Astaroth (Guildma) infection

Published: 2022-02-16
Last Updated: 2022-02-16 05:19:44 UTC
by Brad Duncan (Version: 1)

Introduction

Today's diary is a quick post about an Astaroth (Guildma) malware infection I generated early on Wednesday 2022-02-16, starting from a malicious email sent on Tuesday 2022-02-15 to a Brazil-based recipient.

Images from the infection

Shown above: Screenshot from the email that kicked off the infection.

Shown above: Downloading a zip archive after clicking the link in the email.

Shown above: Content of the downloaded zip archive is a text-based .cmd file.

Shown above: Two shortcuts in the Windows Start Menu Startup folder keep this infection persistent.

Shown above: Files used for the Astaroth (Guildma) infection.

Shown above: Traffic from the infection filtered in Wireshark.
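The persistence in this infection comes from two shortcuts dropped in the Startup folder. The PowerShell below is an added example for checking a host for that kind of persistence; it is not part of the original diary and not taken from the sample itself. It lists every .lnk in the per-user and all-users Startup folders, resolves each shortcut's target and arguments, and flags targets that are script interpreters or script files (the interpreter and extension lists are assumptions to tune for your environment).

```powershell
# Added example (not from the diary): enumerate Startup-folder shortcuts and
# resolve their targets so an analyst can spot script-based persistence.
$startupFolders = @(
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

# Assumption: interpreters and script extensions worth a second look when they
# are the target of a Startup shortcut. Adjust for what is normal on your hosts.
$suspectInterpreters = @('cmd.exe', 'wscript.exe', 'cscript.exe',
                         'powershell.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')
$suspectExtensions   = @('.cmd', '.bat', '.vbs', '.js', '.jse', '.ps1', '.hta')

# WScript.Shell can parse .lnk files and expose TargetPath/Arguments.
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File | ForEach-Object {
        $lnk      = $shell.CreateShortcut($_.FullName)
        $target   = [string]$lnk.TargetPath
        $leaf     = [System.IO.Path]::GetFileName($target).ToLower()
        $ext      = [System.IO.Path]::GetExtension($target).ToLower()
        $flag     = ''
        if ($suspectInterpreters -contains $leaf) { $flag = 'REVIEW: script interpreter' }
        elseif ($suspectExtensions -contains $ext) { $flag = 'REVIEW: script file' }
        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $lnk.Arguments
            WorkingDir = $lnk.WorkingDirectory
            Modified   = $_.LastWriteTime
            Flag       = $flag
        }
    }
}

# Print everything; the Flag column is what to read first.
$results | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Run it in an elevated session to make sure the all-users folder is readable; the Modified timestamp helps tie a shortcut back to the time of the email and download.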

Final Words

A packet capture (pcap) of the Astaroth infection traffic, along with the associated email and the malware/artifacts, is available here.

---

Brad Duncan
brad [at] malware-traffic-analysis.net
