Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Astaroth (Guildma) infection - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Astaroth (Guildma) infection


Today's diary is a quick post of an Astaroth (Guildma) malware infection I generated early on Wednesday 2022-02-16 from a malicious email targeting a Brazil-based recipient on Tuesday 2022-02-15.

Images from the infection

Shown above: Screenshot from the email that kicked off the infection.

Shown above:  Downloading a zip archive after clicking link in the email.

Shown above:  Content of the downloaded zip archive is a text-based .cmd file.

Shown above:  Two shortcuts in the Windows Start Menu Startup folder keep this infection persistent.

Shown above: Files used for the Astaroth (Guildma) infection.

Shown above: Traffic from the infection filtered in Wireshark.

Final Words

A packet capture (pcap) of the Astaroth infection traffic with the associated email and malware/artifacts are here.


Brad Duncan
brad [at]



436 Posts
ISC Handler
Feb 16th 2022

Sign Up for Free or Log In to start participating in the conversation!