AstarionRAT (Malware Family)

AstarionRAT

aka: MIMICRAT

VTCollection

According to Huntress, AstarionRAT is a full-featured RAT with 24 commands, including credential theft, SOCKS5 proxy, port scanning, reflective code loading, and shell execution, with RSA-encrypted C2 communication disguised as application telemetry.

References

2026-02-19 ⋅ Elastic ⋅ Elastic Security Labs, Salim Bitam
MIMICRAT: ClickFix Campaign Delivers Custom RAT via Compromised Legitimate Websites
AstarionRAT

2026-02-16 ⋅ Huntress Labs ⋅ Anna Pham, Michael Tigges
ClickFix Won't Die. Neither Will Matanbuchus. A New RAT and a Hands-on-Keyboard Intrusion
AstarionRAT Matanbuchus

Yara Rules

[TLP:WHITE] win_astarion_rat_auto (20260504 | Detects win.astarion_rat.)

rule win_astarion_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.astarion_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.astarion_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 488b4f48 e8???????? 488bcf e8???????? 4c8b642448 488b6c2458 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488b4f48             | lea                 eax, [esp + 0x5c]
            //   e8????????           |                     
            //   488bcf               | mov                 edx, 0x8004667e
            //   e8????????           |                     
            //   4c8b642448           | dec                 ecx
            //   488b6c2458           | mov                 ecx, esp

        $sequence_1 = { 85c0 7506 8885f0010000 8b4c2478 488d542450 ff15???????? 85c0 }
            // n = 7, score = 100
            //   85c0                 | movdqu              xmm0, xmmword ptr [ebp + eax + 0x190]
            //   7506                 | je                  0x7fc
            //   8885f0010000         | lea                 ecx, [ebp + 1]
            //   8b4c2478             | dec                 ecx
            //   488d542450           | mov                 eax, 0xffffffff
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [esp + 0x30], ecx

        $sequence_2 = { 0f2805???????? 0f298de0000000 0f280d???????? 66898518010000 0fb605???????? 0f298520010000 0f2805???????? }
            // n = 7, score = 100
            //   0f2805????????       |                     
            //   0f298de0000000       | add                 ebx, eax
            //   0f280d????????       |                     
            //   66898518010000       | dec                 eax
            //   0fb605????????       |                     
            //   0f298520010000       | mov                 edx, edi
            //   0f2805????????       |                     

        $sequence_3 = { 488945f8 48b843004d0044000000 48894550 488d4558 c745a068000000 66897de0 c745dc01010000 }
            // n = 7, score = 100
            //   488945f8             | mov                 ecx, esi
            //   48b843004d0044000000     | dec    esp
            //   48894550             | lea                 esi, [eax + 1]
            //   488d4558             | mov                 ecx, dword ptr [esp + 0x30]
            //   c745a068000000       | mov                 edx, 1
            //   66897de0             | dec                 eax
            //   c745dc01010000       | add                 ecx, eax

        $sequence_4 = { 4c8d053b880100 488d153c880100 e8???????? 4885c0 740f 488bcb 4883c420 }
            // n = 7, score = 100
            //   4c8d053b880100       | lea                 eax, [esp + 0x58]
            //   488d153c880100       | dec                 eax
            //   e8????????           |                     
            //   4885c0               | lea                 edx, [esp + 0x60]
            //   740f                 | test                eax, eax
            //   488bcb               | dec                 eax
            //   4883c420             | mov                 ecx, eax

        $sequence_5 = { e8???????? 488bce e9???????? ff15???????? 488b442460 4533c9 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   488bce               | je                  0x13ea
            //   e9????????           |                     
            //   ff15????????         |                     
            //   488b442460           | nop                 
            //   4533c9               | cmp                 dword ptr [ebx + 4], 0

        $sequence_6 = { e8???????? eb1c 4533c9 488bd7 4533c0 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   eb1c                 | dec                 esp
            //   4533c9               | mov                 ecx, dword ptr [esi + 0x68]
            //   488bd7               | dec                 ecx
            //   4533c0               | mov                 edx, esp

        $sequence_7 = { ff15???????? 85c0 0f8862010000 ba02000000 4489642428 8bca }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   85c0                 | dec                 eax
            //   0f8862010000         | mov                 ecx, ebp
            //   ba02000000           | dec                 eax
            //   4489642428           | mov                 ecx, dword ptr [edi + 0x10]
            //   8bca                 | dec                 eax

        $sequence_8 = { eb08 468bbc0d28010000 488bce ff15???????? 418bcf ff15???????? }
            // n = 6, score = 100
            //   eb08                 | and                 eax, 0x3f
            //   468bbc0d28010000     | dec                 eax
            //   488bce               | mov                 esi, ebx
            //   ff15????????         |                     
            //   418bcf               | dec                 eax
            //   ff15????????         |                     

        $sequence_9 = { 488b4e48 e8???????? 488b4e50 e8???????? 488b4e58 e8???????? 488b4e60 }
            // n = 7, score = 100
            //   488b4e48             | mov                 byte ptr [ebp + ebx + 0x190], ch
            //   e8????????           |                     
            //   488b4e50             | mov                 byte ptr [esp + 0x37], 3
            //   e8????????           |                     
            //   488b4e58             | jb                  0x6f9
            //   e8????????           |                     
            //   488b4e60             | dec                 ecx

    condition:
        7 of them and filesize < 462848
}

Download all Yara Rules

AstarionRAT Propose Change

References

Yara Rules

AstarionRAT