MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0cbbb0d0b53509ccae1da6ea6f1b084c20d72e8723b98bb2aa5cced01f7b414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash: e0cbbb0d0b53509ccae1da6ea6f1b084c20d72e8723b98bb2aa5cced01f7b414
SHA3-384 hash: b84fe9a80be9823a5eeda6d06ddd1677b46102fa10c4013a4bda627d1f6096bc90f752747575a6375c3abc3bc58fd4ef
SHA1 hash: 19b1ec1802e3b2324eba7add6898026c99085699
MD5 hash: e7d14a301bef41d36f7de8b0a7fe523e
humanhash: arkansas-yankee-enemy-wisconsin
File name:e0cbbb0d0b53509ccae1da6ea6f1b084c20d72e8723b98bb2aa5cced01f7b414
Download: download sample
File size:1'032 bytes
First seen:2026-07-15 11:56:25 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 6:4xti9X3X3/lKolHKlFcnlj+SEEgykQLPfBMlpIoF6SaU/k1ARokJxt:8ol04QkCikQLhMbHFMf8
TLSH T10911C2251BCA4E00E2F5AB34BC38960119A87C6C8D314A8D0286195C0C26A209A75F36
Magika lnk
Reporter JAMESWT_WT
Tags:315ws-net booking ghanioilandgas-com lnk Spam-ITA v0hkpadr04mbz5lkearqa-com

Intelligence


File Origin
# of uploads :
1
# of downloads :
78
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Tags:
shell virus sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
File Type:
lnk
First seen:
2026-07-15T10:22:00Z UTC
Last seen:
2026-07-16T19:02:00Z UTC
Hits:
~10
Verdict:
Malware
YARA:
3 match(es)
Tags:
Batch Command DeObfuscated Execution: CMD in LNK Execution: PowerShell in LNK LNK LOLBin LOLBin:cmd.exe Malicious PowerShell PowerShell Call T1027 T1059.001 T1059.003 T1202: Indirect Command Execution T1204.002
Threat name:
Shortcut.Backdoor.AsyncRAT
Status:
Malicious
First seen:
2026-07-15 11:52:23 UTC
File Type:
Binary
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Execution_in_LNK
Author:@bartblaze
Description:Identifies execution artefacts in shortcut (LNK) files.
Rule name:PS_in_LNK
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_CMD
Author:SECUINFRA Falcon Team
Description:Detects the reference to cmd.exe inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments