win.astaroth

Astaroth

aka: Guildma

First spotted in the wild in 2017, Astaroth is a highly prevalent, information-stealing Latin American banking trojan. It is written in Delphi and uses some innovative execution and attack techniques. Originally, this malware variant targeted Brazilian users, but Astaroth now also targets users in both North America and Europe.

References
2022-08-19 | SANS ISC | Brad Duncan
@online{duncan:20220819:brazil:ba12b0c, author = {Brad Duncan}, title = {{Brazil malspam pushes Astaroth (Guildma) malware}}, date = {2022-08-19}, organization = {SANS ISC}, url = {https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962}, language = {English}, urldate = {2022-08-28} }
Astaroth
2022-01-17 | Github (pan-unit42) | Brad Duncan
@online{duncan:20220117:iocs:2a5e814, author = {Brad Duncan}, title = {{IOCs for Astaroth/Guildma malware infection}}, date = {2022-01-17}, organization = {Github (pan-unit42)}, url = {https://github.com/pan-unit42/tweets/blob/master/2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt}, language = {English}, urldate = {2022-01-25} }
Astaroth
2021-11-17 | ARMOR | Amer Elsad
@online{elsad:20211117:astaroth:04788ff, author = {Amer Elsad}, title = {{Astaroth: Banking Trojan}}, date = {2021-11-17}, organization = {ARMOR}, url = {https://www.armor.com/resources/threat-intelligence/astaroth-banking-trojan/}, language = {English}, urldate = {2021-12-01} }
Astaroth
2021-03-21 | Blackberry | Blackberry Research
@techreport{research:20210321:2021:a393473, author = {Blackberry Research}, title = {{2021 Threat Report}}, date = {2021-03-21}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf}, language = {English}, urldate = {2021-03-25} }
Bashlite, FritzFrog, IPStorm, Mirai, Tsunami, elf.wellmess, AppleJeus, Dacls, EvilQuest, Manuscrypt, Astaroth, BazarBackdoor, Cerber, Cobalt Strike, Emotet, FinFisher RAT, Kwampirs, MimiKatz, NjRAT, Ryuk, SmokeLoader, TrickBot
2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} }
WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader
2020-07-14 | Kaspersky Labs | GReAT
@online{great:20200714:tetrade:c97f76a, author = {GReAT}, title = {{The Tetrade: Brazilian banking malware goes global}}, date = {2020-07-14}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-tetrade-brazilian-banking-malware/97779/}, language = {English}, urldate = {2020-07-15} }
Astaroth, Grandoreiro, Melcoz
2020-07-03 | F-Secure Labs | Anartz Martin
@online{martin:20200703:attack:1454a0d, author = {Anartz Martin}, title = {{Attack Detection Fundamentals: Code Execution and Persistence - Lab #1}}, date = {2020-07-03}, organization = {F-Secure Labs}, url = {https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/}, language = {English}, urldate = {2020-09-21} }
Astaroth
2020-05-31 | InfoSec Handlers Diary Blog | Renato Marinho
@online{marinho:20200531:guildma:0cad27c, author = {Renato Marinho}, title = {{Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses}}, date = {2020-05-31}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/27482}, language = {English}, urldate = {2021-06-09} }
Astaroth
2020-05-11 | Cisco Talos | Nick Biasini, Edmund Brumaghin, Nick Lister
@online{biasini:20200511:astaroth:f325070, author = {Nick Biasini and Edmund Brumaghin and Nick Lister}, title = {{Astaroth - Maze of obfuscation and evasion reveals dark stealer}}, date = {2020-05-11}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/05/astaroth-analysis.html}, language = {English}, urldate = {2020-05-11} }
Astaroth
2020-03-23 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20200323:latest:c58e3ed, author = {Microsoft Defender ATP Research Team}, title = {{Latest Astaroth living-off-the-land attacks are even more invisible but not less observable}}, date = {2020-03-23}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/}, language = {English}, urldate = {2020-03-26} }
Astaroth
2020-03-05 | ESET Research | ESET Research
@online{research:20200305:guildma:a339bd6, author = {ESET Research}, title = {{Guildma: The Devil drives electric}}, date = {2020-03-05}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/}, language = {English}, urldate = {2020-03-09} }
Astaroth
2019-12-06 | Botconf | Juraj Horňák, Jakub Souček
@techreport{hork:20191206:demystifying:1285ddd, author = {Juraj Horňák and Jakub Souček}, title = {{Demystifying banking trojans from Latin America}}, date = {2019-12-06}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf}, language = {English}, urldate = {2020-05-05} }
Astaroth, Metamorfo
2019-07-08 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20190708:dismantling:7570b60, author = {Microsoft Defender ATP Research Team}, title = {{Dismantling a fileless campaign: Microsoft Defender ATP’s Antivirus exposes Astaroth attack}}, date = {2019-07-08}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/}, language = {English}, urldate = {2019-12-02} }
Astaroth
2019-04-25 | AppGate | Edgar Felipe Duarte Porras
@online{porras:20190425:meet:75dbab7, author = {Edgar Felipe Duarte Porras}, title = {{Meet Lucifer: A New International Trojan}}, date = {2019-04-25}, organization = {AppGate}, url = {https://blog.easysol.net/meet-lucifer-international-trojan/}, language = {English}, urldate = {2020-01-07} }
Astaroth
2019-02-13 | Cybereason | Eli Salem
@online{salem:20190213:astaroth:ed892f0, author = {Eli Salem}, title = {{Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data}}, date = {2019-02-13}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research}, language = {English}, urldate = {2020-01-09} }
Astaroth

There is no YARA signature yet.