Concrete signature match: Trojan (appears legitimate but performs malicious actions), 32-bit Windows platform, family Astaroth
Trojan:Win32/Astaroth!pz is an information-stealing Trojan known for abusing living-off-the-land binaries (LOLBAS) such as mshta, regsvr32, rundll32 and PowerShell for execution and persistence. It uses API hooking to steal credentials, relies on BITS jobs and scheduled tasks for persistence, and performs data encoding and remote file operations for exfiltration.
Relevant strings associated with this threat:
- xGERAL.AR (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
SHA-256: 0b142c056c31efe2bd8a33f713ade52d29a6026a9ec581e98b8bc8a683577c21

Immediately isolate the infected system. Perform a full system scan to remove the threat and any related components. Review system logs for signs of persistence (e.g., scheduled tasks, BITS jobs) and change all user and administrative credentials that may have been compromised.