MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad
SHA3-384 hash:	e80588024d73acd09a3b3fcf4a1e76f0c6c7c01123417095218b0863318353aae43ee9d84244fc70b1158530f9b597db
SHA1 hash:	0818cab1d714a5c0e7d44392a28785dd826300b2
MD5 hash:	d9bc07e8ca61daa947b6ab41cfcd549d
humanhash:	ten-oscar-high-pizza
File name:	pussy.pdf.lnk
Download:	download sample
File size:	733'063 bytes
First seen:	2025-04-30 08:16:50 UTC
Last seen:	Never
File type:	lnk
MIME type:	application/x-ms-shortcut
ssdeep	24:8Ayw/BHYVKVWO+/CWR62fVTlP4HnLgMUPdd79dsoEZ/7QAMN5:8y5al62fVR2UPdJ9ha7Q
TLSH	T1C0F44C141BFA0328E3B3DB796CB677119C7BB816EE558F8D009141891835615F4B4F6F
Magika	lnk
Reporter	abuse_ch
Tags:	lnk

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL

Sanesecurity.Malware.30777.LnkHeur.UNOFFICIAL

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL

TwinWave.EvilLNK.Guinnesses.20220719.UNOFFICIAL

TwinWave.EvilLNK.Guinnesses.20221102.UNOFFICIAL

TwinWave.EvilLNK.Guinnesses.20221108.UNOFFICIAL

TwinWave.EviLNK.PolicyKillXLACreepin.20230609.UNOFFICIAL

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL

TwinWave.EvilLNK.KingForADaymshta.20231121.UNOFFICIAL

TwinWave.EvilLNK.LOLBinPaddedRoomFluteLoop.20220523.UNOFFICIAL

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6811e47ac8b2e86d0ac50ebd

Tags:

virus overt spawn

Result

Verdict:

Malicious

File Type:

LNK File - Malicious

Link:

https://app.docguard.net/ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad/results/dashboard

Payload URLs

URL

File name

https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2')

LNK File

Behaviour

BlacklistAPI detected

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive lolbin masquerade mshta powershell

Link:

https://www.filescan.io/uploads/6811dc8c218c4a98ade8ed7a/reports/fa262a53-7d63-47b6-a736-3dcdfe14cd54/overview

Verdict:

Malicious

Labled as:

BZC.YAX.Pantera.41

Link:

https://www.hybrid-analysis.com/sample/ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1677969

Signature

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Sigma detected: Potentially Suspicious PowerShell Child Processes

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Windows shortcut file (LNK) starts blacklisted processes

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad/

Threat name:

Shortcut.Trojan.Pantera

Status:

Malicious

First seen:

2025-04-29 22:11:01 UTC

File Type:

Binary

AV detection:

10 of 24 (41.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5rjoq2mspuqswvtccq6y6xqams2gltwxrgqhdtoavgnreqnyaswq._file

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/250430-j6sk6sxwgs/

Behaviour

Modifies Internet Explorer settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Blocklisted process makes network request

Malware Config

Dropper Extraction:

https://www.4sync.com/web/directDownload/MVSMFskQ/LO8xSpi2.62ec7135a2f4fdd6669b0320481d33d2

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	Large_filesize_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.

Rule name:	PS_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies PowerShell artefacts in shortcut (LNK) files.

Rule name:	SUSP_LNK_Big_Link_File Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects a suspiciously big LNK file - maybe with embedded content
Reference:	Internal Research

Rule name:	SUSP_LNK_Big_Link_File_RID2EDD Create hunting rule
Author:	Florian Roth
Description:	Detects a suspiciously big LNK file - maybe with embedded content
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

lnk ec52e869927d212b5662143d8f5e0064b465ced789a071cdc0a99b1241b804ad

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3530198/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample