MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5
SHA3-384 hash: 113744c44eaa36e269a76c88ef47f011a6f886451f786aab46c0db7d71a1c01b9923e4a89c8ce7b42625db3bfe6b3b08
SHA1 hash: 64f52ea043c6db806ea0038190b3f4f6c2668520
MD5 hash: b10989adfbee76c1b321ffe848d71c17
humanhash: ohio-mexico-oven-ink
File name:video 08.06.2026.mp4.lnk
Download: download sample
File size:1'592 bytes
First seen:2026-06-16 09:53:36 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8oWmHK0AtwnLK6iWUyAWPW5+/CWso3e1YHr8zFuXQFjOUoMNr4I0W84mQdc:8mWtQZURW4o3X1hBFIZI
TLSH T14431CC2027F1535DE6B7CA7EA8BB63205736FC11EA15DB8E0250554D4862610E8B4F2B
Magika lnk
Reporter smica83
Tags:lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
Link:
https://research.acce.ciphertechsolutions.com/results/91e2ab42-01fc-4b0d-a408-56eaf058a2ed/
Detection(s):
Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30517.LnkHeur.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.30537.LnkHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.DottedQuadDancingInHeaven.20220622.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.HTTPDottedQuadPolicykill.20220908.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a311d581a97308eef898f52
Tags:
shell agent sage
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5/results/dashboard
Payload URLs
URL
File name
http://93.190.247.238:4000/photo/6767sev67/get-photo?f=1&token=6767sev67';break
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
calc evasive masquerade powershell
Link:
https://www.filescan.io/uploads/6a311d610bddd27b6e073e52/reports/7e8776c7-2509-4319-876a-de4a2900d03b/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/LNK.NetLoader
Link:
https://www.hybrid-analysis.com/sample/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5
Verdict:
Malicious
File Type:
lnk
First seen:
2026-06-13T17:19:00Z UTC
Last seen:
2026-06-15T21:52:00Z UTC
Hits:
~10
Detections:
Trojan-Downloader.WinLNK.Agent.sb HEUR:Trojan.Multi.Powedon.c HEUR:Trojan.Multi.Powedon.a Trojan-Downloader.JS.Agent.a Trojan-Downloader.Agent.HTTP.C&C Trojan.Win32.Agent.sb NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C
Link:
https://opentip.kaspersky.com/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1928632
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1928632 Sample: video 08.06.2026.mp4.lnk Startdate: 16/06/2026 Architecture: WINDOWS Score: 96 48 Antivirus detection for URL or domain 2->48 50 Windows shortcut file (LNK) starts blacklisted processes 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 6 other signatures 2->54 8 powershell.exe 14 35 2->8         started        13 svchost.exe 2->13         started        15 Calculator.exe 2 2->15         started        process3 dnsIp4 42 93.190.247.238, 4000, 49681, 49682 LEASEWEB-NL-AMS-01NetherlandsNL Canada 8->42 38 C:\Users\user\AppData\...\i2qg02v4.cmdline, Unicode 8->38 dropped 56 Windows shortcut file (LNK) starts blacklisted processes 8->56 58 Bypasses PowerShell execution policy 8->58 60 Loading BitLocker PowerShell Module 8->60 17 powershell.exe 35 8->17         started        20 csc.exe 3 8->20         started        23 conhost.exe 1 8->23         started        25 calc.exe 12 8->25         started        44 127.0.0.1 unknown unknown 13->44 file5 signatures6 process7 file8 46 Loading BitLocker PowerShell Module 17->46 27 csc.exe 17->27         started        30 conhost.exe 17->30         started        36 C:\Users\user\AppData\Local\...\i2qg02v4.dll, PE32 20->36 dropped 32 cvtres.exe 1 20->32         started        signatures9 process10 file11 40 C:\Users\user\AppData\Local\...\gqhfexox.dll, PE32 27->40 dropped 34 cvtres.exe 27->34         started        process12
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5/
Verdict:
Malicious
Threat:
NetTool.PowerShellUA.HTTP
Link:
https://tip.neiki.dev/file/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-06-15 02:15:00 UTC
File Type:
Binary
AV detection:
10 of 36 (27.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7g2y3mukw7wqddxyuaeqyb2xbmgbqsgz7sl7zo43f4p546naps2q._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260616-lw7cpacv4t/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9b58db28ab7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9b58db28ab7ed018ef8a0090c07570b0c1848d9fc97fcbb9b2f1fde79a07cb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_Remcos_RAT
Create hunting rule
Author:daniyyell
Description:Detects Remcos RAT payloads and commands
Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:LNK_sospechosos
Create hunting rule
Author:Germán Fernández
Description:Detecta archivos .lnk sospechosos
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments