MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81254cfb6f4eee19aed87a2a5d526654455e911cee51665739d572f698dc97f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash: 81254cfb6f4eee19aed87a2a5d526654455e911cee51665739d572f698dc97f5
SHA3-384 hash: fbcbca63a2d54b929a0ce19899a6e942ab0971a500976cdd5774b1333bc8fad092a6a63e9ea6cf7e3394a0a515ab85d5
SHA1 hash: 4184e883c605936cb964c8ec6ca30fc20a38c110
MD5 hash: 336d861178e3bde015c91c1e87a59059
humanhash: sierra-bulldog-blue-foxtrot
File name:81254cfb6f4eee19aed87a2a5d526654455e911cee51665739d572f698dc97f5
Download: download sample
File size:1'032 bytes
First seen:2026-07-16 07:34:42 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6:4xtisdS2ndS2nHolHKlFcnlj+SEEgykQLPfBMlpIoF6SaU/k1ARokJxt:8oUXx4QkCikQLhMbHFMf8
TLSH T155112B301BCB5A00F3F54B35BC3EB3012975BC0C8D314ADD928519AC0C26A109C35F36
Magika lnk
Reporter JAMESWT_WT
Tags:booking lnk v0hkpadr04mbz5lkearqa-com

Intelligence


File Origin
# of uploads :
1
# of downloads :
80
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
shell agent sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
LNK_TrojanDownloader_Agent_CWF_trojan
Verdict:
Malicious
File Type:
lnk
First seen:
2026-07-15T17:46:00Z UTC
Last seen:
2026-07-17T19:40:00Z UTC
Hits:
~10
Verdict:
Malware
YARA:
3 match(es)
Tags:
Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:cmd.exe Malicious PowerShell PowerShell Call T1027 T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments