2023-01-03 (Tuesday) and 01-04 (Wednesday): Doing this as a separate post as well...

Follow-up on activity reported in today's (2023-01-05) ISC diary at: https://isc.sans.edu/diary/More%20Brazil%20malspam%20pushing%20Astaroth%20%28Guildma%29%20in%20January%202023/29404

A more complete list of indicators, #pcap files, and #Astaroth (#Guildma) malware samples now available at: https://malware-traffic-analysis.net/2023/01/04/index.html

On the first pcap, I opened the banco.bradesco site in a web browser after letting the infection run overnight. So that particular traffic was -not- caused by the malware.

After opening that banking website, the infected host immediately generated more HTTP POST requests, sending encoded data to the C2 server.

@sans_isc A more complete list of indicators, #pcap files, and #Astaroth (#Guildma) malware samples from this diary are now available at: https://malware-traffic-analysis.net/2023/01/04/index.html

@SebastianWalla @sans_isc This #Astaroth/#Guildma malware has consistently used AutoIt for the past year or two, every time I've seen it.

I've generated 10 infections in my lab environment since July 2022 (including one in November and one in December). They all look similar, and they all use AutoIt, which is one of the ways I identitfy this as Astaroth/Guildma.

You might be right about other malware families, though. And AutoIt isn't the only method I've seen for other campaigns targeting Brazil.

Unfortunately for me, this Brazil-targeted Astaroth malware is the only one I personally see using AutoIt.

ISC diary: @malware_traffic finds more #malspam pushing #Astaroth (#Guildma) in January 2023 https://i5c.us/d29404

[Astaroth] 1 La pesca #astaroth
https://anchor.fm/s/8b745078/podcast/play/50663103/https%3A%2F%2Fd3ctxlq1ktw2nl.cloudfront.net%2Fproduction%2Fexports%2F8b745078%2F50663103%2F5337c096263ac9092db59709dd5734f5.m4a via @PodcastAddict

[Astaroth] Presentacion #astaroth
https://anchor.fm/s/8b745078/podcast/play/49324073/https%3A%2F%2Fd3ctxlq1ktw2nl.cloudfront.net%2Fproduction%2F2022-2-20%2F254820462-44100-1-dd20474809e51.m4a via @PodcastAddict

Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’ - The infostealer has gone above and beyond in its new anti-analysis and obfuscation tactics. more: https://threatpost.com/astaroths-evasion-tactics-painful-analyze/155633/ #malwaredetection #evasiontactics #infostealer #obfuscation #astaroth #malware #youtube

Threat Spotlight: Astaroth — Maze of obfuscation and evasion reveals dark stealer - By Nick Biasini, Edmund Brumaghin and Nick Lister.

Cisco Talos is detailing an information stealer... more: http://feedproxy.google.com/~r/feedburner/Talos/~3/wbuyAZOABoU/astaroth-analysis.html #informationstealers #malwareanalysis #anti-analysis #anti-sandbox #astaroth #brazil

Astaroth (Shinrabansho) nsfw nudist April 2017 Reward
https://www.patreon.com/sollyz_haruz
support get reward

-SFW and NSFW (Nudist)____5$
-all SFW ,NSFW and SFW animated version____10$
-all work & .psd file____20$

**only this month , have nsfw(Nudist) animated!**
**will be sent after the payment has been processed.**
**around 1th-5th May 2017 **

#Astaroth #Shinrabansho #神羅万象 #アスタロット #animated #gif #nudist #r18 #nsfw https://pawoo.net/media/D74wjMCNBkCONodKNx0

Astaroth (Shinrabansho) nsfw nudist April 2017 Reward
https://www.patreon.com/sollyz_haruz
support get reward

-SFW and NSFW (Nudist)____5$
-all SFW ,NSFW and SFW animated version____10$
-all work & .psd file____20$

**only this month , have nsfw(Nudist) animated!**
**will be sent after the payment has been processed.**
**around 1th-5th May 2017 **

#Astaroth #Shinrabansho #神羅万象 #アスタロット #animated #gif #nudist #r18 #nsfw https://pawoo.net/media/D74wjMCNBkCONodKNx0

Astaroth (Shinrabansho) April 2017 Reward
https://www.patreon.com/sollyz_haruz
support get reward

#Astaroth #Shinrabansho #神羅万象 #アスタロット #animated #gif

Astaroth (Shinrabansho) April 2017 Reward
https://www.patreon.com/sollyz_haruz
support get reward

#Astaroth #Shinrabansho #神羅万象 #アスタロット #animated #gif