MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310
SHA3-384 hash: 076fce64ca1fc925f8998a9b2058b64780f8c218e8e61e66201ae05820bbdb111114de133eac00e3c83ab253cd7c9a6e
SHA1 hash: 741974d46f8e1660193e5c51ad82a16a0616da08
MD5 hash: 88ab49fe02954d61d259954237b00432
humanhash: snake-fifteen-football-whiskey
File name:vehiculo_para_recompra.pdf.lnk
Download: download sample
File size:2'538 bytes
First seen:2025-04-28 11:23:32 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8Ayw/BHYVKVWO+/CWYk3eRlPP/dd79dsoEZK:8y5as7dP/dJ9hJ
Threatray 10 similar samples on MalwareBazaar
TLSH T1BB516A142EE50724F2B2CA356C767310897BB809DE3D8B8D019DC2443763225F4A9F6F
Magika lnk
Reporter abuse_ch
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20220719.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20221102.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20221108.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680f69dac8b2e86d0ac3be8b
Tags:
ransomware obfuscate xtreme
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive lolbin masquerade mshta powershell
Link:
https://www.filescan.io/uploads/680f6558218c4a98ade5293e/reports/1be8389c-c362-4166-90d2-3d9f92988a4a/overview
Verdict:
Malicious
Labled as:
BZC.YAX.Pantera.229
Link:
https://www.hybrid-analysis.com/sample/8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1676215
Signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) starts blacklisted processes
Yara detected LNK With Padded Argument
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1676215 Sample: vehiculo_para_recompra.pdf.lnk Startdate: 28/04/2025 Architecture: WINDOWS Score: 88 27 Antivirus detection for URL or domain 2->27 29 Windows shortcut file (LNK) starts blacklisted processes 2->29 31 Multi AV Scanner detection for submitted file 2->31 33 4 other signatures 2->33 6 powershell.exe 27 2->6         started        9 cmd.exe 1 2->9         started        11 svchost.exe 1 1 2->11         started        process3 dnsIp4 35 Windows shortcut file (LNK) starts blacklisted processes 6->35 37 Loading BitLocker PowerShell Module 6->37 14 mshta.exe 16 6->14         started        17 conhost.exe 1 6->17         started        19 mshta.exe 16 9->19         started        21 conhost.exe 9->21         started        23 127.0.0.1 unknown unknown 11->23 signatures5 process6 dnsIp7 25 95.215.108.179, 49692, 49693, 49954 HostingvpsvilleruRU Russian Federation 14->25
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310/
Threat name:
Shortcut.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2025-04-28 02:52:47 UTC
File Type:
Binary
AV detection:
9 of 23 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qqm2j4lkw6zw2ixafeucl72edzncpni2yl6e32uz3fxcnbmn4mia._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
19f6b0cbf4d58ca4c4dda40eb41107ad5bdf05fb914dd3c5fdb101dbde4532e8
4e71fd189cf074e29b93eca914c11a300ad7110d98a284023b88b65fd4524051
71149e56febb1f0b96518016f33dcfae141c8d8e1dcca5de5b97519214ec6de5
82db204101b68d97b93c4f5a76c3aabce7b568ced3d25f4c3a5d31b00d187a43
8daa2f6bfe2c616af887f5068fe916d4312e385196ec9808b48abf81073f3be6
94086b63d9c96edeb3e7cc9ce3cb4f4a57acb6e1204d4a2b113b265392641ae0
c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
d40773790dc2818eedcaf20bb2831d11f1d24a76839bd90efba1229e55ad6d75
d4c7a4729719f8d24ce40793d4f23abb629101920775bc5106486b59835d1ee4
error
f767fa2879dc1d53e423e63f9d7773611002594c63fcfc0f02cf42bdee5b4731
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250428-nhrq7awnz8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://95.215.108.179/BKWFHXXZ.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_EXPL_ZTH_LNK_EXPLOIT_A
Create hunting rule
Author:Peter Girnus
Description:This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.
Reference:https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Shortcut (lnk) lnk 8419a4f16ab7b36d22e0292825ff441e5a27b51ac2fc4dea99d96e26858de310

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3526876/
  
Delivery method
Distributed via web download

Comments