MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 008af94fd04c55582d9d8d6547f1276c04523494b25e7ff8f8f1bdc444abf1e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gamaredon


Vendor detections: 6



SHA256 hash: 008af94fd04c55582d9d8d6547f1276c04523494b25e7ff8f8f1bdc444abf1e7
SHA3-384 hash: 28dc24f55f463c0a183566404d726363a4133961a115e896b9137270ce1410b7968039d77991c481cd80b4e1643415c2
SHA1 hash: 3f53dad341bc52fe433a27e2563a5f6ea433c036
MD5 hash: 9b1c9a813d94f161127099e9e0352e80
humanhash: pasta-orange-nitrogen-michigan
File name: payload.ps
Signature: Gamaredon
File size: 95'353 bytes
First seen: 2025-11-23 15:41:51 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 1536:+TdiOH1rl2E2TQT5iSCsl7SPtHpytFxvOSP9gdIqXtbhbcb5bsb7qMJywSV0GJ:SVrl2EtkJslctHpytFESP92HqMJUV0E
TLSH: T10D933A1B740312A48B1636C7C6873347DEA895793A362892F1319CA72917CB9FB4ED3D
Magika: vba
Reporter: M128BitOff
Tags: apt dropper gamaredon ps1


M128BitOff
This malware sample was downloaded from Gamaredon's Payload Delivery Infrastructure in the following analysis:
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/

Intelligence


File Origin
# of uploads: 1
# of downloads: 18
Origin country: FR

Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive masquerade obfuscated

Verdict: Malware
YARA: 1 match(es)
Tags: adodb.stream msxml2.domdocument.3.0 msxml2.xmlhttp Scripting.FileSystemObject VBScript vbscript.regexp WScript.Shell

Verdict: Malicious
Threat: Trojan-Downloader.VBS.SLoad

Threat name: Script-WScript.Trojan.Gamaredon
Status: Malicious
First seen: 2025-11-23 16:23:24 UTC
File Type: Text (VBS)
AV detection: 1 of 36 (2.78%)
Threat level: 5/5

Malware family: n/a
Score: 3/10
Tags: execution
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method   Signature   File type             SHA256
Web download      Gamaredon   PowerShell (PS) ps1   008af94fd04c55582d9d8d6547f1276c04523494b25e7ff8f8f1bdc444abf1e7 (this sample)

Delivery method: Distributed via web download

Comments