MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gamaredon


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230
SHA3-384 hash: 30562d48585d89ae9c03346545160c07f0bb36535f180fc471f1760d7cf4fa5b10919f47bd4c090bb30a01c0496d5b49
SHA1 hash: f54d9c5f91179f6185cd0b6ece98765727600f3b
MD5 hash: f9e49180954587bea9a0049f69ff5aa3
humanhash: east-neptune-oscar-moon
File name:9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230.hta
Download: download sample
Signature Gamaredon
Create hunting rule
File size:168'541 bytes
First seen:2025-11-23 15:44:16 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:/5LzgAwEOpBNJl0sQ4zdoALK2hzgUtB1RbqWSfTINXrNFi2nYmxV:RLzgyOpBN1Xzdoc8SRbqW007+2nYmxV
TLSH T103F37D669E453124CBBA134295DE3D87B3D2134679B24C8EB11DC0CE82EF9E5E6C90BD
TrID 80.6% (.HTM/HTML) HyperText Markup Language with DOCTYPE (12501/2/4)
19.3% (.HTML) HyperText Markup Language (3000/1/1)
Magika vba
Reporter M128BitOff
Tags:apt dropper gamaredon hta


Avatar
M128BitOff
This malware sample was downloaded from Gamaredons Payload Delivery Infrastructure in the following analysis:
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/

Intelligence

File Origin
# of uploads :
1
# of downloads :
27
Origin country :
FR FR
Vendor Threat Intelligence
Gathering data
Gathering data
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230/results/dashboard
Payload URLs
URL
File name
http://5.181.2.158
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230
Result
Gathering data
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230/results?tab=lookup
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230
Verdict:
Malware
YARA:
3 match(es)
Tags:
adodb.stream Base64 Block Contains Base64 Block Html msxml2.domdocument.3.0 msxml2.xmlhttp Scripting.FileSystemObject vbscript.regexp WScript.Shell
Link:
https://app.malva.re/file/f9e49180954587bea9a0049f69ff5aa3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230/
Verdict:
Malicious
Threat:
Worm.Script
Link:
https://tip.neiki.dev/file/9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230
Threat name:
Script-WScript.Trojan.Gamaredon
Create hunting rule
Status:
Malicious
First seen:
2025-11-23 15:46:02 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
2 of 36 (5.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7bkerzrhmdy26kudg35dr6azwihueb2jrsoxk3ms3o3poky2iya._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware defense_evasion discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/251123-s612zstjgn/
Behaviour
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Badlisted process makes network request
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gamaredon

HTML Application (hta) hta 9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230

(this sample)

Gamaredon

PowerShell (PS) ps1 7f467084343ca7986a188108390c1de3c98bb211e304cc4bc700125c1ea495f6

  
Link
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 7f467084343ca7986a188108390c1de3c98bb211e304cc4bc700125c1ea495f6
  
Dropping
MD5 8f235f4138a3362a67caee9ff82a4fc4

Comments