^[3]

Astaroth creates a startup item for persistence.^[2]

Astaroth's initial payload is a malicious .LNK file.^[2][1]

Astaroth collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries.^[1]

Astaroth spawns a CMD process to execute commands.^[1]

Astaroth has used malicious VBS e-mail attachments for execution.^[3]

Astaroth uses JavaScript to perform its core functionalities.^[2][3]

Astaroth uses an external software known as NetPass to recover passwords.^[1]

Astaroth encodes data using Base64 before sending it to the C2 server.^[2]

Astaroth collects data in a plaintext file named r1.log before exfiltration.^[2]

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.^[1][3]

Astaroth has used a DGA in C2 communications.^[1]

Astaroth exfiltrates collected information from its r1.log file to the external C2 server.^[1]

Astaroth loads its module with the XSL script parametervShow set to zero, which opens the application with a hidden window.^[1]

Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.^[3]

Astaroth can launch itself via DLL Search Order Hijacking.^[3]

Astaroth usescertutil andBITSAdmin to download additional malware.^[2][1][3]

Astaroth logs keystrokes from the victim's machine.^[2]

Astaroth uses a software packer called Pe123\RPolyCryptor.^[1]

Astaroth has obfuscated and randomized parts of the JScript code it is initiating.^[1]

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.^[3]

Astaroth has been delivered via malicious e-mail attachments.^[3]

Astaroth searches for different processes on the system.^[1]

Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.^[1][3]

Astaroth uses the LoadLibraryExW() function to load additional modules.^[1]

Astaroth checks for the presence of Avast antivirus in theC:\Program\Files\ folder.^[2]

Astaroth uses ActiveX objects for file execution and manipulation.^[2]

Astaroth can be loaded through regsvr32.exe.^[1]

Astaroth collects the machine name and keyboard language from the system.^[2][1]

Astaroth collects the external IP address from the system.^[2]

Astaroth collects the timestamp from the infected machine.^[2]

Astaroth uses an external software known as NetPass to recover passwords.^[1]

Astaroth has used malicious files including VBS, LNK, and HTML for execution.^[3]

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.^[3]

Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.^[3]

Astaroth uses WMIC to execute payloads.^[2]

Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain.^[1]