MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a39831ecbe0792adf87f63fb99557356ba688e5f6da8c2b058d2a3d0f0d7d1e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: a39831ecbe0792adf87f63fb99557356ba688e5f6da8c2b058d2a3d0f0d7d1e4
SHA3-384 hash: 6328d407355f147983d27bf6c9dcff567ee916f0b7066f47532d319f573aa606bbf82bd676a6601b082c368c8a9fe096
SHA1 hash: b93c13204acb4819c7688f847b1470ac25df52b3
MD5 hash: 0eb8db3cbde470407f942fd63afe42b8
humanhash: hydrogen-winner-purple-venus
File name: 현황조사표.xlsx.ln#
File size: 25'952'256 bytes
First seen: 2023-08-12 18:25:13 UTC
Last seen: Never
File type: Shortcut (lnk) lnk
MIME type: application/octet-stream
ssdeep 384:8+8+ba0vH3XVgL/mYIDm/QuG/bSbiNsvidDTn1VhGiplDQpB+H:pbXvEtIiQuGTUiSaVcw
TLSH T13E4707B8A69FE0D5D5F262FC986C97C116322F51D0754A6E7027B408DBF121224CAFEE
Reporter: 500mk500
Tags: lnk

Intelligence

File Origin
# of uploads: 1
# of downloads: 184
Origin country: UA
Vendor Threat Intelligence
Result
Verdict: Malicious
File Type: LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict: Malicious
Labelled as: BZC.YAX.Boxter.949.2AF87C59;BZC.YAX.Boxter.949
Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell creates an autostart link
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Behaviour
Behavior Graph: ID 1290522, start date 12/08/2023, architecture WINDOWS, score 100 (interactive process graph not reproduced here; its signatures are listed above)
Threat name: Win32.Trojan.Boxter
Status: Malicious
First seen: 2023-08-11 19:49:34 UTC
File Type: Binary
AV detection: 10 of 38 (26.32%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Modifies registry class
Modifies registry key
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Archive_in_LNK
Author: @bartblaze
Description: Identifies archive (compressed) files in shortcut (LNK) files.
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.
Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.
Rule name: Large_filesize_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) files larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: MSOffice_in_LNK
Author: @bartblaze
Description: Identifies Microsoft Office artefacts in shortcut (LNK) files.
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_Big_Link_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspiciously big LNK file - maybe with embedded content
Reference: Internal Research
Rule name: SUSP_LNK_Big_Link_File_RID2EDD
Author: Florian Roth
Description: Detects a suspiciously big LNK file - maybe with embedded content
Reference: Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments