MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212
SHA3-384 hash:	33b83c009414bec5f64098a7abc17c3370e8780e024a02c4b664b53a88cf574488d3b5496b2b7b9cd7cb0c338066f1ad
SHA1 hash:	44a521528a273da936b9e4bf240b1df9c63e0442
MD5 hash:	3765d9661e74897ee02dbbed8532c0ff
humanhash:	lamp-monkey-wisconsin-magnesium
File name:	Soporte_Tecnico_Nahuel.rar
Download:	download sample
File size:	8'650 bytes
First seen:	2026-03-05 09:44:25 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	192:1gUUl7ICOl7ICLl7ICol7ICTl7ICIBl7ICHl7ICxl7ICll7IC5l7IC6:1LUKrKyKRK6KNBKCKYKYKIK3
TLSH	T1B30250B6BBBD7288DC53B9B03DD2B607BE80BED13321BCE0145564F99E76A00A6645C1
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	smica83
Tags:	CVE-2025-6218 CVE-2025-8088 rar

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 2 file(s), sorted by their relevance:

File name:	CV_Nahuel_2026.pdf:.._.._.._.._.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_batiRAR.bat
File size:	819 bytes
SHA256 hash:	8db87462299efd43a0661a3b1eae50a953df7e0e375ed3c40f95cf929e0dc39a
MD5 hash:	7b5e9d021e8baacda5e3e6a75b29ea4a
MIME type:	text/html

File name:	CV_Nahuel_2026.pdf
File size:	1'655 bytes
SHA256 hash:	fcf03d9198158e32a763e695b44110f1df31953824acb73a949d2dda98c33c3e
MD5 hash:	dd9fdf03300e2aa86932feec72c3bbe1
MIME type:	application/pdf

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/aa1d02f8-ebd3-4d23-b1a6-d6e41c7a89fd/

Detection(s):

SecuriteInfo.com.Exploit.CVE-2025-8088.1.21975.21561.UNOFFICIAL

TwinWave.EvilRAR.GhettoSuperstream.20241120.UNOFFICIAL

TwinWave.EvilRAR.HongKongGarden_CVE-2025-8088.20250812.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a950bf002d37d5c983ef73

Tags:

n/a

Verdict:

Unknown

Threat level:

2.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/69a950c0c58f45aa75100a71/reports/d9f9f3b3-9263-4e2c-bb1c-4b9cd609fa2c/overview

Verdict:

Malicious

Labled as:

CVE-2025-8088

Link:

https://www.hybrid-analysis.com/sample/efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212

Verdict:

Malicious

File Type:

rar

Link:

https://opentip.kaspersky.com/efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212/results?tab=lookup

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212/

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2026-03-05 09:45:41 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=57gqf22hrrbtk3j22gda5ts4bxpbe2ec5oesvfvxkjvbnltx2ija._file

Result

Malware family:

n/a

Score:

10/10

Tags:

actor:romcom actor:storm_0978 adware apt discovery exploit pdf spyware vuln:cve_2025_8088

Link:

https://tria.ge/reports/260305-lyjpeafy2r/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/efcd02eb478c43356d3ad1860ece5c0dde126882eb892a96b7526a16ae77d212

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	SUSP_RAR_NTFS_ADS Create hunting rule
Author:	Proofpoint
Description:	Detects RAR archive with NTFS alternate data stream
Reference:	https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats

Rule name:	WinRAR_ADS_Traversal Create hunting rule
Author:	@bartblaze
Description:	Identifies potential ADS traversal in RAR archives, seen in vulnerabilities such as CVE‑2025‑6218 and CVE-2025-8088.
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

Rule name:	WinRAR_CVE_2025_8088_Exploit Create hunting rule
Author:	marcin@ulikowski.pl
Description:	Detects RAR archives exploiting CVE-2025-8088 in WinRAR
Reference:	https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample