MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0
SHA3-384 hash: 1d3c71cabe51ef86dd8cb4ae0458568547398b0d9909da90655ca670b6e238f81fd383ad1172d7defa086717719cabab
SHA1 hash: db1deb3a5f1452935117a27134ffca86e3687dab
MD5 hash: 5132cbde40a752aa50a6b45e4b29512b
humanhash: red-burger-artist-virginia
File name:Повестка совещания.docx.lnk
Download: download sample
File size:1'368 bytes
First seen:2024-05-06 08:01:03 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8AtJtnyU+ef46xrrElANZ/jbhCANVajaS05on:8MO+QejXhCGoau
TLSH T18F21E20A1EBD5BA1F376E97948FD478684377541D6BB8F1D405D0D4D2029A21FE20F2B
Reporter smica83
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
HU HU
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27118.LnkHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1436640
Signature
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436640 Sample: 44f.docx.lnk Startdate: 06/05/2024 Architecture: WINDOWS Score: 60 41 Windows shortcut file (LNK) starts blacklisted processes 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Uses an obfuscated file name to hide its real file extension (double extension) 2->45 7 cmd.exe 1 2->7         started        9 chrome.exe 9 2->9         started        process3 dnsIp4 12 reg.exe 1 1 7->12         started        14 msg.exe 1 7->14         started        16 xcopy.exe 1 7->16         started        18 conhost.exe 1 7->18         started        35 192.168.2.5, 443, 445, 49703 unknown unknown 9->35 37 192.168.2.6 unknown unknown 9->37 39 239.255.255.250 unknown Reserved 9->39 20 chrome.exe 9->20         started        process5 dnsIp6 23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        29 play.google.com 142.250.217.206, 443, 49746, 49747 GOOGLEUS United States 20->29 31 www.google.com 142.250.64.196, 443, 49705, 49706 GOOGLEUS United States 20->31 33 4 other IPs or domains 20->33 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-04-27 02:19:21 UTC
File Type:
Binary
AV detection:
3 of 38 (7.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ypx3vshl77ht3alyzyr6lhz3jf4plki37e3xhceyodkfzqnvksya._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240506-jwld4sgh84/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:Execution_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:Long_RelativePath_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name:MSOffice_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies Microsoft Office artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Shortcut (lnk) lnk c3efbac8ebffcf3d8178ce23e59f3b4978f5a91bf93773889870d45cc1b554b0

(this sample)

Executable exe 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4

  
X
https://twitter.com/ginkgo_g/status/1787373903880606193?t=y1olayqPR7d7P9VxQloHOA&s=19
  
Dropping
SHA256 1301ec3006ad03742bfaef047aa434320aa0e725a99be5d6be27b955a814fcf4
  
Dropping
MD5 6892abc8eb5833b7a142bb88dc0bc1c5

Comments