MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Loki


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752
SHA3-384 hash: 1459965278eb1324e511c8e8b27edc93cf04b04248b05f48781cf036907f21b417b939be0146f80861213bbad13f0e33
SHA1 hash: 1f77d2879725462577a73adbf83d07c60eb6a384
MD5 hash: f88d5c71b79d93f336a5fbc20deeb9dd
humanhash: virginia-quebec-single-stream
File name:Order.lnk
Download: download sample
Signature Loki
Create hunting rule
File size:2'522 bytes
First seen:2024-03-26 08:50:05 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8z/BHYVKVWzO+/CW/HiyQebPEW/OcjAQG9vPvxrw89ufoYZa4o0oYh5/:8z5aBLEW/OSA/vPvxM896oK
TLSH T1795127145AE91324F6F38B3978BAF3514935B8A9FE22CBDD0194428C1C70650E8B1F3B
Reporter smica83
Tags:HUN lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
HU HU
Vendor Threat Intelligence
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752/results/dashboard
Payload URLs
URL
File name
http://busyestinglsv.site/cmeo/ahbsfrbahogrfoweybrzhfbshdlhabdfhbawvgfrweifrvboherjbvfwr/zxfhvgkhchbavsdfabvlgf1244rhgv5hvkghvkhvkh6vkgvh/clips.exe','yjtjewi.exe');./'yjtjewi.exe';(get-item
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
dropper evasive masquerade
Link:
https://www.filescan.io/uploads/66028c77f1c80c2d4d580faf/reports/2d7301e0-4a17-454f-b200-f46646702b07/overview
Verdict:
Malicious
Labled as:
Trojan.PowerShell.LNK.Generic
Link:
https://www.hybrid-analysis.com/sample/a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752
Result
Verdict:
MALICIOUS
Details
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1415636
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1415636 Sample: Order.lnk Startdate: 26/03/2024 Architecture: WINDOWS Score: 92 13 busyestinglsv.site 2->13 15 Antivirus detection for URL or domain 2->15 17 Windows shortcut file (LNK) starts blacklisted processes 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 7 other signatures 2->21 7 powershell.exe 14 30 2->7         started        signatures3 process4 process5 9 conhost.exe 1 7->9         started        11 OpenWith.exe 7->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752/
Threat name:
Shortcut.Trojan.PowerShell
Create hunting rule
Status:
Malicious
First seen:
2024-03-26 00:18:13 UTC
File Type:
Binary
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=utsrwnsfjduhssgqa5nivx743ea5fb3jkdhg6cutsqj2bvcqw5ja._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/240326-kr54dshe21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction:
http://busyestinglsv.site/cmeo/ahbsfrbahogrfoweybrzhfbshdlhabdfhbawvgfrweifrvboherjbvfwr/zxfhvgkhchbavsdfabvlgf1244rhgv5hvkghvkhvkh6vkgvh/clips.exe
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Archive_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies archive (compressed) files in shortcut (LNK) files.
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Loki

Shortcut (lnk) lnk a4e51b364548e87948d0075a8adffcd901d2876950ce6f0a939413a0d450b752

(this sample)

Loki

Executable exe fbed0af892e58c844c0d37e6c68e979b8dbb94b5d6a95876a7cd38e0f0172478

  
Dropping
SHA256 fbed0af892e58c844c0d37e6c68e979b8dbb94b5d6a95876a7cd38e0f0172478
  
Dropping
MD5 01bad75f225c4d649c47a64beefa2881

Comments