MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1
SHA3-384 hash:	9869803aa28c2a480fbb5f672ca4a481e415ffcc90daf343f61db996b07c38e56c3279b77edb39021471b950dc268799
SHA1 hash:	feed25f1e0d291c154e4a7f3404cf7bcf9cd9601
MD5 hash:	0b1aff6971f999c1ffa3125608f093ab
humanhash:	mobile-kitten-video-skylark
File name:	2-3716-25_07.11.2025.rar
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	5'486 bytes
First seen:	2025-11-11 11:22:18 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	96:ZSlyNTrvTpxISQmdjX2b0aOQKw9X5KepGUhSoGVsbioiIlxmdNAwo1GvsSIFZ7:eWTTp+S1c0arKLePpGV+iIUAwoJSi
TLSH	T133B18C1DD0F81C64F800EA313B3BFDE9342FB551158289B256389606BEB123FE1B0699
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	apt CVE-2025-6218 CVE-2025-8088 gamaredon rar UKR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
File size:	7'802 bytes
SHA256 hash:	d101aff41ca5ead86bd9dfd53b4969e69ab31ae5ca31cf27ed44b90d66b9625a
MD5 hash:	9609197ae3c4e492e03850c8e11c3a99
MIME type:	text/html
Signature	Gamaredon

File name:	Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf
File size:	8'910 bytes
SHA256 hash:	0e0d2d2d286e835e13464c87bb70209aaea32994d916aa0bfbb10e2a391b8afc
MD5 hash:	d804b3f2e94afe10b3c6a3475f52e424
MIME type:	text/plain
Signature	Gamaredon

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69131ca4ac1ae236e1796145

Tags:

n/a

Verdict:

Suspicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1

Verdict:

Malicious

File Type:

rar

First seen:

2025-11-10T13:35:00Z UTC

Last seen:

2025-11-11T01:41:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Rar Archive

Link:

https://app.malva.re/file/0b1aff6971f999c1ffa3125608f093ab

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1/

Threat name:

Binary.Trojan.Gamaredon

Status:

Malicious

First seen:

2025-11-10 19:36:18 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

4 of 23 (17.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=egwv2bnehvmzwyrfzwedwebvn5fyzvdful6le5c5sdh2mxdm76qq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

adware discovery spyware

Link:

https://tria.ge/reports/251111-nmvzeatrcp/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample