MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f88d597200e44ffddf0e4d0230cdc42437a436b3d62b676d7dfac000ef72b2ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Guildma

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments 1

SHA256 hash:	f88d597200e44ffddf0e4d0230cdc42437a436b3d62b676d7dfac000ef72b2ed
SHA3-384 hash:	efec2cce63de51e36e42727a28a3a039745bafc6b28775c0b808bf9503d25ca2b3973428ad668d8412b967ac090cf553
SHA1 hash:	af1553070910f3f6767ec88425cbbbd6a4d5d43a
MD5 hash:	3efa12130439f3b64ac2e50ec5bbfab0
humanhash:	arizona-march-triple-maryland
File name:	254186535_PDF.zip
Download:	download sample
Signature	Guildma Create hunting rule
File size:	4'643 bytes
First seen:	2026-04-08 20:42:11 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	96:dBdKzuZignSYkqQ7SzKRj+/VTHFz17oxhzdqY:dBdKFVRqQwKjeFz17wzgY
TLSH	T18AA18FC8E1B5D194C437CC67C7266760E9E02779E35936CE59746322C07309782E0E0B
Magika	zip
Reporter	johnk3r
Tags:	Astaroth banker guildma plafel-webtreinerauto-autos proronsar-webtreinerbr-autos zip

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:	254186535_PDF.mp4
File size:	1'909 bytes
SHA256 hash:	b628e59bf6517f5fd97693b02785c2a07bc6a6cb27618780c69828c474d30e98
MD5 hash:	b944f3a50538d433054536cb98dfb781
MIME type:	text/plain
Signature	Guildma

File name:	254186535_PDF.pdf
File size:	1'909 bytes
SHA256 hash:	3ba679661c42b7e189025e28f4792007ed849d9a300a7c4348770dc91a82b397
MD5 hash:	52187a50f7a157c74c8debc37f3ff944
MIME type:	text/plain
Signature	Guildma

File name:	254186535_PDF.lNk
File size:	1'412 bytes
SHA256 hash:	d328933d97c084026ac13c6efea830feb5bfdc8ece251893a7e23b63d0c89d95
MD5 hash:	50d10fe0939af84d62428c2365354e1a
MIME type:	application/octet-stream
Signature	Guildma

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/b0d04596-9654-49b1-bf19-5e9aac70b030/

Detection(s):

Sanesecurity.Foxhole.Lnk_Zip_1.UNOFFICIAL

Sanesecurity.Foxhole.Zip_pdf.UNOFFICIAL

TwinWave.EvilLNK.AstarothHeadLikeAHole.20221019.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69d6bdb56a61012f6ad02e22

Tags:

dropper shell sage

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

masquerade

Link:

https://www.filescan.io/uploads/69d6bdb0799d5bf325f32a2c/reports/341c7abb-f90d-4a40-8c4d-4b7680b908c3/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/f88d597200e44ffddf0e4d0230cdc42437a436b3d62b676d7dfac000ef72b2ed

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f88d597200e44ffddf0e4d0230cdc42437a436b3d62b676d7dfac000ef72b2ed

Verdict:

Malicious

File Type:

zip

First seen:

2026-04-09T08:07:00Z UTC

Last seen:

2026-04-09T16:31:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/f88d597200e44ffddf0e4d0230cdc42437a436b3d62b676d7dfac000ef72b2ed/results?tab=lookup

Score:

Verdict:

Benign

File Type:

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Download_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies download artefacts in shortcut (LNK) files.

Rule name:	Execution_in_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies execution artefacts in shortcut (LNK) files.

Rule name:	High_Entropy_LNK Create hunting rule
Author:	@bartblaze
Description:	Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.

Rule name:	SUSP_LNK_CMD Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the reference to cmd.exe inside an lnk file, which is suspicious

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

Padawan commented on 2026-04-09 12:08:48 UTC

C2:

glacanriz[.]velmoratrud[.]cfd
ploninranvir3[.]xentari[.]cfd
cribel[.]openstern[.]yachts
blopaz[.]hairmont[.]hair
trugonmennal81[.]talnori[.]boats
glasar634[.]timeford[.]watch
dranal[.]bravion[.]boats
dresul[.]lomvera[.]boats
fravir[.]horan[.]watch
vadinnal[.]qpodio[.]qpon
glebel[.]terrae[.]rest
blugor2[.]solvia[.]rest
spromangem[.]solvia[.]rest
planpenpal[.]motoryn[.]autos
prilinpensul[.]maren[.]rest
frunongem[.]timeford[.]watch
sprogunim[.]horan[.]watch
sprocongir[.]motoryn[.]autos
sprotil[.]horan[.]watch
glopunzinim[.]seltrix[.]makeup
glupal5[.]timeford[.]watch
glecol[.]velmoratrud[.]cfd
glubondor330[.]talnori[.]boats
stravingem570[.]motoryn[.]autos
plelintez42[.]horan[.]watch
plilintar[.]talnori[.]boats
spromannal44[.]openstern[.]yachts
crironnil245[.]solvia[.]rest
blubengonwel15[.]hairmont[.]hair
grunonmanvir[.]bravion[.]boats
gruwel[.]timeford[.]watch
croronnil[.]bravion[.]boats
cresar[.]altriven[.]qpon
glulinfil[.]qpodio[.]qpon
plirinder35[.]lomvera[.]boats
tribanriz643[.]timeford[.]watch
glasinmensul[.]seltrix[.]makeup
scriwindenrol[.]norvexa[.]rest
grunil[.]darsion[.]boats
plominbil[.]maren[.]rest
graim[.]horan[.]watch
truriz[.]qpodio[.]qpon
frepanpor[.]altriven[.]qpon
clejanfer[.]lomvera[.]boats
strenal6[.]horan[.]watch
glunonbil[.]altriven[.]qpon
screpanbansil[.]timeford[.]watch
crotunkindor[.]timeford[.]watch
blosal[.]horan[.]watch
fragoncal[.]motoryn[.]autos
planbenhal[.]seltrix[.]makeup
screzinlhar464[.]qpodio[.]qpon
clamol[.]motoryn[.]autos
brupenbonzol2[.]hairmont[.]hair
flosil[.]seltrix[.]makeup
fretum[.]talnori[.]boats
scribil[.]lomvera[.]boats
strasanmonvaz[.]lomvera[.]boats
grurinmandiz[.]horan[.]watch
flimonxoncal[.]altriven[.]qpon
plenal[.]talnori[.]boats
trugonmenpal[.]motoryn[.]autos
plomintil[.]openstern[.]yachts
cretongonbel[.]timeford[.]watch
trerongor[.]timeford[.]watch
prunindiz188[.]solvia[.]rest
plemintendiz[.]norvexa[.]rest
crojanral[.]lomvera[.]boats
prasincol0[.]horan[.]watch
stasul[.]norvexa[.]rest
drosongoncol[.]terrae[.]rest
staral[.]horan[.]watch
stravingem[.]seltrix[.]makeup
crovaz10[.]darsion[.]boats
prukintenfar[.]timeford[.]watch
glefenfunval[.]horan[.]watch
glonal[.]maren[.]rest
striranal[.]xentari[.]cfd
sprotar5[.]solvia[.]rest
flixonhal[.]timeford[.]watch
flivel[.]horan[.]watch
brudenpaz551[.]qpodio[.]qpon
flojanfunral[.]bravion[.]boats
frubonim[.]solvia[.]rest
stripangonjal[.]openstern[.]yachts
clananronpal[.]darsion[.]boats
scrotar[.]motoryn[.]autos
plizol[.]terrae[.]rest
flojanlunsul[.]darsion[.]boats
fravir1[.]seltrix[.]makeup
fralinmenkil[.]solvia[.]rest
blufenel3[.]bravion[.]boats
glokil37[.]timeford[.]watch
trulincol[.]velmoratrud[.]cfd
plequal[.]bravion[.]boats
drapunbil[.]altriven[.]qpon
cretez785[.]motoryn[.]autos
clavaz[.]hairmont[.]hair
clexonsul836[.]horan[.]watch
tritum8[.]motoryn[.]autos
glogonzindor[.]norvexa[.]rest
graim8[.]maren[.]rest
screbil[.]timeford[.]watch
stakintil[.]terrae[.]rest
cretonfinsil702[.]maren[.]rest
gramtar355[.]timeford[.]watch
stresanvir[.]darsion[.]boats
prafar035[.]velmoratrud[.]cfd
trepaz834[.]altriven[.]qpon
screfil[.]lomvera[.]boats
gramzinransar[.]xentari[.]cfd
prepor[.]openstern[.]yachts
pliqual[.]lomvera[.]boats
truroncol[.]horan[.]watch
trefincal03[.]talnori[.]boats
staninvinal[.]norvexa[.]rest
strader[.]qpodio[.]qpon
pruqual5[.]hairmont[.]hair
plarancanriz[.]altriven[.]qpon
vakinvintez434[.]motoryn[.]autos
drarintentum217[.]velmoratrud[.]cfd
platanlankil[.]motoryn[.]autos
clemenrintar[.]velmoratrud[.]cfd
clananbel[.]altriven[.]qpon
frarol[.]timeford[.]watch
stasul5[.]horan[.]watch
glonal[.]hairmont[.]hair
stromindiz520[.]bravion[.]boats