{
	"id": "0de442f1-2dd0-4b6d-9b23-646db5c571cb",
	"created_at": "2026-04-06T00:21:48.425846Z",
	"updated_at": "2026-04-10T03:22:09.474727Z",
	"deleted_at": null,
	"sha1_hash": "0edcc1847560ec4fa24136b20be2abaa1ba773ca",
	"title": "Grandoreiro: How engorged can an EXE get?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 812829,
	"plain_text": "Grandoreiro: How engorged can an EXE get?\r\nBy ESET Research\r\nArchived: 2026-04-05 14:04:23 UTC\r\nIn this installment of our series, we introduce Grandoreiro, a Latin American banking trojan targeting Brazil, Mexico,\r\nSpain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards\r\na modular architecture.\r\nWe have seen Grandoreiro being distributed solely through spam. The authors usually utilize a fake Java or Flash\r\nupdate, but recently, perhaps unsurprisingly, we have observed their spam abusing the fear around COVID-19 as well.\r\nWe have named this malware family based on its most notable characteristic – its binaries being bloated to at least a\r\nfew hundred megabytes. Its development is quite rapid and feature changes and additions are happening very often. In\r\nthis blogpost, we will focus on the most noteworthy.\r\nCharacteristics\r\nGrandoreiro is another Delphi-written Latin American banking trojan we have identified during our research.\r\nGrandoreiro has been active at least since 2017 targeting Brazil and Peru, expanding to Mexico and Spain in 2019\r\n(see Figure 1 for a current detection heat map). The fact that it attacks its victims by displaying fake pop-up windows\r\nthat try to persuade victims to divulge sensitive information should come as no surprise to anyone who has read the\r\nprevious pieces in the series.\r\nFigure 1. 
Heat map showing ESET's detections of Grandoreiro.\r\nhttps://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/\r\nPage 1 of 13\n\nGrandoreiro, as with any other Latin American banking trojan, employs backdoor functionality, being capable of:\r\nmanipulating windows\r\nupdating itself\r\ncapturing keystrokes\r\nsimulating mouse and keyboard actions\r\nnavigating the victim’s browser to a chosen URL\r\nlogging the victim out or restarting the machine\r\nblocking access to chosen websites\r\nPersistence is ensured by creating a .LNK file in the Windows startup directory. Of importance is the fact that\r\nGrandoreiro uses the same algorithm for decrypting its internal strings as Casbaneiro. We believe this is due to\r\ninformation sharing between authors of banking trojans in Latin America.\r\nGrandoreiro collects the following information about its victims:\r\ncomputer name\r\nusername\r\noperating system version and bitness\r\nwhether Diebold Warsaw GAS Tecnologia (an application, popular in Brazil, to protect access to online\r\nbanking) is installed\r\nlist of installed security products\r\nIn some versions, it also steals credentials stored in the Google Chrome web browser and data stored in Microsoft\r\nOutlook.\r\nThe authors of Grandoreiro seem to be developing the banking trojan very rapidly, as we observe at least several new\r\nversions each month. We also suspect they are developing at least two variants simultaneously.\r\nThe authors seem to focus mainly on two areas. The first is hiding the actual C\u0026C address using the Domain\r\nGeneration Algorithm (DGA) described in the next section. The second is making the banking trojan modular. This is an\r\ninteresting approach as the authors first introduced separate Delphi forms for each bank targeted (which is quite\r\ncommon), but lately even created separate DLLs for each targeted bank. 
We have not seen this approach in any other\r\nLatin American banking trojan we have analyzed.\r\nDGA\r\nGrandoreiro’s DGA uses two strings (prefix and suffix) hardcoded in the binary and the local date as inputs. Those\r\nvalues are processed by a simple algorithm yielding a result in the form https://sites.google[.]com/view/%DATA%,\r\nwhere %DATA% is the generated string (we provide pseudocode in Figure 2). The C\u0026C domain and port are used as\r\nthe site title, as you can see in Figure 3. Note that based on the DGA, a different website is required for each day. We\r\nhave observed some variants also using a custom base64 alphabet.\r\nimport base64\r\nfrom datetime import date\r\n\r\ndef dga(prefix, suffix):\r\n    # the local date is the only variable input, so the generated URL changes once a day\r\n    ts = date.today()\r\n    mid_data = \"%02d/%02d/%04d\" % (ts.day, ts.month, ts.year)\r\n    # the 10-byte date string always encodes to 16 base64 characters ending in \"==\"\r\n    mid_data = base64.b64encode(mid_data.encode()).decode()\r\n    mid_data = mid_data.replace(\"==\", \"\")\r\n    return \"https://sites.google.com/view/\" + prefix + mid_data + suffix\r\nFigure 2. Pseudocode of Grandoreiro’s DGA\r\nFigure 3. Example of a Google site set up by authors of Grandoreiro (translation: “Title of your page”)\r\nConfiguration data\r\nIn older versions of Grandoreiro, there was a small .ini file distributed alongside the banking trojan that served as a\r\nprimitive configuration file, containing only a version identifier and an index into a table in the binary that decided\r\nwhich C\u0026C server should be used.\r\nLately, the configuration mechanism has been changed and is now stored in the Windows Registry at\r\nHKCU\\Software\\ under keys with names like %USERNAME% and ToolTech-RM. 
Those names, as well as the\r\nnames of values they contain, change frequently, but the information contained consists of:\r\nan identifier unique for each victim (generated via CoCreateGuid API)\r\nexecutable name and path\r\ngeolocation of the victim (retrieved via http://ipinfo.io/json)\r\nstrings necessary for creating and deleting the startup .LNK file\r\nnotes specific to the victim device (the C\u0026C operator supplies these, if any, via a backdoor command)\r\nflags to indicate an action has already been performed, such as\r\nstealing Google Chrome stored credentials\r\nstealing Outlook data\r\nC\u0026C communication\r\nGrandoreiro implements communication with its C\u0026C server using the RealThinClient SDK. This component uses a\r\nprotocol that operates over HTTP. After connecting to the server, Grandoreiro performs a handshake and then\r\nperiodically checks for commands every few seconds. If the trojan misses a check, the server drops the connection.\r\nAs we described in our Botconf presentation in December 2019, and as reported recently by SonicWall, there is a very\r\ninteresting thing about the first “command” received from the C\u0026C server. It is always a list of all currently connected\r\nvictims, including all the collected information about their machines, as you can see in Figure 4. Note that not all the\r\nvictims are identified by a string with the same format. Due to Grandoreiro’s rapid development, this string changes\r\nquite often, but victims compromised with different variants still connect to the same C\u0026C server.\r\nFigure 4. C\u0026C server responding to initial Grandoreiro connection with a list of currently connected victims.\r\nDistribution\r\nSpam seems to be the sole distribution method for Grandoreiro. The spam emails appear to contain a link pointing to a\r\nwebsite offering fake Flash or Java updates (see Figure 5). 
Notice the red arrow in the lower left corner tailored for the\r\nGoogle Chrome web browser, but displayed in other browsers too. We have seen Grandoreiro abusing the fear around\r\nCOVID-19 as well (see Figure 6), as we already announced on our @ESETresearch Twitter account.\r\nFigure 5. Fake Flash (left) and Java (right) update websites (the left checkbox states that the user agrees with terms\r\nand conditions; the text on the right urges the user to install the latest version of Java to avoid issues with security\r\nand vulnerabilities)\r\nFigure 6. Fake COVID-19 website. Clicking the video leads to the ZIP archive being downloaded (translation:\r\n\"Construction of 2 hospitals in 7 days: accelerated video shows construction of hospital in China in 7 days\")\r\nUnlike the majority of Latin American banking trojans, Grandoreiro utilizes quite small distribution chains. For\r\ndifferent campaigns, it may choose a different type of downloader, as we illustrate in Figure 7. These downloaders are\r\noften stored on well-known public online sharing services such as GitHub, Dropbox, Pastebin, 4shared and 4Sync.\r\nFigure 7. Possible ways that Grandoreiro distribution chains may appear (different colors show different paths the\r\nchain may take). 
The final ZIP archive may be encrypted and in some cases also protected by a password.\r\nThe final payload is a ZIP archive that is usually encrypted by the algorithm shown in Figure 8 and, in a significant\r\nnumber of cases, we saw it being password-protected as well.\r\ndef decrypt_archive(data_enc, key):\r\n    # data_enc: raw bytes of the downloaded archive; key: 32-bit integer key\r\n    data_dec = list()\r\n    for (i, c) in enumerate(data_enc):\r\n        # each byte is XORed with the low byte of the inverted key, shifted by the byte index (mod 32)\r\n        d = c ^ (~(key \u003e\u003e (i % 32))) \u0026 0xFF\r\n        data_dec.append(d)\r\n    return data_dec\r\nFigure 8. Pseudocode of the archive decryption algorithm used by Grandoreiro\r\nDistributing the final payload in a ZIP archive is very common among these banking trojans, but in the case of\r\nGrandoreiro, it holds extra importance, as you will see in the next section.\r\nBinary padding\r\nThe vast majority of Grandoreiro samples utilize a very interesting application of the binary padding technique. This\r\ntechnique is all about making the binaries large and we have seen it being used even by more sophisticated malware.\r\nWe have also observed some other Latin American banking trojans employing it occasionally, but only in the simplest\r\nform of appending a large amount of junk at the end of the binary.\r\nGrandoreiro chooses a different approach – a simple, yet very effective one. The resources section of the PE file is\r\naugmented by (usually 3) grande BMP images, making each binary at least 300 MB in size. Notice in Figure 9 that\r\nthe size of the whole EXE is 425 MB, yet the size of the code is only 4 MB and the size of the .rsrc section 419 MB\r\n(98.5% of the total size). After examining the contents of the .rsrc section, we see three images with sizes of 112 MB,\r\n112 MB and 105 MB respectively (taking up 78.5% of the section size). We provide examples of such images in\r\nFigure 10.\r\nFigure 9. Details of a Grandoreiro binary. Several Grandoreiro binaries are shown in the image on the left. 
The rest\r\nshow details of one such binary.\r\nFigure 10. BMP images used by Grandoreiro for binary padding. Their artistic “style” suggests the malware’s\r\nauthors create them manually.\r\nBecause of the structure of those BMP files, compressing the binary into a ZIP archive yields a file of only a few MB,\r\nmaking it much easier to distribute the payload. The BMP files seem to change frequently, most likely to avoid\r\ndetection. The images shown in Figure 10 come from three different builds of Grandoreiro. The visible similarities\r\nlead us to believe the authors update the images manually.\r\nLet us look at the possible outcomes of this technique because, even though it is very simple, it is surprisingly\r\neffective. The upload file size limit on VirusTotal was changed to 550 MB during 2019, but used to be 256 MB, so a\r\nvictim was unable to scan the file using that platform. Working with such a huge file is harder in general, making any\r\nautomated or manual analyses much slower. At the same time, it is very hard to get rid of these large images while\r\nkeeping a valid PE file, and by discarding the whole .rsrc section, interesting information such as the fake pop-up\r\nwindows is lost.\r\nSelf-protection \u0026 anti-emulation\r\nFor a Latin American banking trojan, Grandoreiro utilizes a surprisingly large number of tricks to evade detection and\r\nemulation. In this section, we talk about the most notable ones that appeared in several recent versions we have\r\nanalyzed.\r\nDiebold Warsaw GAS Tecnologia and Trusteer are known banking access protection software popular in Latin\r\nAmerica. 
Every banking trojan described so far in our series has implemented some sort of check for these programs.\r\nGrandoreiro is no exception, by\r\nhooking the LdrLoadDll and LoadLibrary(Ex) APIs to prevent loading DLLs belonging to those products\r\nchecking if any of those modules are already loaded\r\ntrying to kill their running processes (based on process names)\r\nblocking Diebold Warsaw on the firewall level\r\ntrying to break Trusteer by changing its file system path (see Figure 11)\r\nchanging ACLs on the main Trusteer binary by running this command twice:\r\ncacls \"%PROGRAM_DATA%\\Trusteer\\Rapport\\store\\exts\\RapportCerberus\\baseline\\RapportGH.dll\" /T /E /C /P user:perm\r\nwith user:perm set to Todos:N and then Everyone:N\r\nFigure 11. Simple BAT script used by Grandoreiro to change Trusteer file path in hopes of making it unable to execute\r\nBesides that, it also monitors hooks on important functions. If such a function starts with 0xE9 (assembly opcode for\r\nthe jmp instruction), the trojan reloads the function from the corresponding library. Based on window and process\r\nnames, it also checks for tools like RegMon, RegShot, Wireshark and Process Explorer. It tries to avoid being\r\ndebugged by calling the IsDebuggerPresent API and setting up a hook via SetWindowsHookEx that returns\r\nERROR_ACCESS_DENIED on the WH_DEBUG event.\r\nGrandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on\r\nregistering a binary as the default handler for .MSC files and then running such a file. By doing so, the binary will be\r\nexecuted with elevated privileges. This technique no longer works on patched systems due to a fix released in 2017.\r\nFinally, Grandoreiro detects two virtual environments – VMWare via its special I/O port and Virtual PC via the vpcext\r\ninstruction. 
Both methods are described in detail here (techniques 1 and 2).\r\nSpam tool\r\nDuring our investigation, we discovered a tool used for Grandoreiro’s spam campaigns. It is not a tool that\r\nautomatically registers large numbers of email accounts, as in the case of Amavaldo and Casbaneiro; it is actually\r\nused to create and send the spam messages. It does so by utilizing the EASendMail SDK.\r\nBesides its main purpose, the tool sets up persistence using the Windows Registry Run key and disables UAC. The\r\nmost probable scenario is that the attackers distribute this tool to some victims via Grandoreiro.\r\nA small backdoor component is included and used to receive configuration files. Those files dictate what the emails\r\nwill look like, what they will point to or where to send them. We provide a complete list of the configuration files and\r\ntheir purpose in Table 1.\r\nTable 1. List of configuration files used by Grandoreiro's spam tool\r\nFilename | Purpose | Description\r\nID.txt | None | Seems not to be used for the spam emails\r\nhtml.txt | Email body template | Template for the email body (including placeholders; those are replaced by values from other config files)\r\nassunto.txt | Subject template (assunto = subject) | Template for the subject (similar to html.txt for the email body)\r\nnomes.txt | List of fake names | Replaces the [NOME] placeholder in the templates\r\nlink.txt | List of malicious URLs | The email will link to one of these\r\nlista.txt | List of recipients | The email will be sent to all of these\r\nlogin.txt | List of usernames | Information required to log into the email account that will be used to send the emails\r\nsenha.txt | List of passwords | Information required to log into the email account that will be used to send the emails (same as login.txt)\r\nsmtp.txt | SMTP server address | Information required to log into the email account that will be used to send the emails (same as login.txt)\r\nAs you can see, the tool is not fully automated, but relies completely on the configuration data. 
This shows a lower\r\nlevel of sophistication. Its implementation shows similarities with the Grandoreiro banking trojan, which is why we\r\nbelieve it was written by the same authors.\r\nConclusion\r\nIn this installment of our series, we have focused on Grandoreiro, a Latin American banking trojan known to target\r\nBrazil, Mexico, Spain and Peru. We have mentioned aspects that are typical for that type of banking trojan, such as\r\nbeing written in Delphi, containing backdoor functionality, targeting Latin America and using fake pop-up windows to\r\nattack its victims.\r\nA novel feature of Grandoreiro is its great effort to evade detection. That includes many techniques to detect or even\r\ndisable banking protection software. It also utilizes a very specific application of the binary padding technique we\r\nhave not seen before that makes it hard to get rid of the padding while keeping a valid file.\r\nSpam appears to be the exclusive distribution method for Grandoreiro. The emails contain a link that points victims to\r\nfake websites set up by the operators. While they usually use simple mechanisms such as fake Flash or Java updates,\r\nwe have seen them exploiting the current fear of COVID-19 as well.\r\nGrandoreiro shows similarities with other banking trojans previously described in this series, mainly Casbaneiro, with\r\nwhich it shares the string decryption algorithm.\r\nFor any inquiries, contact us at threatintel@eset.com. 
Indicators of Compromise can also be found in our GitHub\r\nrepository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nGrandoreiro banking trojan\r\nSHA-1 | Description | ESET detection name\r\n40FBC932BD45FEB3D2409B3A4C7029DDDE881389 | Older version of Grandoreiro (2017) | Win32/Spy.Grandoreiro.A\r\n7905DB9BBE2CB29519A5371B175551C6612255EF | Grandoreiro | Win32/Spy.Grandoreiro.AE\r\nBD88A809B05168D6EFDBA4DC149653B0E1E1E448 | Grandoreiro | Win32/Spy.Grandoreiro.AJ\r\nGrandoreiro Win32 downloaders\r\nSHA-1 | Description | ESET detection name\r\n7C2ED8B4AA65BEFCC229A36CE50539E9D6A70EE3 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJR\r\n27A434D2EF4D1D021F283BCB93C6C7E50ACB8EA6 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YLZ\r\n28D58402393B6BCA73FF0EAC319226233181EDC9 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YJB\r\n42892DF64F00F4C091E1C02F74C2BB8BAD131FC5 | Grandoreiro downloader | Win32/TrojanDownloader.Banload.YMI\r\nGrandoreiro spam tool\r\nSHA-1 | Description | ESET detection name\r\nBCED5D138ACEADA1EF11BFD22C2D6359CDA183DB | Grandoreiro spam tool | Win32/Spy.Grandoreiro.AD\r\nWindows Registry\r\nHKCU\\Software\\%USER_NAME%\r\nHKCU\\Software\\ToolTech-RM\r\nUser-Agent\r\nh55u4u4u5uii5\r\nFilenames (all located in %INSTALL_DIR%, the path where Grandoreiro is installed)\r\nMDL_YEL_01.dll\r\nMDL_BLU_BR_02.dll\r\nMDL_SIC_BR_03.dll\r\nMDL_SANT_BR_04.dll\r\nMDL_ITA_BR_05.dll\r\nMDL_BRADA_BR_06.dll\r\nMDL_SICCB_BR_07.dll\r\nMDL_SAFRA_BR_08.dll\r\nMDL_ORIGI_BR_09.dll\r\nMDL_NORDES_BR_10.dll\r\nMDL_BANEST_BR_11.dll\r\nMDL_BANEZE_BR_12.dll\r\nMDL_AMAZON_BR_13.dll\r\nMDL_UNICRE_BR_14.dll\r\nMDL_BRB_BR_15.dll\r\nMDL_WUPDATE_BR_001.dll\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1192 | Spearphishing Link | Grandoreiro distribution chains start with an email link pointing to a fake website.\r\nExecution | T1106 | Execution through API | Grandoreiro is executed either by WinExec or WScript.Shell.Exec API.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Grandoreiro ensures persistence by creating a .LNK file in the startup folder.\r\nPrivilege Escalation | T1088 | Bypass User Account Control | Grandoreiro bypasses UAC by registering as the default handler for .MSC files.\r\nDefense Evasion | T1009 | Binary Padding | Grandoreiro inserts large BMP files into its .rsrc section to make the binaries much larger.\r\nDefense Evasion | T1089 | Disabling Security Tools | Grandoreiro tries to disable Diebold Warsaw and Trusteer banking protection software.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Grandoreiro is distributed in a ZIP archive that usually needs to be decrypted.\r\nDefense Evasion | T1222 | File and Directory Permissions Modification | Grandoreiro changes the ACL for Trusteer to disable it.\r\nDefense Evasion | T1036 | Masquerading | Downloaders that distribute Grandoreiro masquerade as fake update installation files.\r\nDefense Evasion | T1112 | Modify Registry | Grandoreiro stores its configuration in the Windows Registry.\r\nDefense Evasion | T1064 | Scripting | Grandoreiro implements some of its distribution chain stages in VBScript.\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion | Grandoreiro detects VMWare and Virtual PC.\r\nCredential Access | T1503 | Credentials from Web Browsers | Grandoreiro steals credentials from the Google Chrome browser.\r\nCredential Access | T1081 | Credentials in Files | Grandoreiro parses Outlook .pst files to extract email addresses.\r\nDiscovery | T1010 | Application Window Discovery | Grandoreiro discovers various security tools based on window names.\r\nDiscovery | T1083 | File and Directory Discovery | Grandoreiro discovers protection software based on file system paths.\r\nDiscovery | T1057 | Process Discovery | Grandoreiro discovers security tools based on process names.\r\nDiscovery | T1063 | Security Software Discovery | Grandoreiro detects the presence of banking protection products.\r\nDiscovery | T1082 | System Information Discovery | Grandoreiro collects information about the victim's machine, such as %USERNAME%, %COMPUTERNAME%, and product names.\r\nCollection | T1056 | Input Capture | Grandoreiro is capable of capturing keystrokes.\r\nCommand and Control | T1483 | Domain Generation Algorithms | Grandoreiro generates its C\u0026C address using a DGA.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | Grandoreiro’s network protocol is implemented by RealThinClient, which is built over HTTP.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Grandoreiro sends the data it retrieves to its C\u0026C server.\r\nFurther reading\r\nSource: https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/"
	],
	"report_names": [
		"grandoreiro-how-engorged-can-exe-get"
	],
	"threat_actors": [],
	"ts_created_at": 1775434908,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0edcc1847560ec4fa24136b20be2abaa1ba773ca.pdf",
		"text": "https://archive.orkl.eu/0edcc1847560ec4fa24136b20be2abaa1ba773ca.txt",
		"img": "https://archive.orkl.eu/0edcc1847560ec4fa24136b20be2abaa1ba773ca.jpg"
	}
}