MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962
SHA3-384 hash:	eea745a3fe4770cd0c8c8d5c8df25a85c88d19e63e2dfa85dee6eabf80a1a293cf499d21b8ea2ad01a3874804bf30a17
SHA1 hash:	0ada93211e6ba261dab75ed5ed51cc74ae07c0d1
MD5 hash:	2dc45dee7eea5e99951d9fc21f2491bd
humanhash:	charlie-fillet-indigo-mango
File name:	Повідомлення 4726-49.rar
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	822'102 bytes
First seen:	2026-06-08 11:37:24 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:MGQVK2dBJAq8EowLRp5BP88HeJ+wsgr6CkU0O5X1n45G11pRPsqY:BQXBJAqDfLRp5BP8IDO+CkU/X14527Y
TLSH	T15F0533A792E837E2F64D0D39697CFD71FA8661865C503A8083896677E8083C7ACD7D50
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	apt CVE-2025-6218 CVE-2025-8088 gamaredon rar UKR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

GiftedCrook LNK

Details

Link:

https://research.acce.ciphertechsolutions.com/results/f491574c-a7d0-4765-bd83-122995898148/

Detection(s):

SecuriteInfo.com.RAR.CVE-2025-8088.94778397.UNOFFICIAL

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a26a98a3e9eff6a6b68cb1f

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/6a26a97b1f652d68656e870c/reports/1997de3f-2b9a-44dd-be59-d215775a1cb2/overview

Verdict:

Malicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962

Verdict:

Malicious

File Type:

rar

First seen:

2026-06-07T14:02:00Z UTC

Last seen:

2026-06-07T14:09:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962/

Threat name:

Win32.Trojan.Ravartar

Status:

Malicious

First seen:

2026-06-07 18:16:38 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zpuj7wt7iqtf5pam66qdacr4uxliejiwdqrkfh7rs3mfxdfbffra._file

Result

Malware family:

n/a

Score:

3/10

Tags:

adware discovery link pdf spyware

Link:

https://tria.ge/reports/260608-rdkc4aew9l/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/cbe89fda7f44265ebc0cf7a0300a3ca5d68225161c22a29ff196d85b8ca12962

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_ADS_Traversal Create hunting rule
Author:	@bartblaze
Description:	Identifies potential ADS traversal in RAR archives, seen in vulnerabilities such as CVE‑2025‑6218 and CVE-2025-8088.
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample