219.100, 443, 49692 NET1-ASBG Bulgaria 19->57 59 127.0.0.1 unknown unknown 19->59 43 msedge.exe 22->43         started        61 18.172.170.119, 443, 49744 MIT-GATEWAYSUS United States 26->61 63 part-0042.t-0009.t-msedge.net 13.107.246.70, 443, 49699, 49700 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->63 65 41 other IPs or domains 26->65 process9 file10 49 C:\Users\user\AppData\...\fhst.exe (copy), PE32 36->49 dropped 51 C:\...\824f20be9482784796a32954776c4788.tmp, PE32 36->51 dropped 45 conhost.exe 36->45         started        47 conhost.exe 39->47         started        process11
Verdict:
Malware
YARA:
2 match(es)
Tags:
Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/536c70e37c1c033ae05f510281e330f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651/
Verdict:
Malicious
Threat:
Family.METASTEALER
Link:
https://tip.neiki.dev/file/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651
Threat name:
Shortcut.Trojan.MetaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-29 00:58:02 UTC
File Type:
Binary
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2cckchp2uysnaiks7atzrpq5mltoa6bfcctrpzwl3zw42pcuziq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251029-x888labs3h/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_Malicious_Nov1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious LNK file
Reference:https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PDF_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Shortcut (lnk) lnk 7e842508efd53126810a97c13cc5f0eb173703c1288538bf365ef36e69e2a651

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3687889/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3687888/

Comments