MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea
SHA3-384 hash:	5879951a441c50cbed1f51e1a54097709ee5a50cde5594a30a3939eaf69eebd9a9f3f247a6ce5e4ebcb62aea5a130fdb
SHA1 hash:	43dddc6f059d52c3446cd429f598ae220d5d8495
MD5 hash:	eaea21b33841a7b3e29657745d480886
humanhash:	johnny-double-fix-spring
File name:	11-967_10.11.2025.rar
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	5'003 bytes
First seen:	2025-11-11 11:23:30 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	96:ZS35R27WWvf2XsghrE6UzpokEa/j47hNz8B7nQ8H8MSbt5R3YVkXBYLle:oR277mX/hrEjzWkHb4778B7nPHLSbt5x
TLSH	T18AA17E87357A74B9FBA752745D474B420070A4313B923B56BDC3D8C882FA78F0E5C615
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	apt CVE-2025-6218 CVE-2025-8088 gamaredon rar UKR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
File size:	6'005 bytes
SHA256 hash:	0716db7ad22fc3f039848f0bd2ea3b8efaa8ad6b2e1ea4475631fc6e317d3d2b
MD5 hash:	5d793beeffc5d60d4bdb7d0cd35c5094
MIME type:	text/html
Signature	Gamaredon

File name:	Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf
File size:	9'419 bytes
SHA256 hash:	76884bb1338372a61b99fcb6f3a302d5260ced3292d012063ff5f20e0fb62474
MD5 hash:	e63fa3dab3ecbe02742598cfd4bba46f
MIME type:	text/plain
Signature	Gamaredon

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69131ce2e2c9ded75d795913

Tags:

n/a

Verdict:

Suspicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea

Verdict:

Malicious

File Type:

rar

First seen:

2025-11-10T12:15:00Z UTC

Last seen:

2025-11-12T01:47:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Rar Archive

Link:

https://app.malva.re/file/eaea21b33841a7b3e29657745d480886

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea/

Threat name:

Script-WScript.Trojan.Gamaredon

Status:

Malicious

First seen:

2025-11-10 17:50:16 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

5 of 23 (21.74%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kq34ppceeo4kzofgmrvmftktpeibvrz3maivjgzf6hgzlozthtva._file

Result

Malware family:

n/a

Score:

3/10

Tags:

adware discovery spyware

Link:

https://tria.ge/reports/251111-nmvzeatrcq/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample