MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d438e9a6ae13b67cee568aca33fd863bf1b861601c8eee71264e6c0f7e96c043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: d438e9a6ae13b67cee568aca33fd863bf1b861601c8eee71264e6c0f7e96c043
SHA3-384 hash: 9560a2a1c3bf1ab0ac496f1ae98ce7cb038e6ed36887421e4a7170cd3bce653a1e79f44f984a00a8b9fed607162fafdb
SHA1 hash: 7de06b462069ee045182b08d2fe6939554e2bd3f
MD5 hash: 8b68173e0f5484fc965d50770f71a08d
humanhash: steak-minnesota-finch-hydrogen
File name: Microsoft-Order.pdf.lnk
File size: 5'367 bytes
First seen: 2025-04-08 06:56:27 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 96:83W9u+h/z+lnJq+zH/92yKxeHeByQw2lQoWQrpe6xLdrg:83W9uEy9/fhMeH+hwp+9e6xLx
TLSH: T13EB1231816E5C700E7739E7869A27233262FB73F573B8189008D9CC91BAB60C9716B27
Magika: lnk
Reporter: abuse_ch
Tags: lnk

Intelligence


File Origin
# of uploads: 1
# of downloads: 76
Origin country: NL
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: xtreme virus miner
Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs
URL: https://goVuq (File name: LNK File)
Behaviour
BlacklistAPI detected

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade powershell
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Yara detected LNK With Padded Argument
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1658979
Sample: Microsoft-Order.pdf.lnk
Startdate: 08/04/2025
Architecture: WINDOWS
Score: 100

Behavior graph, rebuilt from the graph export as a process tree (remote port listed per connection; "N other ..." entries are collapsed in the export):

Microsoft-Order.pdf.lnk (root)
  Network: x1.i.lencr.org; uno-cdn-update.buzz; 8 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; 8 other signatures
  Started: DDMService.exe; steamerrorreporter.exe; powershell.exe; 12 other processes

  DDMService.exe
    Dropped: C:\Users\user\AppData\Local\...\ReaderTls.exe (PE32+); C:\Users\user\AppData\Local\Temp\pdoyah (PE32+)
    Signatures: Windows shortcut file (LNK) starts blacklisted processes; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    Started: ReaderTls.exe; cmd.exe; cmd.exe

    ReaderTls.exe
      Network: uno-cdn-update.buzz 104.21.32.217:443 (CLOUDFLARENETUS, United States); medoloki9.shop 172.67.148.218:443 (CLOUDFLARENETUS, United States)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Found strings related to Crypto-Mining; 6 other signatures
      Started: chrome.exe; msedge.exe
        chrome.exe
          Network: 192.168.2.11 ports 138, 443
          Started: chrome.exe
            Network: www.google.com 142.250.72.100:443 (GOOGLEUS, United States); plus.l.google.com 142.250.72.110:443 (GOOGLEUS, United States); 5 other IPs or domains
        msedge.exe
          Started: msedge.exe

    cmd.exe
      Signatures: Switches to a custom stack to bypass stack traces
      Started: Acrobat.exe; conhost.exe
        Acrobat.exe
          Started: AcroCEF.exe
            Network: e8652.dscx.akamaiedge.net 23.39.37.95:80 (AKAMAI-ASUS, United States)
            Started: AcroCEF.exe

    cmd.exe
      Started: conhost.exe

  steamerrorreporter.exe
    Dropped: C:\Users\user\AppData\Local\Temp\xryo (PE32+)
    Signatures: Switches to a custom stack to bypass stack traces

  powershell.exe
    Network: go-cars-cheaprest.cfd 104.21.53.131:443 (CLOUDFLARENETUS, United States)
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
    Started: conhost.exe

  12 other processes
    Network: 127.0.0.1; 239.255.255.250 (Reserved)
    Started: msedge.exe
      Network: 13.89.179.9:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ax-0003.ax-msedge.net 150.171.27.12:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 31 other IPs or domains
Threat name: Shortcut.Trojan.Boxter
Status: Malicious
First seen: 2025-04-07 18:47:56 UTC
File Type: Binary
AV detection: 13 of 36 (36.11%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery execution spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Shortcut (lnk) d438e9a6ae13b67cee568aca33fd863bf1b861601c8eee71264e6c0f7e96c043 (this sample)

Delivery method: Distributed via web download

Comments