MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abd4dcb78a92e4f98b88199ce08f88a3ce99032390747de6f3222f8d4a71939d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: abd4dcb78a92e4f98b88199ce08f88a3ce99032390747de6f3222f8d4a71939d
SHA3-384 hash: 7db3b52487669dceb549316ef6bcec9b6511849272709cc86ed129798729e3f203ab4d5f1c1060b2d41ba456955a5b05
SHA1 hash: 79ae856226052b05ec389b2db7cdfd429418f760
MD5 hash: 1cdf8cedd29b81b611e4dd2bbf3b5e08
humanhash: bakerloo-seven-arizona-fish
File name: Document.pdf.lnk
File size: 423'781 bytes
First seen: 2024-02-02 10:17:17 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 6144:LanfOsXsSiRVKva4ygDTeCcnsEJWGd93nLYDG3djdsP/zQ/4rHTFKBS9TP0ey:La9XWVtg27nZZndzs3z5HT90R
TLSH: T1B6948CD930C2B270DA65EB794335FDA5531BA35B15309C2EB03D03E00BA9BE9DA1958F
Reporter: abuse_ch
Tags: lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 148
Origin country: NL
Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs:
  URL: http://files.catbox.moe/p1yr9i.pdf'';$d=$env:TEMP
  File name: LNK File
Behaviour: BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: autorun evasive masquerade powershell
Result
Verdict: MALICIOUS
Details:
Base64 Encoded Powershell Directives: Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Hidden Powershell: Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name: n/a
Detection: malicious
Classification: rans.bank.troj.evad
Score: 100 / 100
Signatures:
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Malicious encrypted Powershell command line found
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell creates an autostart link
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Uses regedit.exe to modify the Windows registry
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph (ID 1385501; sample Document.pdf.lnk; start date 02/02/2024; architecture WINDOWS; score 100): the LNK starts several powershell.exe instances (flagged: starts blacklisted processes, suspicious powershell command line found, encrypted powershell cmdline option found); a child powershell.exe resolves files.catbox.moe (108.181.20.35, port 443), drops C:\Users\Public\17399.reg and starts regedit.exe (creates multiple autostart registry keys with suspicious values, one pointing to a binary in C:\Windows), Acrobat.exe and conhost.exe; Acrobat.exe spawns AcroCEF.exe, which connects to 184.25.164.138 on port 443; svchost.exe contacts 127.0.0.1.
Threat name: Shortcut.Trojan.Boxter
Status: Malicious
First seen: 2024-01-25 08:18:49 UTC
File Type: Binary
AV detection: 12 of 24 (50.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour:
Enumerates system info in registry
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction: http://files.catbox.moe/p1yr9i.pdf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Archive_in_LNK
Author: @bartblaze
Description: Identifies archive (compressed) files in shortcut (LNK) files.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: Large_filesize_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) files larger than 100KB. Most goodware LNK files are smaller than 100KB.

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name: Script_in_LNK
Author: @bartblaze
Description: Identifies scripting artefacts in shortcut (LNK) files.

Rule name: SUSP_LNK_Big_Link_File
Author: Florian Roth (Nextron Systems)
Description: Detects a suspiciously big LNK file, possibly with embedded content
Reference: Internal Research

Rule name: SUSP_LNK_Big_Link_File_RID2EDD
Author: Florian Roth
Description: Detects a suspiciously big LNK file, possibly with embedded content
Reference: Internal Research

Rule name: SUSP_PS1_JAB_Pattern_Jun22_1
Author: Florian Roth (Nextron Systems)
Description: Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single-character variable
Reference: Internal Research

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments