MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1
SHA3-384 hash: 5b25a06ff2ad9d056e7a3a7682176106be26eff2ed9464241519c271aa8602a9f9125114a68f896e2b0a54b7c9146bcd
SHA1 hash: f8530f785309e5d62f05cb2f8847af6b7f583367
MD5 hash: 5f28b70ae1806d2182281170d80754ce
humanhash: fix-three-seven-lion
File name:Delay_Report_08.2025.pdf.lnk
Download: download sample
Signature MetaStealer
Create hunting rule
File size:3'037 bytes
First seen:2025-08-05 07:20:43 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8kCicJsiwpWNhA5x+/5+ABnnnMo/Sbdd+5CwiXuHY8WabEjm:8Efwy2VxnnMo2dyRiXuHya6
TLSH T19751CE1536F90359F3F35E3B58B69621993FB940D9628E1D02A482881892B01EC3AF7B
Magika lnk
Reporter abuse_ch
Tags:lnk metastealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.20221214.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaymsiexec.20231121.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADayDownloaders.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6891b104af3050dc8d3477a7
Tags:
dropper xtreme sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1/results/dashboard
Payload URLs
URL
File name
http://myprojectdocs.com/Delay_Report_08.2025.pdf
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
BZC.YAX.Mole.3.3D01CF3E;BZC.YAX.Mole.3
Link:
https://www.hybrid-analysis.com/sample/a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1
Result
Threat name:
MalLnk
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1750296
Signature
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750296 Sample: Delay_Report_08.2025.pdf.lnk Startdate: 05/08/2025 Architecture: WINDOWS Score: 72 34 myprojectdocs.com 2->34 50 Windows shortcut file (LNK) starts blacklisted processes 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected malicious lnk 2->54 56 2 other signatures 2->56 8 msedge.exe 104 384 2->8         started        11 cmd.exe 2 2->11         started        13 msiexec.exe 2->13         started        signatures3 process4 dnsIp5 36 192.168.2.6 unknown unknown 8->36 38 192.168.2.8, 138, 443, 49309 unknown unknown 8->38 40 239.255.255.250 unknown Reserved 8->40 15 msedge.exe 24 8->15         started        18 msedge.exe 8->18         started        20 msedge.exe 8->20         started        22 msedge.exe 8->22         started        24 msedge.exe 9 11->24         started        26 curl.exe 1 11->26         started        28 taskkill.exe 1 11->28         started        30 2 other processes 11->30 process6 dnsIp7 42 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49697, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->42 44 ln-0007.ln-msedge.net 150.171.22.17, 443, 49694 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->44 48 15 other IPs or domains 15->48 32 msedge.exe 24->32         started        46 127.0.0.1 unknown unknown 26->46 process8
Verdict:
Malware
YARA:
2 match(es)
Tags:
Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002
Link:
https://app.malva.re/file/5f28b70ae1806d2182281170d80754ce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1/
Threat name:
Shortcut.Trojan.MetaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 00:59:33 UTC
File Type:
Binary
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ue5yhpdkon2iaruit4kq6odfzeuzud3gbxwh7bssqdt55ylfytiq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250805-h6xpfssmv4/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:LNK_Malicious_Nov1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects a suspicious LNK file
Reference:https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PDF_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Shortcut (lnk) lnk a13b83bc6a73748046889f150f3865c9299a0f660dec7f865280e7dee165c4d1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3595300/
  
Delivery method
Distributed via web download

Comments