{
	"id": "c5544a17-26bd-4504-b920-a900bf9d96b7",
	"created_at": "2026-04-06T00:12:05.501154Z",
	"updated_at": "2026-04-10T03:20:42.094031Z",
	"deleted_at": null,
	"sha1_hash": "d4bb12faf350f719d14ba3e2516138dd6b53942c",
	"title": "Brazil malspam pushes Astaroth (Guildma) malware - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1669151,
	"plain_text": "Brazil malspam pushes Astaroth (Guildma) malware - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 15:34:34 UTC\r\nIntroduction\r\nToday's diary is a quick post of an Astaroth (Guildma) malware infection I generated today on Friday 2022-08-19 from a malicious Boleto-themed email pretending to be from Grupo Solução \u0026 CIA.  Boleto is a payment method used in Brazil, while Grupo Solução \u0026 CIA is a Brazil-based company.\r\nImages from the infection\r\nShown above:  Screenshot of the malicious email with link to download a malicious zip archive.\r\nShown above:  Link from email leads to web page pretending to be from Docusign that provides malicious zip archive for download.\r\nhttps://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962\r\nPage 1 of 6\r\nShown above:  Downloaded zip archive contains a Windows shortcut and a batch file.  Both are designed to infect a vulnerable Windows host with Astaroth (Guildma).\r\nShown above:  Traffic from the infection filtered in Wireshark (part 1 of 3).\r\nShown above:  Traffic from the infection filtered in Wireshark (part 2 of 3).\r\nShown above:  Artifact from the infected host's C:\\Users\\Public directory.\r\nShown above:  Artifact on the infected host's C: drive at C:\\J9oIM9J\\J9oIM9J.jS.\r\nShown above:  Windows shortcut in the infected user's Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup directory to keep the infection persistent.\r\nShown above:  Directory with persistent files used for the Astaroth (Guildma) infection.\r\nShown above:  Astaroth (Guildma) performs post-infection data exfiltration through HTTP POST requests.\r\nIndicators of Compromise (IOCs)\r\nLink from email:\r\nhxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloud\r\nIP address and TCP port for initial malicious domain:\r\n172.67.217[.]95 port 80 - w7oaer.infocloudgruposolucaoecia[.]link\r\nURL to legitimate website generated from iframe in the above traffic:\r\nhxxp://www.intangiblesearch[.]it/search/home_page.php?db_name=%3Cscript%20src=%22https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js%22%3E%3C/script%3E%3Cscript%20type=%2\r\nTraffic to initial malicious domain that provides zip archive download:\r\nhxxp://w7oaer.infocloudgruposolucaoecia[.]link/P05dWVqI0WghlU4/UeWgmk3mU3p8yeyxkUgI8Um1R1/65837/gruposolucaoeciainfocloudAvD\r\nhxxp://w7oaer.infocloudgruposolucaoecia[.]link//inc.php?/gruposolucaoeciainfocloud\r\nhxxp://w7oaer.infocloudgruposolucaoecia[.]link/YBZJPTBQV/482NJ8NS74J9/N6D6WW/gruposolucaoeciainfocloud_097.88933.61414z64y64\r\nTraffic generated by Windows shortcut or batch file from the downloaded zip archive:\r\n172.67.212[.]174:80 ahaaer.pfktaacgojiozfehwkkimhkbkm[.]cfd GET /?1/\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?59792746413628799\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?59792746413628799\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?33954141807632999\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?33954141807632999\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?71576927405639060\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?71576927405639060\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?59784568396678051\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?59784568396678051\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?40018133101693668\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?40018133101693668\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs HEAD /?33450285101613952\r\n104.21.11[.]4:80 cteasc.ijnkwnkxeguxaxmldwyogggwfk[.]sbs GET /?33450285101613952\r\nData exfiltration through HTTP POST requests:\r\n104.21.25[.]34:80 hcu11m2mkk2.rouepcgomfhejergdahjcfcugarfcmoa[.]tk POST /\r\n172.67.165[.]46:80 j2vfrc7gddo.aeabihjpejprueuibdjmhfmdcpsfr[.]gq POST /\r\nExample of downloaded zip archive:\r\nSHA256 hash: f254f9deeb61f0a53e021c6c0859ba4e745169322fe2fb91ad2875f5bf077300\r\nFile size: 1,091 bytes\r\nFile name: gruposolucaoeciainfocloud_097.88933.61414.zip\r\nContents from the above zip archive:\r\nSHA256 hash: 5ca1e9f0e79185dde9655376b8cecc29193ad3e933c7b93dc1a6ce2a60e63bba\r\nFile size: 338 bytes\r\nFile name: gruposolucaoeciainfocloud_097.88933157.086456.45192.cmd\r\nSHA256 hash: db136e87a5835e56d39c225e00b675727dc73a788f90882ad81a1500ac0a17d6\r\nFile size: 1,341 bytes\r\nFile name: gruposolucaoeciainfocloud_097.88933157.086456.45192.lNk\r\nCommand from Windows shortcut in Windows Startup folder on the infected Windows host:\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -Command\r\nC:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.exe\r\nC:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.log\r\nFiles used for persistent infection:\r\nSHA256 hash: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d\r\nFile size: 893,608 bytes\r\nFile location: C:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.exe\r\nFile description: Windows EXE for AutoIt v3, not inherently malicious\r\nSHA256 hash: e31658734d3e0de1d2764636d1b8726f0f8319b0e50b87e5949ec162ae1c0050\r\nFile size: 246,116 bytes\r\nFile location: C:\\W45784602214\\Asus.CertificateValidation.2022.1728.641.AutoIt3.log\r\nFile description: Malicious data binary, AutoIt v3 compiled script run by above Windows EXE for AutoIt v3\r\nFinal words\r\nA pcap of the infection traffic, the associated malware/artifacts, and the email that kicked off this infection are available here.\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962"
	],
	"report_names": [
		"28962"
	],
	"threat_actors": [],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4bb12faf350f719d14ba3e2516138dd6b53942c.pdf",
		"text": "https://archive.orkl.eu/d4bb12faf350f719d14ba3e2516138dd6b53942c.txt",
		"img": "https://archive.orkl.eu/d4bb12faf350f719d14ba3e2516138dd6b53942c.jpg"
	}
}