MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Gamaredon

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22
SHA3-384 hash:	4479bf0d66b929da0b5a26bd87a9b883f6c23850a47ef5a4b1306f0ee258fa756044d4da758ffb8d4ba05a52d4cb8131
SHA1 hash:	adc6f1263c0bd44bcd7bb63be0c091bbbb010391
MD5 hash:	2a0ae8e52f0a7157505f06af5b04323b
humanhash:	william-zebra-helium-island
File name:	2_1_1_7755_12.11.2025.rar
Download:	download sample
Signature	Gamaredon Create hunting rule
File size:	2'234 bytes
First seen:	2025-11-13 07:26:19 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	48:ZS7Jw5El91Q6BYvv/b58nUu0eHBLYycClKiidEprbVw/6vowVI0:ZSG5EFQ6BCv/ds1rhVidEZ2/NwVI0
TLSH	T13D4129C7A0F9C983DB10B06B0B1B79A260411FA4E56EA789CE46508B90227D3E27C2C4
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	apt CVE-2025-6218 CVE-2025-8088 gamaredon rar

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf
File size:	1'378 bytes
SHA256 hash:	04cf7d194a9f3deb0e9e3c9232e09c47185faeebbf8ff8932e55fa8ce054d2a9
MD5 hash:	047cb26c6743c4a66f6e8a8d42bedc87
MIME type:	text/plain
Signature	Gamaredon

File name:	Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
File size:	5'626 bytes
SHA256 hash:	49c57c4d29ac80690be8b12f45c678d150fe93ced4e047290f890aa9aa01d504
MD5 hash:	c659295754895056d29e89027a117f8d
MIME type:	text/html
Signature	Gamaredon

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6915882160ebe843fe8da6bc

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/69158821c6d7cfd7f22147a9/reports/64a3a992-c857-43a1-bf22-007cc2d045ba/overview

Verdict:

Suspicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22

Verdict:

Malicious

File Type:

rar

First seen:

2025-11-12T16:49:00Z UTC

Last seen:

2025-11-13T01:40:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22/results?tab=lookup

Verdict:

inconclusive

YARA:

1 match(es)

Tags:

Rar Archive

Link:

https://app.malva.re/file/2a0ae8e52f0a7157505f06af5b04323b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22/

Threat name:

Win32.Trojan.Seheq

Status:

Malicious

First seen:

2025-11-12 22:55:21 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3h7mmgsldoyo4fmomwt45kgibgf7d2rbc4ujusgcv2pdoo5vbyra._file

Result

Malware family:

n/a

Score:

3/10

Tags:

adware discovery spyware

Link:

https://tria.ge/reports/251113-k1vn1saq5t/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample