2021-12-23 (THURSDAY) - ASTAROTH/GUILDMA INFECTION FROM BRAZIL MALSPAM

NOTES:

ASSOCIATED FILES:


IMAGES


Shown above:  Screenshot of email with link for Astaroth/Guildma malware.



Shown above:  Downloading zip archive from link in the email.



Shown above:  Contents of the downloaded zip archive.



Shown above:  Web traffic generated from double-clicking the extracted Windows shortcut, filtered in Wireshark.



Shown above:  Saw over 6,000 DNS queries before getting the final two URLs in the web traffic.
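The burst of DNS queries noted above is a useful detection hook: a single host resolving thousands of names in a short span before settling on a final URL stands out from normal client behaviour. The script below is an added example and is not part of the original analysis or its associated files. It parses a constructed tshark-style export (tab-separated epoch timestamp, source IP and queried name; the rows, field layout, window size and threshold are all assumptions) and flags any source whose query count inside a sliding time window reaches the threshold, also reporting how many distinct names that burst contained, since a high unique-name count is what separates algorithmically generated lookups from a chatty but legitimate client.

```python
"""Flag hosts that issue an unusual burst of DNS queries inside a sliding time window."""
from collections import defaultdict, deque

# Constructed sample resembling `tshark -T fields -e frame.time_epoch -e ip.src -e dns.qry.name`.
# Host 10.12.23.101 fires 300 lookups for 300 different names within ~3 seconds;
# host 10.12.23.50 resolves one name every 5 seconds, which should not alert.
SAMPLE_DNS_LOG = "\n".join(
    [f"{1640000000.0 + i * 0.01:.3f}\t10.12.23.101\tsub{i}.lookup-example.invalid"
     for i in range(300)]
    + [f"{1640000000.0 + i * 5.0:.3f}\t10.12.23.50\tupdates.example.invalid"
       for i in range(10)]
)


def parse_dns_export(text):
    """Return a list of (timestamp, src_ip, query_name) from a tab-separated export.

    Malformed rows (wrong column count, non-numeric timestamp) are skipped rather
    than aborting the run, because real exports often carry a header or blank line.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        ts, src, qname = parts
        try:
            records.append((float(ts), src, qname.rstrip(".").lower()))
        except ValueError:
            continue
    return records


def find_query_bursts(records, window_seconds=60.0, threshold=200):
    """Sliding-window count of queries per source IP.

    Returns {src_ip: {"peak_queries": n, "unique_names": m}} for every source whose
    busiest window held at least `threshold` queries; m is the number of distinct
    names inside that busiest window.
    """
    by_src = defaultdict(list)
    for ts, src, qname in sorted(records):
        by_src[src].append((ts, qname))

    alerts = {}
    for src, events in by_src.items():
        window = deque()
        peak = 0
        peak_unique = 0
        for ts, qname in events:
            window.append((ts, qname))
            # Drop events that have aged out of the window.
            while window and ts - window[0][0] > window_seconds:
                window.popleft()
            if len(window) > peak:
                peak = len(window)
                peak_unique = len({q for _, q in window})
        if peak >= threshold:
            alerts[src] = {"peak_queries": peak, "unique_names": peak_unique}
    return alerts


if __name__ == "__main__":
    for src, info in find_query_bursts(parse_dns_export(SAMPLE_DNS_LOG)).items():
        print(f"{src}: {info['peak_queries']} queries in one window, "
              f"{info['unique_names']} distinct names")
```

With the window and threshold above, the 6,000-plus queries seen in this capture would trip the check immediately; in production the threshold should be tuned against a baseline of the network's normal per-host query rate, and the unique-name count is the field to sort alerts by.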



Shown above:  HTA file used during the infection process.



Shown above:  Text file with location of persistent malware.



Shown above:  Persistent malware and artifacts from the infection.



Shown above:  Shortcut in the user's Start Menu Startup directory keeps this infection persistent after signing off and/or rebooting.
