MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Guildma


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8
SHA3-384 hash: 0940ccdcf02b8e3de019adf20d04f788204220a58cd6b7aa26e1a7e056aabe201b2a428083fd4f408410cdf47f982e3a
SHA1 hash: 0492e81b162fb70e0a430c0ecf12852ffdadecd9
MD5 hash: 7f99129620ead5c871372b8c43cf1c2f
humanhash: florida-victor-muppet-six
File name:7f99129620ead5c871372b8c43cf1c2f.msi
Download: download sample
Signature Guildma
Create hunting rule
File size:262'144 bytes
First seen:2022-01-06 17:49:43 UTC
Last seen:2022-01-06 19:42:43 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 3072:d2spAtOImXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8iAWvK:d0tOIiRQYpgjpjew5LLyGx1qo83WC
Threatray 1'210 similar samples on MalwareBazaar
TLSH T139446B513BC9C13AD2AA063785BA9B66363A7D710B30D0CB77947D6C5E306D3EA39342
Reporter abuse_ch
Tags:Astaroth BRA geo guildma msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
727
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217586/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.17289.11746.29913.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/61d72bd002e388f9fdb08039/reports/89465e32-f5b4-425f-bf11-234e32c3b3f1/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/916426
Signature
Obfuscated command line found
Sigma detected: Suspicious MSHTA Process Patterns
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548904 Sample: 3m8nTk4psE.msi Startdate: 06/01/2022 Architecture: WINDOWS Score: 48 58 Sigma detected: Suspicious MSHTA Process Patterns 2->58 10 msiexec.exe 3 16 2->10         started        13 msiexec.exe 5 2->13         started        process3 file4 50 C:\Windows\Installer\MSIE0A4.tmp, PE32 10->50 dropped 52 C:\Windows\Installer\MSI985E.tmp, PE32 10->52 dropped 15 msiexec.exe 5 10->15         started        process5 signatures6 60 Obfuscated command line found 15->60 18 cmd.exe 1 15->18         started        20 expand.exe 4 15->20         started        23 icacls.exe 1 15->23         started        25 2 other processes 15->25 process7 file8 27 cmd.exe 1 18->27         started        29 conhost.exe 18->29         started        31 cmd.exe 2 18->31         started        46 C:\Users\user\AppData\...\systray.exe (copy), PE32+ 20->46 dropped 48 C:\...\ec30eed002e6ea4d99ac262ac5efffb5.tmp, PE32+ 20->48 dropped 33 conhost.exe 20->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        process9 process10 39 cmd.exe 1 27->39         started        process11 41 mshta.exe 18 39->41         started        44 conhost.exe 39->44         started        dnsIp12 54 62eirc.vidanocampo.cfd 104.21.80.208, 49775, 80 CLOUDFLARENETUS United States 41->54 56 www.cloudflare.com 104.16.123.96, 443, 49776 CLOUDFLARENETUS United States 41->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=du7drndd2lmy22vnxaij6inftfdl6zos2nk7pkwjexontszbepua._file
Verdict:
unknown
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
Guildma
1cfa7d9edcfe5a277e5c7f20e702a6b2cfd652e6f812b8203f5ed8fa9070994d
Guildma
2209c5dbbd235b1a48cdcc531f35b662e4d9fca6ddf89d099b45c2daf5d5487a
Guildma
5ecfe4ce56696312991f74569ffbe173a6dda8878dd2eb2c2ee109a4a4d4740f
Guildma
a0fb8417720da120c09f19ad62030bf1dc7f51b74326582f2f9d4488d426a800
Guildma
a155f3d9a75271823b77574f7d694db31ced6555cb6970c2b224f3ff5b0c80e7
Guildma
b722867f944bda8a47366c1f9086040b070bef872f595d9730f854f6304d6e5e
Guildma
d41295c513c151fa5a6a0afd777b1f6cd7d8b7c94af994e22d76f6c7b402f796
Guildma
+ 1'200 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220106-weld1abhcj/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.31
Link:
https://yomi.yoroi.company/submissions/1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217586/

Comments