MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1
SHA3-384 hash:	6becdaf9b9119c766eca4616d2bb0181c22faf3cff4d9abe3f30818224d28670c995c6c71f451aec1336fc90e7705916
SHA1 hash:	d6f60cc868d28352c7d3fcde9e4308fd771b035e
MD5 hash:	58ceaf1e01ae08be019837c3d3ff355c
humanhash:	bakerloo-paris-asparagus-ink
File name:	3_8_2_7442_13.11.2025.rar
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	2'921 bytes
First seen:	2025-11-13 09:10:23 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	48:ZSimupa1EYBd2OaD3BFzaWUzPEzJ3egiu35Yy+mlj0OOcM7vooqCPEDXveB53rhY:ZSdd2LX5UzszJ3egjGlgj0OA79J0e3ba
TLSH	T183515BDB7304F5EEB3688439DB3F635652141DE801ABCC627CE001AEB6C892EA44192A
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	apt CVE-2025-6218 CVE-2025-8088 gamaredon rar

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
File size:	3'580 bytes
SHA256 hash:	5c93b9b1fe5de1838c67941176851f5ab4222b2f6e75ef3c8312c15f2bcffecb
MD5 hash:	52de7ee0117d8b3256d8a2193a1b493c
MIME type:	text/html
Signature	Gamaredon

File name:	Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf
File size:	1'544 bytes
SHA256 hash:	4ce83c4209c55111c69b1c2506a7496068be56e5e507eac8f23e9e04cf901f65
MD5 hash:	f2195916410525d631a31447aa56c82f
MIME type:	text/plain
Signature	Gamaredon

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6915a08928ddbbca4d8db720

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6915a086f3256b221530bc2c/reports/8dcf22ec-068a-4ba6-9038-f9776c925a3e/overview

Verdict:

Suspicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1

Verdict:

Malicious

File Type:

rar

First seen:

2025-11-13T06:08:00Z UTC

Last seen:

2025-11-14T00:52:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Rar Archive

Link:

https://app.malva.re/file/58ceaf1e01ae08be019837c3d3ff355c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-13 09:11:21 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

5 of 24 (20.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ugbs5hcyxgz5gvlxl3fkmvt5s4t7ji446nzpvhd4fnbnoduy2dqq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

adware discovery spyware

Link:

https://tria.ge/reports/251113-lrsnqsbl4t/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample