MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdd593a14e314a4d2eb88cf200aa86623ca10b44d4160b2204084517a0992d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: bdd593a14e314a4d2eb88cf200aa86623ca10b44d4160b2204084517a0992d99
SHA3-384 hash: c8c123f35534360ae371f8b42377b4d0098b9751b5821872f15a9f0de52b835a66ed8179b5f64f891563e93f11189e32
SHA1 hash: ee05e38ce50c0ad35974d8885dcda5cc3314db2e
MD5 hash: e7a9d8b53359cdbe48f47185c075d756
humanhash: carpet-oranges-echo-stairway
File name: Shipping documents.pdf.lnk
File size: 3'196 bytes
First seen: 2025-03-15 08:11:55 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 24:8W0xJLCTtn6RwvKiI8W2ALOWC+/CWKWiPMov3A/ZJPyX1BfuwqvNEG3On0p4IriM:8W8M6Y8tXo/A3gmohn0W30iD/MOK
Threatray: 2 similar samples on MalwareBazaar
TLSH: T10961BB241AF6230CEAB2AFB1A8B8A15199B7BC15ED309A5D011D06484F17A00DC71F3F
Magika: lnk
Reporter: abuse_ch
Tags: lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 61
Origin country: NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.9%
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level: 10/10
Confidence:
100%
Tags:
dropper evasive masquerade packed powershell
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found potential ransomware demand text
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AntiVM3
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 1639304; Sample: Shipping documents.pdf.lnk; Startdate: 15/03/2025; Architecture: WINDOWS; Score: 100. The graph rendering is not reproduced here; the information recoverable from it is listed below.
Contacted hosts: havajel.com (87.107.190.209, port 80, SINET-ASAccessServiceProviderIR, Iran); wittenhorst.eu (185.104.29.236, port 443, AS-ZXCSNL, Netherlands); ip-api.com (208.95.112.1, port 80, TUT-ASUS, United States); 127.0.0.1 (unknown).
Processes started: powershell.exe, hJTKdFUd.exe, svchost.exe, Any Name.exe, conhost.exe, schtasks.exe, WmiPrvSE.exe.
Dropped files: C:\Users\user\AppData\Local\...\Any Name.exe (PE32); C:\Users\user\AppData\Roaming\hJTKdFUd.exe (PE32); C:\Users\user\AppData\Local\...\tmpE14A.tmp (XML).
Signatures shown on the graph: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Windows shortcut file (LNK) starts blacklisted processes; Found potential ransomware demand text; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; Tries to harvest and steal browser information (history, passwords, etc); Loading BitLocker PowerShell Module; plus 21 other signatures not expanded on the graph.
Threat name:
Shortcut.Trojan.Boxter
Status:
Malicious
First seen:
2025-03-14 14:14:36 UTC
File Type:
Binary
AV detection:
21 of 36 (58.33%)
Threat level: 5/5
Verdict:
malicious
Label(s):
unc_loader_037
Result
Malware family:
n/a
Score: 10/10
Tags:
discovery execution spyware stealer
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://havajel.com/wp-includes/SimplePie/src/xJenVhO.exe

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_Remcos_RAT
Author: daniyyell
Description: Detects Remcos RAT payloads and commands
Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files
Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name: SUSP_LNK_PowerShell
Author: SECUINFRA Falcon Team
Description: Detects the reference to powershell inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments