MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97361a91ba80981ca549ed19b2e2b9250fed6231027cd15418578b3db76b02ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 97361a91ba80981ca549ed19b2e2b9250fed6231027cd15418578b3db76b02ab
SHA3-384 hash: 510da96664aeb670df23f5a3e2536e0a607e57394a7042d62705e67811d262baf83eb2ea8e4b1d9bfa6cc485612ab5d2
SHA1 hash: 2508e6326ec307d226d79c91e7e123e4a5b5e39e
MD5 hash: 5ae81a09156d61f9c5e05b3f00af5b60
humanhash: mountain-steak-florida-mirror
File name: 4_13_1_1389_28.04.2026.rar
File size: 101'162 bytes
First seen: 2026-05-13 15:31:32 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 768:DQrQaAvl5mHlN9tttttttttttttttttttttttttttttttttttttttttttttttttx:oY5mHMnXa
TLSH: T199A33B130366C8F8DC2F6C173A2C146A7941259036ED4F9AE9C7C69692DF0D63329FE2
TrID: 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
      38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika: rar
Reporter: smica83
Tags: CVE-2025-6218 CVE-2025-8088 rar

Intelligence

File Origin
# of uploads: 1
# of downloads: 71
Origin country: HU

Vendor Threat Intelligence
Verdict: Malicious
File Type: rar
First seen: 2026-05-13T07:40:00Z UTC
Last seen: 2026-05-13T14:25:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 1 match(es)
Tags: Rar Archive

Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2026-05-13 15:32:22 UTC
File Type: Binary (Archive)
Extracted files: 2
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

Rule name: SUSP_RAR_NTFS_ADS
Author: Proofpoint
Description: Detects RAR archive with NTFS alternate data stream
Reference: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name: WinRAR_CVE_2025_8088_Exploit
Author: marcin@ulikowski.pl
Description: Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference: https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments