MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gamaredon


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af
SHA3-384 hash: 9e289daeb9b4358eae8383f5df6059a8b97b11c9d18bd36292a831f7ae803d1f3f982f4c6dbd6029d313d7db9366b496
SHA1 hash: f27840c4e29401ab5e9b5d55a8e1af69ea049973
MD5 hash: 8315cdbef9807ceebde567728ac8a7a9
humanhash: one-three-spring-finch
File name:r9eVwGhe.hta
Download: download sample
Signature Gamaredon
Create hunting rule
File size:163'598 bytes
First seen:2025-11-23 15:38:56 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 3072:82esKiWoGidSREFqX7IHTmMUnS6eTrT0bkn046Gt3g0zcXqQZEveaXSjNZNvNwN6:9JKiUREFqJnSnrobkn046Gt3glZSNa
TLSH T17FF37D659F4931148ABA130295DE3CD673D2230AB9B29C9EB50CC4CDC6FB5E6D2CD0AD
Magika vba
Reporter M128BitOff
Tags:apt dropper gamaredon hta


Avatar
M128BitOff
This malware sample was downloaded from Gamaredons Payload Delivery Infrastructure in the following analysis:
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
FR FR
Vendor Threat Intelligence
Gathering data
Gathering data
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af/results/dashboard
Payload URLs
URL
File name
http://5.181.2.158
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive lolbin obfuscated wscript
Link:
https://www.filescan.io/uploads/69232aa65d3feebe12d8322f/reports/2dc31333-60fc-4613-aad1-75cb69b007d8/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader/VBS.NetLoader
Link:
https://www.hybrid-analysis.com/sample/aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af
Result
Gathering data
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af
Verdict:
Malware
YARA:
3 match(es)
Tags:
adodb.stream Base64 Block Contains Base64 Block Html msxml2.domdocument.3.0 msxml2.xmlhttp Scripting.FileSystemObject vbscript.regexp WScript.Shell
Link:
https://app.malva.re/file/8315cdbef9807ceebde567728ac8a7a9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af/
Verdict:
Malicious
Threat:
Worm.Script
Link:
https://tip.neiki.dev/file/aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vjlskmvldsfhght3umxjpoqyajuo52hgu5fcxhcnypx3m2pnxgxq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
adware defense_evasion discovery persistence ransomware spyware stealer
Link:
https://tria.ge/reports/251123-s3rddaxqgy/
Behaviour
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Badlisted process makes network request
Modifies visibility of file extensions in Explorer
Modifies visibility of hidden/system files in Explorer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Gamaredon

HTML Application (hta) hta aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af

(this sample)

  
Link
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/
  
Delivery method
Distributed via web download

Comments