MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c436f665f9618e9a01ca3ac1d642defb554c12fa98586d2a744882929cb1182. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Guildma


Vendor detections: 8



SHA256 hash: 1c436f665f9618e9a01ca3ac1d642defb554c12fa98586d2a744882929cb1182
SHA3-384 hash: 8d4663b352e0a045bc81905607082a508f675f67fa29a42668f294c891dcb70410c6959b4adc0714e5137af56fd649ca
SHA1 hash: 9b2c4c71e0534874fc93c4edd38413f1fd036b56
MD5 hash: fcfd4a9f0c3084a2c89a3851f20de140
humanhash: jupiter-arizona-lemon-diet
File name: 7730f5e319b0042261a99bfdc42a0aef8bc4e35b606a3f6ec8c7f847cda9420e.7z
Signature: Guildma
File size: 561 bytes
First seen: 2026-04-14 19:30:35 UTC
Last seen: Never
File type: 7z
MIME type: application/x-7z-compressed
ssdeep: 12:sg78DaJi5KP7+uEVNvfgcWYk3cHn/9oOtHlIYMZ9y7qK+cUpsn1:s1aJi5f7vIYk3cloWpMjy7qLY
TLSH: T12CF0056E8FD099B5D532557282C859DF572CD12FB1442D2D88E623CD4D73B01ECD670A
TrID: 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1)
      42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika: sevenzip
Reporter: johnk3r
Tags: 7z Astaroth banker guildma


johnk3r
C2:


Intelligence


File Origin
# of uploads: 1
# of downloads: 96
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: 7730f5e319b0042261a99bfdc42a0aef8bc4e35b606a3f6ec8c7f847cda9420e.vbs
File size: 802 bytes
SHA256 hash: 7730f5e319b0042261a99bfdc42a0aef8bc4e35b606a3f6ec8c7f847cda9420e
MD5 hash: 2af4c095e81bccd80ada7e79fedfc66f
MIME type: text/plain
Signature: Guildma
Vendor Threat Intelligence
No detections

Verdict: Malicious
Score: 81.4%
Tags: phishing virus

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated soft-404

Verdict: Malicious
File Type: 7z
First seen: 2026-04-14T17:50:00Z UTC
Last seen: 2026-04-14T18:03:00Z UTC
Hits: ~10

Gathering data

Threat name: Win32.Trojan.Qwexlafiba
Status: Malicious
First seen: 2026-04-14 19:31:30 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 10 of 37 (27.03%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour: Badlisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
