Indicators of Compromise (IoCs)

Hashes

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 45c58bc40768dce6a6c611e08fd34c62441aa776 | Main module loader 1 | Win32/Spy.Guildma.BM |
| 861f20b0dcc55f94b4c43e4a7e77f042c21506cf | Main module injector | Win32/Spy.Guildma.BJ |
| 37fd19b1ab1dcc25e07bc96d4c02d81cf4edb8a1 | Main module loader 2 | Win32/Spy.Guildma.Q |
| a7b10b8de2b0ef898cff31fa2d9d5cbaae2e9d0d | Main module | Win32/Spy.Guildma.BS |
| 4f65736a9d6b94b376c58b3cdcb49bbd295cd8cc | Contacts stealer and form grabber | Win32/Spy.Guildma.D |
| 6c9304c5862d4e0de1c86d7ae3764f5e8358daff | RAT module (DLL) | Win32/Spy.Guildma.BR |
| 89fbffe456de850f7abf4f97d3b9da4bad6afb57 | RAT module (EXE) | Win32/Spy.Guildma.BR |
| af0d495ecc3622b14a40ddcd8005873c5ddc3a2d | MailPassView | Win32/PSWTool.MailPassView.E |
| 92bcf54079cbba04f584eac4486473c3abdd88cd | WebBrowserPassView | Win32/PSWTool.WebBrowserPassView.E |
| a2048f435f076988bf094274192a196216d75a5f | JScript dropper module | Win32/Spy.Guildma.BP |

Filenames

- `C:\Users\Public\Libraries\qlanl\*`

Startup link

Location:

- `%APPDATA%\Microsoft\Programs\StartUp\reiast%USERNAME%%COMPUTERNAME%.lnk`

Targets:

- `C:\Program Files (x86)\Internet Explorer\ExtExport.exe`
- `C:\Program Files\Internet Explorer\ExtExport.exe`

Args:

- `<install dir> <rand> <rand>` (where `<rand>` is a random string, 5 to 9 characters long, generated from the alphabet `qwertyuiop1lgfdsas2dfghj3zcvbnmm`)

C&C servers

- https://www.zvatrswtsrw[.]ml
- https://xskcjzamlkxwo[.]gq
- https://www.vhguyeu[.]ml
- https://www.carnataldez[.]ml
- https://www.movbmog[.]ga
- https://iuiuytrytrewrqw[.]gq
- https://www.gucinowertr[.]tk
- https://equilibrios[.]ga
- https://www.clooinfor[.]cf
- https://ambirsr[.]tk
- https://dbuhcbudyu[.]tk
- https://nvfjvtntt[.]cf
- http://whia7g.acquafufheirybveru[.]online

MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1193 | Spearphishing Attachment | Guildma distribution chains start with a malicious email attachment. |
| Execution | T1073 | Rundll32 | Guildma utilizes rundll32.exe to execute its binary modules. |
| | T1047 | Windows Management Instrumentation | Guildma abuses WMIC.exe to execute some of its distribution chain stages. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Guildma ensures persistence by creating a LNK file in the %STARTUP% folder. |
| Defense Evasion | T1197 | BITS Jobs | BITSAdmin.exe is used to download binary modules. |
| | T1089 | Disabling Security Tools | Guildma disables Windows Defender. |
| | T1140 | Deobfuscate/Decode Files or Information | The majority of Guildma modules need to be decrypted after downloading. |
| | T1073 | DLL Side-Loading | Guildma abuses ExtExport.exe for DLL side-loading. |
| | T1096 | NTFS File Attributes | Guildma utilizes ADS to hide its modules on disk. |
| | T1055 | Process Injection | Guildma utilizes process injection when executing its modules. |
| | T1064 | Scripting | Guildma implements its distribution chain stages in various scripting languages (mainly JScript). |
| | T1220 | XSL Script Processing | Guildma utilizes XSL script(s) in its distribution chains. |
| Credential Access | T1081 | Credentials in Files | Guildma extracts credentials stored by web browsers and email clients in files. |
| | T1214 | Credentials in Registry | Guildma extracts credentials stored by web browsers and email clients in the Windows Registry. |
| Discovery | T1083 | File and Directory Discovery | Guildma uses the presence of certain files to determine whether banking and security tools are installed. |
| | T1010 | Application Window Discovery | Guildma uses window discovery to find and terminate older versions of itself and to detect when interesting programs (e.g. banking applications or web browsers) are running. |
| | T1063 | Security Software Discovery | Guildma detects the presence of several security products. |
| | T1082 | System Information Discovery | Guildma collects OS version and bitness, computer name and system locale. |
| | T1497 | Virtualization/Sandbox Evasion | Guildma uses directory names, computer names, volume IDs, and the existence of named objects to detect sandboxes and virtualized environments. |
| Collection | T1113 | Screen Capture | Guildma is capable of taking screenshots. |
| Command and Control | T1024 | Custom Cryptographic Protocol | New C&C addresses are encrypted using custom encryption algorithms. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Guildma uploads screenshots and log files to the C&C server. |