Bank_Security

Guildma: the Latin American Banking Trojan that targets Brazil exclusively.

Sep 14th, 2020
Indicators of Compromise (IoCs)

Hashes

| SHA-1 | Description | ESET detection name |
|---|---|---|
| 45c58bc40768dce6a6c611e08fd34c62441aa776 | Main module loader 1 | Win32/Spy.Guildma.BM |
| 861f20b0dcc55f94b4c43e4a7e77f042c21506cf | Main module injector | Win32/Spy.Guildma.BJ |
| 37fd19b1ab1dcc25e07bc96d4c02d81cf4edb8a1 | Main module loader 2 | Win32/Spy.Guildma.Q |
| a7b10b8de2b0ef898cff31fa2d9d5cbaae2e9d0d | Main module | Win32/Spy.Guildma.BS |
| 4f65736a9d6b94b376c58b3cdcb49bbd295cd8cc | Contacts stealer and form grabber | Win32/Spy.Guildma.D |
| 6c9304c5862d4e0de1c86d7ae3764f5e8358daff | RAT module (DLL) | Win32/Spy.Guildma.BR |
| 89fbffe456de850f7abf4f97d3b9da4bad6afb57 | RAT module (EXE) | Win32/Spy.Guildma.BR |
| af0d495ecc3622b14a40ddcd8005873c5ddc3a2d | MailPassView | Win32/PSWTool.MailPassView.E |
| 92bcf54079cbba04f584eac4486473c3abdd88cd | WebBrowserPassView | Win32/PSWTool.WebBrowserPassView.E |
| a2048f435f076988bf094274192a196216d75a5f | JScript dropper module | Win32/Spy.Guildma.BP |

Filenames

C:\Users\Public\Libraries\qlanl\*

Startup link

Location:
%APPDATA%\Microsoft\Programs\StartUp\reiast%USERNAME%%COMPUTERNAME%.lnk

Targets:
C:\Program Files (x86)\Internet Explorer\ExtExport.exe
C:\Program Files\Internet Explorer\ExtExport.exe

Args:
<install dir> <rand> <rand>
where <rand> is a random 5- to 9-character string drawn from the alphabet qwertyuiop1lgfdsas2dfghj3zcvbnmm

C&C servers

MITRE ATT&CK techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1193 | Spearphishing Attachment | Guildma's distribution chains start with a malicious email attachment. |
| Execution | T1073 | Rundll32 | Guildma uses rundll32.exe to execute its binary modules. |
| Execution | T1047 | Windows Management Instrumentation | Guildma abuses WMIC.exe to execute some of its distribution chain stages. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Guildma ensures persistence by creating a LNK file in the %STARTUP% folder. |
| Defense Evasion | T1197 | BITS Jobs | BITSAdmin.exe is used to download binary modules. |
| Defense Evasion | T1089 | Disabling Security Tools | Guildma disables Windows Defender. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Most Guildma modules must be decrypted after download. |
| Defense Evasion | T1073 | DLL Side-Loading | Guildma abuses ExtExport.exe for DLL side-loading. |
| Defense Evasion | T1096 | NTFS File Attributes | Guildma uses NTFS alternate data streams (ADS) to hide its modules on disk. |
| Defense Evasion | T1055 | Process Injection | Guildma uses process injection when executing its modules. |
| Defense Evasion | T1064 | Scripting | Guildma implements its distribution chain stages in various scripting languages (mainly JScript). |
| Defense Evasion | T1220 | XSL Script Processing | Guildma uses XSL script(s) in its distribution chains. |
| Credential Access | T1081 | Credentials in Files | Guildma extracts credentials that web browsers and email clients store in files. |
| Credential Access | T1214 | Credentials in Registry | Guildma extracts credentials that web browsers and email clients store in the Windows Registry. |
| Discovery | T1083 | File and Directory Discovery | Guildma uses the presence of certain files to determine whether banking and security tools are installed. |
| Discovery | T1010 | Application Window Discovery | Guildma uses window discovery to find and terminate older versions of itself and to detect when programs of interest (e.g. banking applications or web browsers) are running. |
| Discovery | T1063 | Security Software Discovery | Guildma detects the presence of several security products. |
| Discovery | T1082 | System Information Discovery | Guildma collects the OS version and bitness, computer name and system locale. |
| Discovery | T1497 | Virtualization/Sandbox Evasion | Guildma uses directory names, computer names, volume IDs and the existence of named objects to detect sandboxes and virtualized environments. |
| Collection | T1113 | Screen Capture | Guildma is capable of taking screenshots. |
| Command and Control | T1024 | Custom Cryptographic Protocol | New C&C addresses are encrypted with custom encryption algorithms. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Guildma uploads screenshots and log files to the C&C server. |
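As an added example (not part of this paste or of ESET's tooling), a small Python hunt that turns two of the host artifacts listed above into checks: the ExtExport.exe launch pattern `<install dir> <rand> <rand>` with its random-string alphabet, and the `reiast%USERNAME%%COMPUTERNAME%.lnk` startup link. The sample command lines and StartUp folder listing are constructed, and the function names are mine.

```python
import re

# Alphabet from which Guildma builds its random 5-9 character arguments (from the IoC list above).
RAND_ALPHABET = "qwertyuiop1lgfdsas2dfghj3zcvbnmm"
RAND_TOKEN = "[" + "".join(sorted(set(RAND_ALPHABET))) + "]{5,9}"
# ExtExport.exe is the DLL side-loading host; Guildma starts it as
#   ExtExport.exe <install dir> <rand> <rand>
EXTEXPORT_RE = re.compile(
    r'^"?(?:[^"]*\\)?extexport\.exe"?'       # optional (possibly quoted) full path
    r'\s+(?P<install_dir>"[^"]+"|\S+)'       # <install dir>, quoted or bare
    r'\s+(?P<r1>' + RAND_TOKEN + r')'        # first <rand>
    r'\s+(?P<r2>' + RAND_TOKEN + r')\s*$',   # second <rand>, then nothing else
    re.IGNORECASE,
)

def match_extexport_launch(cmdline):
    """Return (install_dir, rand1, rand2) for a Guildma-style ExtExport.exe launch, else None."""
    m = EXTEXPORT_RE.match(cmdline.strip())
    if not m:
        return None
    return (m.group("install_dir").strip('"'), m.group("r1"), m.group("r2"))

def expected_startup_lnk(username, computername):
    """Name of the persistence LNK Guildma drops in the StartUp folder for this user/host."""
    return f"reiast{username}{computername}.lnk"

def find_startup_lnk(startup_listing, username, computername):
    """Return entries of a StartUp folder listing that match Guildma's LNK name."""
    wanted = expected_startup_lnk(username, computername).lower()
    return [name for name in startup_listing if name.lower() == wanted]

def hunt(cmdlines, startup_listing, username, computername):
    """Run both checks over the collected data and return the findings."""
    return {
        "extexport_launches": [h for h in map(match_extexport_launch, cmdlines) if h],
        "startup_lnk": find_startup_lnk(startup_listing, username, computername),
    }

# Constructed sample input: process command lines (e.g. from Sysmon event ID 1) and a StartUp listing.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Internet Explorer\ExtExport.exe" C:\Users\Public\Libraries\qlanl qwe1l zcvbnm',
    r'C:\Program Files (x86)\Internet Explorer\ExtExport.exe "C:\Users\Public\Libraries\qlanl" 123gfd asdfghj3z',
    r'"C:\Program Files\Internet Explorer\ExtExport.exe"',      # no arguments: ordinary interactive use
    r'ExtExport.exe C:\Users\Public\Libraries\qlanl 4567 890x',  # digits 4-9, 0 and x are not in the alphabet
]
SAMPLE_STARTUP = ["desktop.ini", "OneDrive.lnk", "reiastalicePC01.lnk"]

if __name__ == "__main__":
    print(hunt(SAMPLE_CMDLINES, SAMPLE_STARTUP, "alice", "PC01"))
```

On a live host the same checks would be fed from process-creation telemetry and a listing of the StartUp folder named in the IoCs.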