Astaroth is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017.[1][2]

ID: S0373
Platforms: Windows
Contributors: Carlos Borges, @huntingneo, CIP
Version: 1.1
Created: 17 April 2019
Last Modified: 11 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() Windows API functions.[1]

Enterprise T1059 Command-Line Interface

Astaroth spawns a CMD process to execute commands.[1]

Enterprise T1223 Compiled HTML File

Astaroth uses ActiveX objects for file execution and manipulation.[2]

Enterprise T1003 Credential Dumping

Astaroth uses external software known as NetPass to recover passwords.[1]

Enterprise T1132 Data Encoding

Astaroth encodes data using Base64 before sending it to the C2 server.[2]

Enterprise T1074 Data Staged

Astaroth collects data in a plaintext file named r1.log before exfiltration.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.[1]

Enterprise T1129 Execution through Module Load

Astaroth uses the LoadLibraryExW() function to load additional modules.[1]

Enterprise T1041 Exfiltration Over Command and Control Channel

Astaroth exfiltrates collected information from its r1.log file to the external C2 server.[1]

Enterprise T1143 Hidden Window

Astaroth loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window.[1]

Enterprise T1056 Input Capture

Astaroth logs keystrokes from the victim's machine.[2]

Enterprise T1027 Obfuscated Files or Information

Astaroth obfuscates its JScript code.[1]

Enterprise T1057 Process Discovery

Astaroth searches for different processes on the system.[1]

Enterprise T1093 Process Hollowing

Astaroth searches for unins000.exe (GAS Tecnologia software), Syswow64\userinit.exe, or System32\userinit.exe to evasively create a new process in a suspended state.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Astaroth creates a startup item for persistence.[2]

Enterprise T1117 Regsvr32

Astaroth can be loaded through regsvr32.exe.[1]

Enterprise T1105 Remote File Copy

Astaroth uses certutil and BITSAdmin to download additional malware.[2][1]

Enterprise T1064 Scripting

Astaroth uses JavaScript to perform its core functionalities.[2]

Enterprise T1063 Security Software Discovery

Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder.[2]

Enterprise T1023 Shortcut Modification

Astaroth's initial payload is a malicious .LNK file.[2]

Enterprise T1045 Software Packing

Astaroth uses a software packer called Pe123\RPolyCryptor.[1]

Enterprise T1082 System Information Discovery

Astaroth collects the machine name and keyboard language from the system.[2][1]

Enterprise T1016 System Network Configuration Discovery

Astaroth collects the external IP address from the system.[2]

Enterprise T1124 System Time Discovery

Astaroth collects the timestamp from the infected machine.[2]

Enterprise T1047 Windows Management Instrumentation

Astaroth uses WMIC to execute payloads.[2]

Enterprise T1220 XSL Script Processing

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain.[1]