MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gamaredon


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a
SHA3-384 hash: 6db69465c85ee1da4aeed1dd0c2ed83ae3b2692d93a7f09c29ba1a6ac8f2f7947ef41bf07cbcdf108fc0e8ed70b31e48
SHA1 hash: d6c608a135895ee8ae2f79701110d2062d83123f
MD5 hash: e7c3699066c48bad84262fa31d704e1f
humanhash: montana-idaho-venus-august
File name:1_11_2_1984_25.12.2025.rar
Download: download sample
Signature Gamaredon
Create hunting rule
File size:7'398 bytes
First seen:2025-12-25 18:11:05 UTC
Last seen:Never
File type: rar
MIME type:application/x-rar
ssdeep 192:vRxk0cTSfH16pgDA+pqLzq/Ti2YQXiCUst95RR4NN9l:v0dBAAWqvCTxxXTt9D2Njl
TLSH T123E1AF89EB6A59F9DABC20F6497DB8572A719B34787564F0418C08AD56CC4CF902EA00
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter smica83
Tags:CVE-2025-6218 CVE-2025-8088 gamaredon rar UKR

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
HU HU
File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:Передати засобами АСУ Дніпро_1_11_2_1984_25.12.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_.._Startup_1_11_2_1984_25.12.2025.HTA
File size:15'495 bytes
SHA256 hash: 2c69fd052bfaa03cd0e956af0f638f82bc53f23ee8d0c273e688e257dac8c550
MD5 hash: 9775cc2d5541f2b6692d09478f3fd047
MIME type:text/html
Signature Gamaredon
File name:Передати засобами АСУ Дніпро_1_11_2_1984_25.12.2025.pdf
File size:1'383 bytes
SHA256 hash: 9578822f7ea5f7aa608507a085913dbcb707e43f5a206a2dc44c0f7b79d29c20
MD5 hash: 8ba0ab21b59c2c9e09c586cd7b559c9d
MIME type:text/plain
Signature Gamaredon
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/e51f0ec7-b97b-402f-a597-54aa79fec032/
Detection(s):
TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL
Create hunting rule

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=694d7e4401c7b4a8fe55c3e4
Tags:
n/a
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/694d7e413f8fdbf8e95208f5/reports/74d35464-2d61-4ffd-9fd8-967e2b279296/overview
Verdict:
Malicious
Labled as:
CVE-2025-8088
Link:
https://www.hybrid-analysis.com/sample/9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a
Verdict:
Malicious
File Type:
rar
First seen:
2025-12-25T13:00:00Z UTC
Last seen:
2025-12-25T16:55:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a/results?tab=lookup
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Rar Archive
Link:
https://app.malva.re/file/e7c3699066c48bad84262fa31d704e1f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a/
Threat name:
Win32.Downloader.ShortSeek
Create hunting rule
Status:
Malicious
First seen:
2025-12-25 18:11:17 UTC
File Type:
Binary (Archive)
Extracted files:
3
AV detection:
8 of 24 (33.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ti7rlwvk7v25vrodvomvhc5cf6n4lgvkmmpa35oyjtxd5o5edrfa._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9a3f15daaafd75dac5c3ab99538ba22f9bc59aaa631e0df5d84cee3ebba41c4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:SUSP_RAR_NTFS_ADS
Create hunting rule
Author:Proofpoint
Description:Detects RAR archive with NTFS alternate data stream
Reference:https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
Rule name:WinRAR_CVE_2025_8088_Exploit
Create hunting rule
Author:marcin@ulikowski.pl
Description:Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments