MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1ceb4baf68db35a5a77e8334c55627dc7b3e0894fd069f0a6063a1a2dc4cd8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1ceb4baf68db35a5a77e8334c55627dc7b3e0894fd069f0a6063a1a2dc4cd8f
SHA3-384 hash: 5f5e74cef12b5497a4b0e758254874d00d392b6a74f47093f779646e027d44edafb7534cfaa8b1207a88d1b7abc6a5d5
SHA1 hash: 1e02e38ab215816599daabb967352fc399c4c916
MD5 hash: 517894ae1fa916c690143d1f1f707579
humanhash: whiskey-virginia-bulldog-comet
File name:Documentsfiles00102920.LNK
Download: download sample
Signature Formbook
Create hunting rule
File size:202'631 bytes
First seen:2025-04-16 15:50:20 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6144:EzrUaNaATUvtXGM1iI2G600hGLtDmx20a79D019:MDNXiXGM1iDx5hGLRm894D
Threatray 120 similar samples on MalwareBazaar
TLSH T11614F224DB2A0BD9FD2D0DBC0C6E665A4CCD7E313C12CCF9C99B150B4525AD756A2C2B
Magika lnk
Reporter abuse_ch
Tags:FormBook lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ffd451f3fd91e7d60bc44f
Tags:
delphi emotet
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/a1ceb4baf68db35a5a77e8334c55627dc7b3e0894fd069f0a6063a1a2dc4cd8f/results/dashboard
Payload URLs
URL
File name
https://link.storjshare.io/raw/jxhn64sg5f3hjwqbbctalsw4ivsa/office/r.txt','C:\\Users\\Public\\png');
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
PWSH.Downloader.D.Generic
Link:
https://www.hybrid-analysis.com/sample/a1ceb4baf68db35a5a77e8334c55627dc7b3e0894fd069f0a6063a1a2dc4cd8f
Result
Verdict:
MALICIOUS
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1666546
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell DownloadFile
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to download and execute files (via powershell)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1666546 Sample: Documentsfiles00102920.LNK.lnk Startdate: 16/04/2025 Architecture: WINDOWS Score: 100 51 www.es85.cyou 2->51 53 www.rciede.info 2->53 55 4 other IPs or domains 2->55 73 Suricata IDS alerts for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Windows shortcut file (LNK) starts blacklisted processes 2->77 79 16 other signatures 2->79 11 powershell.exe 14 30 2->11         started        signatures3 process4 dnsIp5 63 link.storjshare.io 136.0.77.2, 443, 49693 EGIHOSTINGUS United States 11->63 47 C:\Users\Public\CHROME.PIF, PE32 11->47 dropped 49 C:\Users\Public\png, ASCII 11->49 dropped 95 Drops PE files to the user root directory 11->95 97 Drops PE files with a suspicious file extension 11->97 99 Found suspicious powershell code related to unpacking or dynamic code loading 11->99 101 2 other signatures 11->101 16 CHROME.PIF 6 11->16         started        20 conhost.exe 1 11->20         started        file6 signatures7 process8 file9 45 C:\Users\user\Links\ycgixfvP.pif, PE32 16->45 dropped 65 Windows shortcut file (LNK) starts blacklisted processes 16->65 67 Drops PE files with a suspicious file extension 16->67 69 Writes to foreign memory regions 16->69 71 4 other signatures 16->71 22 ycgixfvP.pif 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        signatures10 process11 signatures12 89 Detected unpacking (changes PE section rights) 22->89 91 Maps a DLL or memory area into another process 22->91 29 q3Ohj11npXVbYknu5.exe 22->29 injected 32 conhost.exe 25->32         started        34 conhost.exe 27->34         started        process13 signatures14 103 Found direct / indirect Syscall (likely to bypass EDR) 29->103 36 net1.exe 13 29->36         started        process15 signatures16 81 Tries to steal Mail credentials (via file / registry access) 36->81 83 Tries to harvest and steal browser information (history, passwords, etc) 36->83 85 Modifies the context of a thread in another process (thread injection) 36->85 87 3 other signatures 36->87 39 q3Ohj11npXVbYknu5.exe 36->39 injected 43 firefox.exe 36->43         started        process17 dnsIp18 57 www.rciede.info 47.83.1.90, 49703, 49704, 49705 VODANETInternationalIP-BackboneofVodafoneDE United States 39->57 59 www.aqbtkj.top 47.99.76.96, 49698, 80 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 39->59 61 www.fool.com.cdn.cloudflare.net 104.18.40.166, 49699, 49700, 49701 CLOUDFLARENETUS United States 39->61 93 Found direct / indirect Syscall (likely to bypass EDR) 39->93 signatures19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1ceb4baf68db35a5a77e8334c55627dc7b3e0894fd069f0a6063a1a2dc4cd8f/
Threat name:
Win32.Trojan.Powdowhlnk
Create hunting rule
Status:
Malicious
First seen:
2025-04-16 13:28:34 UTC
File Type:
Binary
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uhhljoxwrwzvuwtx5azuyvlcpxd3hyejj7igt4fgay5buloezwhq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
00b229de51c409d79b0084465543c9197f797d4a835290ebf72cbce75cfb2044
Formbook
061b716c6ca8262d658b5877cd23d1013e90831193da7e19cd03ca0f22b176bc
Formbook
4e83dca9f0fc2e50b3c4b2abd8161e2ee5857286ae7bf9ffa5c789cdf2542052
Formbook
7cbc23bc350f050b9429f3c2b553dd00f04216a80a8103a0607277c106bd7f20
Formbook
8d734b78502071cecbe494da5c9cd396bba958522e47b64598f57853810ddaab
Formbook
a3114edcd192349ce4a5638983bf46a73b279e4bb2962fe263b32e4ea8465b9a
Formbook
cac32941d0d9176a10b105459e893c126b3617318f4f2c6a67501d7b313df8f3
Formbook
cfecc683911218dde9c607fc0365c31c3fa5e4f7561cb7a68bc99c96c68bf0a4
Formbook
error
Formbook
f350851cc9dfeb4619cc5d14444e3849c0c25db429b31d8c50c56579dffa889a
Formbook
f919ad3a0b960e8665024b04de0d5e9b9b8bcfd50276cb6ad03ac3a5ff8f1a48
Formbook
+ 110 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250416-tajy9sszcx/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
ModiLoader Second Stage
Modiloader family
ModiLoader, DBatLoader
Malware Config
Dropper Extraction:
https://link.storjshare.io/raw/jxhn64sg5f3hjwqbbctalsw4ivsa/office/r.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1ceb4baf68d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:Large_filesize_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments