MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2
SHA3-384 hash: 2b60d735d8c4bc5ba45962e79dc8502a7044965a06cdf9463ff3e2f9ebc49751eaf16b9bf030020f7521fd3270445e84
SHA1 hash: 9b42d740cfbe08dfcabd2a349c9d52ad2cf198dc
MD5 hash: 58769199d32d6816ef22149eee1d05f7
humanhash: rugby-avocado-aspen-mexico
File name:401kEmployee.lnk
Download: download sample
File size:2'602 bytes
First seen:2025-05-30 08:17:46 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 48:8y5aFTNXkF3cb6pLaMbLYmvfdJ9UnBWq:8y5YTmF3KWL7jGnz
Threatray 4 similar samples on MalwareBazaar
TLSH T16B5122341AF502EEF673C7B99BF573B34426FBD6CD224ABC108123451212510B4A7E76
Magika lnk
Reporter abuse_ch
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20220719.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20221102.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.Guinnesses.20221108.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68396c1eacf88f5815e8ec64
Tags:
ransomware shell agent
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive lolbin masquerade mshta powershell
Link:
https://www.filescan.io/uploads/683969d3fd02ed5e058ffa3b/reports/7fc15100-4b82-4b41-999c-c63e737eec55/overview
Verdict:
Malicious
Labled as:
BZC.YAX.Pantera.41
Link:
https://www.hybrid-analysis.com/sample/de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1702164
Signature
.NET source code contains potential unpacker
.NET source code contains suspicious base64 encoded strings
Creates processes via WMI
Encrypted powershell cmdline option found
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Uses threadpools to delay analysis
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1702164 Sample: 401kEmployee.lnk Startdate: 30/05/2025 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Windows shortcut file (LNK) starts blacklisted processes 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 9 other signatures 2->77 9 cmd.exe 1 2->9         started        12 powershell.exe 11 2->12         started        14 svchost.exe 2->14         started        process3 dnsIp4 79 Windows shortcut file (LNK) starts blacklisted processes 9->79 17 mshta.exe 16 9->17         started        20 conhost.exe 9->20         started        81 Encrypted powershell cmdline option found 12->81 83 Powershell drops PE file 12->83 22 powershell.exe 21 12->22         started        24 conhost.exe 1 12->24         started        59 127.0.0.1 unknown unknown 14->59 signatures5 process6 signatures7 61 Encrypted powershell cmdline option found 17->61 63 Creates processes via WMI 17->63 65 Uses threadpools to delay analysis 17->65 26 powershell.exe 17->26         started        30 powershell.exe 14 35 17->30         started        67 Windows shortcut file (LNK) starts blacklisted processes 22->67 69 Loading BitLocker PowerShell Module 22->69 32 mshta.exe 16 22->32         started        process8 dnsIp9 51 C:\Users\user\AppData\Roaming\g2m.dll, PE32 26->51 dropped 53 C:\Users\user\AppData\Roaming\aa.exe, PE32 26->53 dropped 85 Loading BitLocker PowerShell Module 26->85 35 aa.exe 7 26->35         started        39 conhost.exe 26->39         started        41 aa.exe 30->41         started        43 conhost.exe 30->43         started        55 54.226.224.138, 49692, 49693, 49694 AMAZON-AESUS United States 32->55 87 Creates processes via WMI 32->87 file10 signatures11 process12 dnsIp13 57 179.43.176.79, 443, 49704, 49706 PLI-ASCH Panama 35->57 47 C:\Users\user\AppData\Local\Temp\...\g2m.dll, PE32 35->47 dropped 49 C:\Users\user\7946dc3643\g2m.dll, PE32 35->49 dropped 45 WerFault.exe 41->45         started        file14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2/
Threat name:
Shortcut.Trojan.Pantera
Create hunting rule
Status:
Malicious
First seen:
2025-05-30 07:16:39 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3y2siwnhatcezv7iypjb3n7mm6npfdwceucqmdq33as4b5dbzhza._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
Similar samples:
10d9405548942090984d59adfffb9147189629080d9086598c31c7770a254505
2c43c7caf2f129267a73fc613776857950b362564857c7f8bc71a97455636953
3d1f7ac922633f3e90d22f392aa8c7e14e8dc4986ed4e33e1cef586e1dfbe774
a3db99c64b9a79ab584f3e8ec33ca604a6d3148570daec46d19e67546fe0ec4e
error
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250530-j7f9jaeq2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction:
http://54.226.224.138/core/coo.mp4
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Shortcut (lnk) lnk de352459a704c44cd7e8c3d21db7ec679af28ec22505060e1bd825c0f461c9f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3555489/
  
Delivery method
Distributed via web download

Comments