MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8acf437b17ed52cd7b37fd1a7ec7a9eccd7144cbb8e132d7f74b4afe7de0d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Kimsuky


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash: f8acf437b17ed52cd7b37fd1a7ec7a9eccd7144cbb8e132d7f74b4afe7de0d1b
SHA3-384 hash: 2b5e19843e2e0d0b10cbbe766652a9db6b24e76cec3ae26287a8b326c7ee2f24f9cb08ab23c0f9b02fde18ade2e5c4eb
SHA1 hash: f97b3c10c35608c5d2fa62ddaf680488c1e09e64
MD5 hash: 976bcd30d0d4ebc24049c85a77e66d29
humanhash: october-ink-fix-enemy
File name:unicorn_yuki.gif.lnk
Download: download sample
Signature Kimsuky
File size:161'861 bytes
First seen:2026-06-08 17:45:37 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 3072:RJZ1gQjIP2UkuF1qfXvLOv4OerZ6rCrFzfoRd02yj9bSL+Iy6d4:rnO2FuF1AKv41r9nb9bS5d4
TLSH T13FF3E13CB97ED377E0E4EE2205DD6443F1804AD93B2C996520D60A946F422EB70E676F
Magika lnk
Reporter smica83
Tags:Kimsuky lnk

Intelligence


File Origin
# of uploads :
1
# of downloads :
81
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Tags:
xtreme shell sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 encrypted evasive masquerade powershell
Verdict:
Malicious
File Type:
lnk
First seen:
2026-06-08T01:29:00Z UTC
Last seen:
2026-06-10T09:24:00Z UTC
Hits:
~10
Detections:
Trojan.WinLNK.Agent.sb Trojan.PowerShell.Cobalt.sb HEUR:Trojan.WinLNK.Powecod.e HEUR:Trojan.WinLNK.Agent.gen
Result
Threat name:
Kimsuky
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Leaks process information
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected Kimsuky
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1924605 Sample: unicorn_yuki.gif.lnk Startdate: 08/06/2026 Architecture: WINDOWS Score: 100 43 inini.kesug.com 2->43 45 suspended-domain.net 2->45 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Windows shortcut file (LNK) starts blacklisted processes 2->55 57 12 other signatures 2->57 9 wscript.exe 1 2->9         started        12 powershell.exe 11 2->12         started        signatures3 process4 signatures5 59 Windows shortcut file (LNK) starts blacklisted processes 9->59 61 Suspicious powershell command line found 9->61 63 Wscript starts Powershell (via cmd or directly) 9->63 69 3 other signatures 9->69 14 powershell.exe 39 9->14         started        65 Encrypted powershell cmdline option found 12->65 67 Found suspicious powershell code related to unpacking or dynamic code loading 12->67 18 powershell.exe 12->18         started        20 conhost.exe 1 12->20         started        process6 file7 41 C:\Users\user\AppData\Local\...behaviorgraphHjV6pw.ps1, HTML 14->41 dropped 73 Windows shortcut file (LNK) starts blacklisted processes 14->73 75 Suspicious powershell command line found 14->75 77 Loading BitLocker PowerShell Module 14->77 22 conhost.exe 14->22         started        24 cscript.exe 14->24         started        26 powershell.exe 14->26         started        28 powershell.exe 14 41 18->28         started        signatures8 process9 dnsIp10 47 inini.kesug.com 185.27.134.168, 49724, 49727, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 28->47 49 suspended-domain.net 15.197.240.20, 443, 49725, 49728 AMAZON-02-AmazoncomIncUS Canada 28->49 35 C:\Users\user\AppData\Local\...\wz7DgD4.ps1, HTML 28->35 dropped 37 C:\Users\user\AppData\Local\...\repQ8Ts.vbs, ASCII 28->37 dropped 39 C:\Users\user\AppData\Local\Temp\aes.js, ASCII 28->39 dropped 71 Loading BitLocker PowerShell Module 28->71 33 cscript.exe 1 1 28->33         started        file11 signatures12 process13
Gathering data
Threat name:
Win32.Trojan.Ravartar
Status:
Malicious
First seen:
2026-06-07 03:52:10 UTC
File Type:
Binary
Extracted files:
1
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery execution spyware
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Time Discovery
Drops file in Windows directory
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:High_Entropy_LNK
Author:@bartblaze
Description:Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.
Rule name:Large_filesize_LNK
Author:@bartblaze
Description:Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.
Rule name:PS_in_LNK
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments