MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978
SHA3-384 hash:	bdd12e56545ff6b66e410514ecf74369ad0b6f743b8622598c45259640f3ce4b8b2300514d012e7169cc8a298a95b7de
SHA1 hash:	aba431319baccb3290a8e1810ee0f9bf24ef2457
MD5 hash:	7280cfcbf0895f540a2a3be3e328e1f9
humanhash:	butter-pizza-september-comet
File name:	payload.ps
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	11'423 bytes
First seen:	2025-11-23 15:53:25 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	192:8tcL0Vu8Zi/1/tSAMbgLAq58f6gdV99BQeT0N0QevWwuEHJf4ibb0ycm:E/Zw1/tOb5k+2e2UoEpLncm
TLSH	T14D326D0DCB847F60EF744310915D1AA66B5AB91938F17D1DBE2B7EC57B8112A60740FC
Magika	vba
Reporter	M128BitOff
Tags:	apt dropper gamaredon powershell ps1

M128BitOff

This malware sample was downloaded from Gamaredons Payload Delivery Infrastructure in the following analysis:
https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6923350da59c70c97d6a07c9

Tags:

ransomware

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 masquerade obfuscated powershell

Link:

https://www.filescan.io/uploads/69233502f96b58f0dc80e7c7/reports/1d90e7a0-0d41-4f1f-aefd-0cd74b1999fc/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978

Result

Gathering data

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978

Verdict:

Malware

YARA:

2 match(es)

Tags:

Base64 Block Batch Command Contains Base64 Block DeObfuscated PowerShell PowerShell Call VBScript Wscript.Shell

Link:

https://app.malva.re/file/7280cfcbf0895f540a2a3be3e328e1f9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978/

Verdict:

Susipicious

Link:

https://tip.neiki.dev/file/f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6gssk46rdm565b2opuu4cxmvesjof5fhfyrbh7nze5gqkvozbf4a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

execution

Link:

https://tria.ge/reports/251123-tvzv8aylhz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: PowerShell

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Base64_Encoded_Powershell_Directives Create hunting rule

Rule name:	SUSP_PowerShell_Base64_Decode Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects PowerShell code to decode Base64 data. This can yield many FP

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)