2021-08-31 (TUESDAY) - ASTAROTH/GUILDMA INFECTION FROM BRAZIL MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2021-08-31-Astaroth-Guildma-IOCs.txt.zip 3.4 kB (3,366 bytes)
- 2021-08-31-Astaroth-Guildma-malspam-1637-UTC.eml.zip 32.1 kB (32,107 bytes)
- 2021-08-31-Astaroth-Guildma-infection-traffic.pcap.zip 4.5 MB (4,493,345 bytes)
- 2021-08-31-Astaroth-Guildma-malware-and-artifacts.zip 4.2 MB (4,240,710 bytes)
NOTES:
- Previous posts on this site for Astaroth/Guildma:
IMAGES:
- Screenshot from the email.
- Downloading a zip archive from the link in the email.
- Contents of the zip archive: a Windows shortcut designed to infect a vulnerable Windows host.
- Traffic from the infection filtered in Wireshark.
- Windows shortcut in the Startup menu used to keep the infection persistent.
- Artifact from the infection: a text file containing the path of the persistent malware.
- An .hta file used for the infection.
- More malware and artifacts from the infection.