MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc4e91ffc44e87127a9c233d685084c2c9817a659cfd9b4dedb14dfcbd1e2ae9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MetaStealer

Vendor detections: 10

SHA256 hash: cc4e91ffc44e87127a9c233d685084c2c9817a659cfd9b4dedb14dfcbd1e2ae9
SHA3-384 hash: f76ed4fedae4242001551f44a2607fe167ea1295554efbf9b3b1d8a7c332770f18f8fa02dcbf9e2c4dfaaea09cf02ab4
SHA1 hash: c10ff092fdc86835459ebc21f77d0082b4873dd2
MD5 hash: 5827a1d6eed09c4afd130b12fa38a5a1
humanhash: whiskey-massachusetts-timing-mississippi
File name: Delay_Report_08.2025.pdf.lnk
Signature: MetaStealer
File size: 3'033 bytes
First seen: 2025-08-03 15:55:08 UTC
Last seen: 2025-08-03 23:52:12 UTC
File type: Shortcut (lnk)
MIME type: application/x-ms-shortcut
ssdeep: 24:8DS5XfJ7kv0qGV7Agx+/5+0NBnnlMVRa/Sbdd+5CwiXuHY8pLar/4XI7Tmm:8DSBlkZ3BxnlMW2dyRiXuHdLaroum
TLSH: T1BF51C0122BEA0725F3F25D7A58B29716967BF955E9618F1D019181480852A00EC38FAB
Magika: lnk
Reporter: abuse_ch
Tags: 92-118-112-17 lnk metastealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 47
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: dropper overt sage

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs (URL / File name):
http://myprojectdocs.com/Delay_Report_08.2025.pdf / LNK File
Behaviour: BlacklistAPI detected

Verdict: Malicious
Labeled as: BZC.YAX.Mole.3.3CADD3EF;BZC.YAX.Mole.3

Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature:
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected malicious lnk
Behaviour
Behavior Graph:
[Behavior Graph, rendered as an image on the original page; recoverable details follow.] Behavior Graph ID: 1749407. Sample: Delay_Report_08.2025.pdf.lnk. Startdate: 03/08/2025. Architecture: WINDOWS. Score: 76. Processes started by the sample: msedge.exe, cmd.exe, msedge.exe and 2 other processes; cmd.exe in turn starts msedge.exe, curl.exe, taskkill.exe and 2 other processes; msedge.exe starts further msedge.exe instances and 5 other processes. Network activity: myprojectdocs.com; 192.168.2.4 (ports 138, 443, 49152; unknown); 239.255.255.250 (Reserved); 13.107.246.40 port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ln-0007.ln-msedge.net 150.171.22.17 port 443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 11 other IPs or domains; curl.exe contacts 127.0.0.1. Signatures annotated in the graph: Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; Yara detected malicious lnk; Maps a DLL or memory area into another process (on msedge.exe); 2 other signatures.
Verdict: Malware
YARA: 2 match(es)
Tags: Execution: CMD in LNK LNK LOLBin LOLBin:cmd.exe Malicious T1059.003 T1202: Indirect Command Execution T1204.002

Threat name: Shortcut.Trojan.MetaStealer
Status: Malicious
First seen: 2025-08-02 17:29:12 UTC
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion discovery
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Drops file in Program Files directory
Checks computer location settings

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Download_in_LNK
Author: @bartblaze
Description: Identifies download artefacts in shortcut (LNK) files.

Rule name: Execution_in_LNK
Author: @bartblaze
Description: Identifies execution artefacts in shortcut (LNK) files.

Rule name: LNK_Malicious_Nov1
Author: Florian Roth (Nextron Systems)
Description: Detects a suspicious LNK file
Reference: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/

Rule name: LNK_sospechosos
Author: Germán Fernández
Description: Detects suspicious .lnk files

Rule name: PDF_in_LNK
Author: @bartblaze
Description: Identifies Adobe Acrobat artefacts in shortcut (LNK) files. A PDF document is typically used as decoy in a malicious LNK.

Rule name: SUSP_LNK_CMD
Author: SECUINFRA Falcon Team
Description: Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: MetaStealer
File type: Shortcut (lnk)
SHA256 hash: cc4e91ffc44e87127a9c233d685084c2c9817a659cfd9b4dedb14dfcbd1e2ae9 (this sample)

Delivery method
Distributed via web download

Comments



commented on 2025-08-04 19:22:24 UTC

Payload URL:
http://myprojectdocs.com/file/setup0408.pdf