MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f992f83b464365c6a80b7cb15c58cc42d10e3b9932f516891a11556c7b19b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Guildma


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8f992f83b464365c6a80b7cb15c58cc42d10e3b9932f516891a11556c7b19b1
SHA3-384 hash: 79d9748b6d71b1e2ba99be7e3ff199b0456b3c2b03082e32119eb3a51b87e12a34ab64c609077060a7296cadbae96649
SHA1 hash: 92610dd0a5ec9129dc2cad496a9a83903f87a0d2
MD5 hash: 41036f99a151a57d4f67d776a86085f9
humanhash: hydrogen-hydrogen-video-item
File name:41036f99a151a57d4f67d776a86085f9.msi
Download: download sample
Signature Guildma
Create hunting rule
File size:266'240 bytes
First seen:2022-01-07 07:09:03 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 3072:LnspAtOImXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8Uq0rU:LRtOIiRQYpgjpjew5LLyGx1qo8V0o
Threatray 1'218 similar samples on MalwareBazaar
TLSH T13D447B513BC9C13AD2AE063785BA9B66363A7D350B30D0CF77947D6C5E306D2AA39342
Reporter abuse_ch
Tags:Astaroth BRA geo guildma msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
714
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/217635/
Detection(s):
Win.Virus.Expiro-9932584-0
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/61d7e75002e388f9fdb23a6f/reports/3805f790-4be4-42ae-8df0-02bb1b35a23c/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a8f992f83b464365c6a80b7cb15c58cc42d10e3b9932f516891a11556c7b19b1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/916649
Signature
Obfuscated command line found
Sigma detected: Suspicious MSHTA Process Patterns
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 549127 Sample: LObVpM8cGX.msi Startdate: 07/01/2022 Architecture: WINDOWS Score: 48 58 Sigma detected: Suspicious MSHTA Process Patterns 2->58 10 msiexec.exe 3 16 2->10         started        13 msiexec.exe 5 2->13         started        process3 file4 50 C:\Windows\Installer\MSIE172.tmp, PE32 10->50 dropped 52 C:\Windows\Installer\MSIA1C7.tmp, PE32 10->52 dropped 15 msiexec.exe 5 10->15         started        process5 signatures6 60 Obfuscated command line found 15->60 18 cmd.exe 1 15->18         started        20 expand.exe 8 15->20         started        23 icacls.exe 1 15->23         started        25 2 other processes 15->25 process7 file8 27 cmd.exe 1 18->27         started        29 conhost.exe 18->29         started        31 cmd.exe 2 18->31         started        46 C:\Users\user\AppData\...\dllhst3g.exe (copy), PE32+ 20->46 dropped 48 C:\...\18eb4e515fe6a34986a559e03b2caeb5.tmp, PE32+ 20->48 dropped 33 conhost.exe 20->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        process9 process10 39 cmd.exe 1 27->39         started        process11 41 mshta.exe 18 39->41         started        44 conhost.exe 39->44         started        dnsIp12 54 27iogr.rodeioswebs.bond 172.67.203.153, 49744, 80 CLOUDFLARENETUS United States 41->54 56 www.cloudflare.com 104.16.124.96, 443, 49745 CLOUDFLARENETUS United States 41->56
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8f992f83b464365c6a80b7cb15c58cc42d10e3b9932f516891a11556c7b19b1/
Threat name:
Document-OLE.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2022-01-07 07:09:13 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
4 of 43 (9.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vd4zf6b3izbwlrvibn6lcxcyzrbncdr3tezpkfujdiivk3d3dgyq._file
Verdict:
unknown
Similar samples:
1d3e38b463d2d98d6aadb8109f21a59946bf65d2d355f7aac925dcd9cb2123e8
Guildma
2209c5dbbd235b1a48cdcc531f35b662e4d9fca6ddf89d099b45c2daf5d5487a
Guildma
6b2a97d42b3da43843b8cbfc4fa53d954be3b041e853c9cd87bb37fe88a91573
Guildma
78875d9967408207933d0b3bb72776791028f1f463573f8812e2ca6dbefce15c
Guildma
9233da098f6c171c69589dca2cb848c60c68de2f6720e4ac82ecd5feaedcfeed
Guildma
ed09f47bd911f8217f21abd8aab29a19703e997e5543d8a6b80662eeded0205a
Guildma
+ 1'208 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220107-hyvj5accgk/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.91
Link:
https://yomi.yoroi.company/submissions/a8f992f83b464365c6a80b7cb15c58cc42d10e3b9932f516891a11556c7b19b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/217635/

Comments