MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b2a97d42b3da43843b8cbfc4fa53d954be3b041e853c9cd87bb37fe88a91573. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Guildma

Vendor detections: 6



SHA256 hash: 6b2a97d42b3da43843b8cbfc4fa53d954be3b041e853c9cd87bb37fe88a91573
SHA3-384 hash: 389ad8a9f66ceabd800781007e6876b6d14cc5520c2b99ffe15c80690c1cd040dc386483c7675c60b4e6bb072240629d
SHA1 hash: b2bc78f134535ffe5ee9ac5c1a4f6dd950d4c623
MD5 hash: cb26a2a0b3aedc740fb14a6061f36674
humanhash: mexico-missouri-undress-potato
File name: cb26a2a0b3aedc740fb14a6061f36674.msi
Signature: Guildma
File size: 278'528 bytes
First seen: 2021-12-04 09:35:20 UTC
Last seen: 2021-12-04 11:47:05 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 3072:5RspAtOImXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8JtU6Z62y:5DtOIiRQYpgjpjew5LLyGx1qo8/z
Threatray: 13 similar samples on MalwareBazaar
TLSH: T1C6446A613BC9C13AD2AA1636C9BA976626367C311B20D0CF7B903D6C5E317D3E939352
Reporter: abuse_ch
Tags: BRA geo guildma msi

Intelligence

File Origin
# of uploads: 2
# of downloads: 292
Origin country: n/a

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 75%
Tags: fingerprint packed packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 72 / 100
Signature
Antivirus detection for URL or domain
Obfuscated command line found
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Suspicious powershell command line found
Behaviour
Behavior Graph:
Behavior Graph ID 533856 (sample MPEtLYdhdk.msi, start date 04/12/2021, architecture WINDOWS, score 72). The graph image did not survive extraction; the process tree, dropped files, network contact and signatures it carried are laid out below, with nested entries being children of the process above them:

Sample-level signatures: Antivirus detection for URL or domain; Sigma detected: Mshta Spawning Windows Shell; Sigma detected: Suspicious MSHTA Process Patterns; 2 other signatures
  msiexec.exe
    dropped: C:\Windows\Installer\MSIE932.tmp (PE32)
    dropped: C:\Windows\Installer\MSIBA40.tmp (PE32)
    msiexec.exe
      signature: Obfuscated command line found
      cmd.exe
        signatures: Suspicious powershell command line found; Obfuscated command line found
        cmd.exe
          mshta.exe
            network: hkaais.abuletangles.us (104.21.22.210, ports 49754, 80, CLOUDFLARENETUS, United States)
            dropped: C:\Users\Public\Videos\...\in.exe (PE32)
            signature: Obfuscated command line found
            cmd.exe
              signature: Suspicious powershell command line found
              powershell.exe
                conhost.exe
                setupcl.exe
              conhost.exe
            cmd.exe
              dropped: C:\Users\Public\lw (ASCII)
              conhost.exe
            in.exe
              conhost.exe
            5 other processes
              conhost.exe (3 instances)
              2 other processes
        conhost.exe
        cmd.exe
      expand.exe
        dropped: C:\...\222503473aa49f4f93face39588a267f.tmp (PE32+)
        dropped: C:\Users\user\AppData\...\chkdsk.exe (copy) (PE32+)
        conhost.exe
          conhost.exe
      chkdsk.exe
        conhost.exe
      2 other processes
        conhost.exe (2 instances)
  msiexec.exe
Threat name: Win32.Trojan.Guildma
Status: Malicious
First seen: 2021-12-04 09:36:12 UTC
File Type: Binary (Archive)
Extracted files: 28
AV detection: 13 of 27 (48.15%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
