MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gamaredon


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2
SHA3-384 hash: 8cea90a3ab830895f5e251d75108a78e998157609b626feb5f8f1c29bae121e3633026d3da25b7f469dfc8ec90f4d2f1
SHA1 hash: 6648e4e184cf142a077b07c20218dbc28bb2d8bd
MD5 hash: 4889dc9bfb84104435af466f8b1ad7ca
humanhash: berlin-grey-carpet-paris
File name:4_3_3_1365_22.11.2025.rar
Download: download sample
Signature Gamaredon
Create hunting rule
File size:4'760 bytes
First seen:2025-11-23 14:21:59 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 96:ZSAiq5Z4fAHg0cb6aK2vIijStXzAIk1IOzLMEloAyM96+xg9BEu:Zt5ZDk33Ii2JzApXMEloDM96Qju
TLSH T1ACA18F4F6F75E77E70A5087A1303E3862BB7EDB52CEAF41B3E941130025625B859558C
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter smica83
Tags:apt CVE-2025-6218 CVE-2025-8088 gamaredon rar UKR

Intelligence

File Origin
# of uploads :
1
# of downloads :
37
Origin country :
HU HU
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:Повістка про виклик підозрюваного_4_3_3_1365_22.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_4_3_3_1365_22.11.2025.HTA
File size:9'003 bytes
SHA256 hash: f7195f2f03347cab6e174f896bb7d029017a1882446e0b9832f93f704b0cab0a
MD5 hash: 43375924b549cd2d0670329672f5456c
MIME type:text/html
Signature Gamaredon
File name:Повістка про виклик підозрюваного_4_3_3_1365_22.11.2025.pdf
File size:1'321 bytes
SHA256 hash: ce3100d7b73cd718eb5b49c84ef4c189eeb83eeb0b3b315ad507b63f9c0e6fc2
MD5 hash: bd3aed5deffd35301d127a80fd24bcec
MIME type:text/plain
Signature Gamaredon
Vendor Threat Intelligence
Gathering data
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692318e4a59c70c97d69f01c
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6923189b7d011c9c3a488ed3/reports/870434eb-8b1a-423d-afa4-46b9163ceda6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2
Result
Gathering data
Verdict:
Malicious
File Type:
rar
First seen:
2025-11-22T16:50:00Z UTC
Last seen:
2025-11-23T03:45:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2/results?tab=lookup
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Rar Archive
Link:
https://app.malva.re/file/4889dc9bfb84104435af466f8b1ad7ca
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2/
Threat name:
Script-WScript.Trojan.Electryon
Create hunting rule
Status:
Malicious
First seen:
2025-11-22 21:46:21 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
5 of 36 (13.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z3tybbjemr6ajavqkhowuglh7v642p6r7cwusyd3wm3pvtxlj7ba._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
adware discovery spyware
Link:
https://tria.ge/reports/251123-tn8jsaylaw/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cee7808524647c0482b051dd6a1967fd7dcd3fd1f8ad49607bb336faceeb4fc2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:SUSP_RAR_NTFS_ADS
Create hunting rule
Author:Proofpoint
Description:Detects RAR archive with NTFS alternate data stream
Reference:https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
Rule name:WinRAR_CVE_2025_8088_Exploit
Create hunting rule
Author:marcin@ulikowski.pl
Description:Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
commented on 2025-11-23 17:41:59 UTC

This samples drops the following payload:

https://bazaar.abuse.ch/sample/1f8a3ec047e0f44f1f21e1e3f8af5ea32749ecac3e2bef4fc2ba1a2006934581/#file_info