Astaroth Returns: 1,680 Fake Brazilian Hosting Accounts, Reflective .NET Loading, and a Compromised Spanish Web Server Still Serving Malware
Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-16
TL;DR
A fresh Astaroth/Guildma banking trojan sample dropped today. The dropper is a UTF-16LE PowerShell script that gates execution behind connectivity checks and a 12-tool analysis blacklist, downloads a .NET DLL stored as comma-separated bytes from HostGator Brazil's free subdomain platform, then reflectively loads it via Assembly.Load() and invokes InstallUtil as a LOLBIN for AppLocker bypass. The final payload -- a ConfuserEx-protected .NET assembly hosted on a compromised Spanish web server with 14 unpatched CVEs -- contains 14 hardcoded banking certificate SHA256 fingerprints for intercepting Brazilian financial institution HTTPS sessions. URLscan indexing reveals 1,680+ staging subdomains registered under auto-generated Brazilian names, all active within the past 90 days. The final payload at catalogo.castrouria.com/bl.txt was still live at time of analysis.
The Dropper: sthzr.ps1
The sample sthzr.ps1 arrived as a 6KB UTF-16LE encoded PowerShell file.
| Property | Value |
|---|---|
| Filename | sthzr.ps1 |
| SHA256 | 4ba3c1a20ce0bdc7f78820d9bfc337cabc75087bfce2a080e15f694d29ae4715 |
| MD5 | e81f0cfad01ee0d80968ca43dd95685d |
| SHA1 | 14b7740ca4356f90c6f2c9aecc6afd31641d2b3b |
| Size | ~6 KB |
| Encoding | UTF-16LE (Little Endian, BOM: FF FE) |
| Sandbox submission | 2026-03-16 06:48 UTC |
UTF-16LE: The First Evasion Layer
UTF-16LE is a deliberate choice. Most signature engines and YARA rules are written to match ANSI or UTF-8 byte patterns. In UTF-16LE, every ASCII character is followed by a null byte, doubling the representation:
UTF-8: 49 6E 76 6F 6B 65 ("Invoke")
UTF-16LE: 49 00 6E 00 76 00 6F 00 6B 00 65 00
A YARA rule matching "Invoke-Expression" with both the ascii and wide modifiers will match this. A rule matching { 49 6E 76 6F 6B 65 } as a hex string will not. The encoding turns every naive byte-pattern signature into a miss. Defenders writing detection rules for PowerShell droppers must explicitly include the wide modifier, or match on the UTF-16LE BOM (FF FE) as a precondition and decode before matching.
Anti-Analysis: Connectivity Gate
Before executing any payload logic, the dropper verifies internet connectivity:
```powershell
$OSpBT = Test-Connection 'www.google.com' -ErrorAction SilentlyContinue
$EFiyr = $OSpBT -is [Array]
if ($EFiyr) { } else { jTifh ; exit }
```
The logic is subtle. Test-Connection sends ICMP echo requests and returns an array of reply objects on success. In a properly connected environment, $OSpBT -is [Array] evaluates to $true. In a sandbox that intercepts or blocks ICMP, the result is either $null or a single error object -- not an array. The malware exploits this type-checking behavior as an implicit sandbox detection mechanism.
If the check fails, the dropper calls jTifh -- a function that executes:
"Resta" + "rt-Computer -Force"
That string concatenation is the second layer of evasion within the evasion. Signature engines scanning for Restart-Computer as a single token will not match the split form. The forced reboot is aggressive and deliberate: it destroys the analysis session, clears transient forensic state from memory, and forces any sandbox orchestrator to decide whether to continue the analysis from a cold boot. Most do not.
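As an added example (not code from the sample or from this write-up), the following Python shows the two detection fixes the preceding sections call for: decode the script by its BOM so wide-encoded content is matched as text, and collapse adjacent string literals so the split form of Restart-Computer is seen whole. The sample script bytes are constructed from fragments quoted above; the indicator list is an assumption.

```python
"""Added example: decode a UTF-16LE PowerShell dropper and normalise
split-string obfuscation before matching indicators.

Shows why a raw ASCII byte signature misses a wide-encoded script and why a
single-token signature misses '"Resta" + "rt-Computer -Force"', and how a
decode-then-normalise step recovers both.
"""
import re

# Indicators a defender would match after normalisation (assumed list,
# drawn from the techniques described in the analysis).
INDICATORS = [
    "Restart-Computer -Force",
    "[System.Reflection.Assembly]::Load",
    "-ExecutionPolicy bypass",
    "installutil",
]

# Constructed sample: fragments quoted in the analysis, encoded as the
# dropper was (UTF-16LE with FF FE BOM).
SAMPLE_SCRIPT = (
    "$OSpBT = Test-Connection 'www.google.com' -ErrorAction SilentlyContinue\n"
    'function jTifh { iex ("Resta" + "rt-Computer -Force") }\n'
    '$m = "Lo"+"ad"\n'
    "[System.Reflection.Assembly]::Load($bytes)\n"
    '$p = "C:\\Users\\Public\\cxbcw_01.ps1"\n'
)
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE_SCRIPT.encode("utf-16-le")

# Two adjacent string literals joined with '+', e.g. "Lo" + "ad".
_CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")


def decode_script(data: bytes) -> str:
    """Decode raw script bytes, honouring a UTF-16 BOM (FF FE or FE FF)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be")
    return data.decode("utf-8", errors="replace")


def collapse_concat(text: str) -> str:
    """Repeatedly join adjacent literals: "Resta" + "rt-Computer" -> "Restart-Computer"."""
    while True:
        new = _CONCAT.sub(lambda m: f'"{m.group(2)}{m.group(4)}"', text)
        if new == text:
            return new
        text = new


def ascii_signature_hits(data: bytes, indicators=INDICATORS) -> list:
    """Naive raw-byte signature: only fires on ANSI/UTF-8 encoded scripts."""
    return [s for s in indicators if s.encode() in data]


def normalised_hits(data: bytes, indicators=INDICATORS) -> list:
    """Decode by BOM, collapse concatenation, then match case-insensitively."""
    text = collapse_concat(decode_script(data)).lower()
    return [s for s in indicators if s.lower() in text]


if __name__ == "__main__":
    print("raw ASCII signature hits :", ascii_signature_hits(SAMPLE_BYTES))
    print("decoded + normalised hits:", normalised_hits(SAMPLE_BYTES))
```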
Anti-Analysis: 12-Process Blacklist
If connectivity passes, the dropper checks for running analysis tools:
```powershell
get-process 'handle','autoruns','Dbgview','tcpvcon','any.run','sandbox',
'tcpview','OLLYDBG','ImmunityDebugger','Wireshark','apateDNS','analyze'
```
If any of these twelve processes are found, the same forced reboot is triggered. The blacklist covers the full spectrum of reverse engineering tooling:
| Process Name | Tool | Category |
|---|---|---|
| handle | Sysinternals Handle | Process analysis |
| autoruns | Sysinternals Autoruns | Persistence analysis |
| Dbgview | Sysinternals DebugView | Debug output capture |
| tcpvcon | Sysinternals TCPView CLI | Network analysis |
| tcpview | Sysinternals TCPView | Network analysis |
| OLLYDBG | OllyDbg | Debugger |
| ImmunityDebugger | Immunity Debugger | Debugger |
| Wireshark | Wireshark | Packet capture |
| apateDNS | ApateDNS | Fake DNS server |
| any.run | ANY.RUN sandbox | Sandbox platform |
| sandbox | Generic sandbox process | Sandbox detection |
| analyze | Generic analysis process | Catch-all |
The inclusion of any.run as a process name is notable -- it targets the ANY.RUN interactive sandbox platform specifically. The catch-all entries sandbox and analyze cast a wide net for any tool that might self-identify through its process name.
The consequence of detection is not graceful termination. It is a forced reboot. No payload artifacts are written. No network connections are made. The only forensic evidence is a Restart-Computer entry in the Windows event log -- easily overlooked in triage.
Proxy Bypass and Network Configuration
The dropper configures its web client to bypass corporate proxy infrastructure:
```powershell
$qgtpk = New-Object System.Net.WebClient
$qgtpk.Proxy = $null
$qgtpk.Headers.Add("Cache-Control", "no-cache")
$qgtpk.Headers.Add("Pragma", "no-cache")
```
Setting Proxy = $null bypasses proxy servers that might log or inspect the traffic. The no-cache headers prevent intermediate caches from serving stale payloads, ensuring each download retrieves the current version -- critical for an actor that rotates staged files within minutes of sandbox detection.
Kill Chain: Four Stages to Banking Credential Theft
```text
+------------------+     +-------------------+     +-------------------+     +------------------+
|     STAGE 1      |     |      STAGE 2      |     |      STAGE 3      |     |     STAGE 4      |
|   sthzr.ps1      |---->|   cxbcw_01.ps1    |---->|   ClassLibrary3   |---->|   bl.txt DLL     |
|                  |     |                   |     |     .NET DLL      |     |                  |
|  UTF-16LE PS1    |     |   Dynamic PS1     |     |  Reflective Load  |     |  ConfuserEx PE   |
|  Anti-analysis   |     |  Assembly.Load()  |     |    InstallUtil    |     |  14 cert hashes  |
|  URL decode      |     |  Byte conversion  |     |  Process inject   |     |  Banking hook    |
|                  |     |                   |     |                   |     |                  |
|  HostGator URL   |     |  C:\Users\Public  |     |  castrouria.com   |     |  HTTPS intercept |
+------------------+     +-------------------+     +-------------------+     +------------------+
         |                         |                         |                        |
         v                         v                         v                        v
 meusitehostgator              cdzbc.txt              installutil.exe          Brazilian banks
  .com.br/03.txt             (byte array)             (LOLBIN bypass)        (credential theft)
```
Stage 1: URL Decode and Payload Fetch
The dropper constructs its C2 URL using base64-encoded string segments concatenated from three separate variables. This three-part split prevents any single variable from containing a complete URL that could be flagged by static analysis:
https://andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br
/eFvijUeNvf_27_02_Meus_ArquivosDeTexto/03.txt
The URL path decodes to Portuguese: "Meus ArquivosDeTexto" = "My Text Files." The _27_02_ segment is February 27th -- the campaign creation date. The random prefix eFvijUeNvf serves as a per-campaign unique identifier, allowing the actor to track which dropper variants map to which staging directory.
The decoded URL is written to C:\Users\Public\jyyjq.txt, then the dropper downloads 03.txt -- a text file containing the ClassLibrary3 .NET DLL encoded as comma-separated decimal byte values, wrapped between %x% delimiters. The byte data is saved to C:\Users\Public\cdzbc.txt.
Stage 2: Dynamic PowerShell Construction
The dropper does not contain the Stage 2 script statically. It constructs it character-by-character at runtime as a concatenated string, writes it to C:\Users\Public\cxbcw_01.ps1, and executes it with -ExecutionPolicy bypass. This runtime construction means the Stage 2 logic never exists as a static pattern in the original dropper -- each execution generates it fresh.
The dynamically constructed script performs four operations:
- Reads the comma-separated byte values from cdzbc.txt
- Splits on commas and converts each string to an integer byte value
- Calls [System.Reflection.Assembly]::Load($bytes) -- reflective loading that avoids writing the DLL to disk as a PE file
- Resolves ClassLibrary3.Class1 and invokes the prFVI method with five parameters
Stage 3: Reflective .NET Loading and InstallUtil Abuse
The prFVI method in ClassLibrary3 receives five parameters that configure the final payload delivery:
| Parameter | Value | Purpose |
|---|---|---|
| 1 | Reversed-base64 URL | Decodes to https://catalogo.castrouria.com/bl.txt |
| 2 | C:\Users\Public\jllbm[CJK chars]s | Staging path with Chinese character noise |
| 3 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil | LOLBIN path |
| 4 | $true | Enable persistence/injection flag |
| 5 | HostGator PeYes endpoint URL | Main C2 callback |
The secondary URL (parameter 1) uses reversed string encoding: the base64-encoded URL string is stored backwards in the source. The DLL reverses it before decoding -- a simple but effective trick that breaks static extraction of URLs from the binary.
The InstallUtil path (parameter 3) is the signature Astaroth technique. installutil.exe is a Microsoft-signed .NET Framework utility designed to run installer components in assemblies. Because it is signed by Microsoft, it is trusted by default in AppLocker and WDAC policies (MITRE T1218.004). The malware abuses this trust to load arbitrary .NET code under the guise of a legitimate system tool. The D DD prefix observed in the parameter string is likely parsed and stripped by the DLL's argument handler before the path is consumed.
The Chinese characters injected into the staging path (parameter 2) serve as OPSEC noise -- they complicate log parsing and may cause encoding issues in security tools that do not handle CJK characters gracefully.
Stage 4: Final Payload -- bl.txt
The bl.txt file hosted at catalogo.castrouria.com contains the final banking trojan payload. It uses a novel two-layer encoding scheme:
Layer 1 -- Byte order reversal: The 619,520 decimal byte values of the PE are stored in reverse order. The last byte of the PE appears first in the file, and the first byte (4D -- the "M" in "MZ") appears last.
Layer 2 -- Digit reversal: Each decimal byte value has its individual digits reversed. 128 becomes 821. 90 becomes 09. 255 becomes 552. Single-digit values remain unchanged.
```python
# Decoding the entire payload takes only a few lines of Python:
raw = open('bl.txt').read()
parts = [p.strip() for p in raw.split(',') if p.strip()]  # tolerate trailing comma / newline
parts = parts[::-1]                                        # Layer 1: undo byte-order reversal
decoded = bytes(int(p[::-1]) for p in parts)               # Layer 2: undo per-value digit reversal
assert decoded[0:2] == b'MZ'                               # valid PE header
```
The encoding is trivially reversible by anyone who recognizes the pattern, but it defeats automated payload extraction tools that expect standard encodings (base64, hex, XOR). The double-reversal creates an output that does not resemble any common encoding scheme at first glance.
The decoded PE is a 619KB .NET assembly with the following characteristics:
| Property | Value |
|---|---|
| Format | PE32 .NET assembly |
| Size | 619,520 bytes |
| Protection | ConfuserEx |
| Metadata | Stripped -- GUID-based method and class names |
| Obfuscation | Heavy control flow, string encryption, anti-tamper |
| SHA256 | 0cb0277ade2fb8bfc49c702621c31096e1268d38d7aee06436311affa06fe750 |
| MD5 | b62a4b2b55ac89dfec803c27436b84ce |
The assembly imports cryptographic primitives (AesCryptoServiceProvider, RSACryptoServiceProvider, RijndaelManaged) and Win32 injection APIs (LoadLibrary, GetProcAddress, GetDelegateForFunctionPointer, OpenProcess) -- the toolkit for process injection and encrypted C2 communication.
The Banking Hook: 14 Certificate Fingerprints
The decoded DLL embeds 14 SHA256 certificate fingerprints hardcoded as string constants. These are thumbprints used to identify TLS server certificates presented by specific Brazilian banking portals during HTTPS connections. When Astaroth detects a TLS handshake whose server certificate matches one of these hashes, it interposes on the connection to capture banking credentials through overlay attacks or form-grabbing injection.
This is more targeted than generic man-in-the-browser attacks. The malware only activates when it identifies a connection to a monitored institution, reducing noise and detection risk. The fingerprint approach also survives domain changes -- fingerprints remain valid as long as the same TLS certificate is in use. The 14 fingerprints are consistent with the major Brazilian banks historically targeted by Astaroth: Itau Unibanco, Bradesco, Caixa Economica Federal, Banco do Brasil, and Santander Brasil.
Defenders at Brazilian financial institutions should cross-reference these fingerprints against their production TLS certificate thumbprints to determine which institutions are being targeted.
Infrastructure: HostGator Brazil as a Malware CDN
The primary staging infrastructure abuses HostGator Brazil's free subdomain hosting service at meusitehostgator.com.br. The actor registers subdomains using a deterministic naming convention:
[BrazilianFullName][UnixTimestampMs].[NumericID].meusitehostgator.com.br
The components break down as follows:
| Component | Example | Purpose |
|---|---|---|
| BrazilianFullName | andrefelipedonascime | Persona name (truncated at ~20 chars) |
| UnixTimestampMs | 1772127941945 | Registration timestamp (ms precision) |
| NumericID | 0062186 | HostGator internal account ID |
The names are drawn from common Brazilian first and last names -- Andre Felipe do Nascimento, Lucas Nobre, Tiago Souza dos Santos -- auto-generated from name dictionaries. Names are truncated to fit subdomain length limits, which is why andrefelipedonascime cuts off "nto" from "Nascimento."
URLscan reveals 1,680+ subdomains following this convention, registered between late 2025 and the present day. The actor burns through staging infrastructure faster than blocklists can keep up -- by the time a subdomain appears on a threat feed, the payload has been rotated and a fresh subdomain is in use.
Active subdomains observed in the 48 hours surrounding this sample:
lucasnobre1773638933811.1291976.meusitehostgator.com.br
tiagosouzadossantos1773600235000.1952054.meusitehostgator.com.br
anacarolinaelviradea1773599696606.0772036.meusitehostgator.com.br
renanafonsoalvesferr1773580835000.1152144.meusitehostgator.com.br
mayarasilveiradonasc1773581350597.1631961.meusitehostgator.com.br
fabiojuniooliveirado1773571239669.1511913.meusitehostgator.com.br
andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br <-- THIS SAMPLE
Timestamp Reconstruction
The embedded timestamps allow full reconstruction of registration cadence. The actor registers multiple subdomains per day in clusters, suggesting automated registration scripts. The andrefelipe persona used in this sample was created February 27 -- two weeks before the dropper was submitted, consistent with a staging window where payloads are uploaded and tested before distribution.
The earliest observed subdomain for this persona maps to 1768785037020 -- approximately November 18, 2025. This actor has been operating continuously for at least four months. All HostGator subdomains resolve through Cloudflare (AS13335), hiding the origin server IP.
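As an added example (not part of the original analysis), the following Python applies the naming convention and regex described above to candidate hostnames, decomposes each into persona, millisecond timestamp and account id, and groups matches by UTC registration day so cadence can be read off DNS or proxy logs. The matching hostnames are taken from the lists above; the two non-matching decoys are constructed.

```python
"""Added example: parse HostGator staging hostnames of the form
[BrazilianFullName][UnixTimestampMs].[NumericID].meusitehostgator.com.br
and reconstruct registration cadence from the embedded timestamps.

The timestamp is interpreted as Unix epoch milliseconds, as the write-up
states, and rendered in UTC.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple, Optional

# Naming convention regex from the write-up: lowercase persona name,
# 13-digit millisecond timestamp, 7-digit HostGator account id.
STAGING_RE = re.compile(
    r"^([a-z]+)(\d{13})\.(\d{7})\.meusitehostgator\.com\.br$"
)


class Staging(NamedTuple):
    host: str
    persona: str
    registered: datetime  # UTC, derived from the millisecond timestamp
    account_id: str


def parse_staging_host(host: str) -> Optional[Staging]:
    """Decompose a hostname, or return None if it does not fit the pattern."""
    m = STAGING_RE.match(host.strip().lower().rstrip("."))
    if not m:
        return None
    persona, ts_ms, account_id = m.groups()
    registered = datetime.fromtimestamp(int(ts_ms) / 1000, tz=timezone.utc)
    return Staging(host, persona, registered, account_id)


def cadence_by_day(hosts) -> dict:
    """Map each UTC registration date to the personas registered that day."""
    days = defaultdict(list)
    for h in hosts:
        s = parse_staging_host(h)
        if s is not None:
            days[s.registered.date().isoformat()].append(s.persona)
    return dict(sorted(days.items()))


# Hostnames from the write-up, plus two constructed hostnames that a
# blanket match on the apex domain would wrongly sweep up.
SAMPLE_HOSTS = [
    "andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br",
    "lucasnobre1773638933811.1291976.meusitehostgator.com.br",
    "tiagosouzadossantos1773600235000.1952054.meusitehostgator.com.br",
    "anacarolinaelviradea1773599696606.0772036.meusitehostgator.com.br",
    "minha-loja.meusitehostgator.com.br",  # constructed: ordinary customer site
    "www.example.com",                      # constructed: unrelated host
]


if __name__ == "__main__":
    for day, personas in cadence_by_day(SAMPLE_HOSTS).items():
        print(day, personas)
```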
The Compromised Spanish Server
The secondary C2 at catalogo.castrouria.com is not actor-controlled infrastructure. It is a compromised legitimate Spanish website belonging to a business in Ourense, Galicia.
| Property | Value |
|---|---|
| Domain | catalogo.castrouria.com |
| IP | 185.209.61.135 |
| Main domain IP | 217.61.209.185 |
| Hosting | Grupo Loading Systems S.L. |
| Country | Spain |
| Web stack | Plesk, Nginx, MariaDB, Postfix |
| Known CVEs | 14 |
| SSL cert issued | 2026-01-29 |
| WHOIS last modified | 2026-02-24 |
The server exposes 14 known CVEs, several of which are critical:
| CVE | Service | Impact | CVSS |
|---|---|---|---|
| CVE-2023-38408 | OpenSSH agent | Remote code execution via agent forwarding | 9.8 |
| CVE-2023-48795 | OpenSSH | Terrapin prefix truncation (integrity bypass) | 5.9 |
| CVE-2025-26465 | OpenSSH | MitM vulnerability | 6.8 |
| CVE-2025-32728 | OpenSSH | SSH vulnerability | -- |
CVE-2023-38408 (OpenSSH agent RCE, CVSS 9.8) provides a plausible initial access vector. The SSL certificate for catalogo.castrouria.com was issued January 29, 2026 -- the actor gained access roughly six weeks before this sample surfaced.
The payload bl.txt was still live and serving the 619KB DLL at time of analysis (2026-03-16 09:29 UTC).
Campaign Timeline
| Date | Event |
|---|---|
| 2025-03-14 | meusitehostgator.com.br domain created (HostGator Brazil service launch) |
| 2025-11-18 | Earliest observed andrefelipe staging account (timestamp 1768785037020) |
| 2026-01-29 | catalogo.castrouria.com SSL cert issued (infrastructure prep) |
| 2026-02-06 | URLscan records earliest andrefelipedonascime* subdomain (HTTP 200) |
| 2026-02-24 | castrouria.com WHOIS last modified |
| 2026-02-27 | This sample's HostGator account created (timestamp 1772127941945) |
| 2026-03-13 | Earliest scan of eFvijUeNvf_27_02_Meus_ArquivosDeTexto/03.txt path |
| 2026-03-15 | /02.txt variant scanned (previous campaign iteration) |
| 2026-03-16 06:48 | sthzr.ps1 submitted to sandbox |
| 2026-03-16 06:56 | URLscan of HostGator C2 URL returns 404 (payload already rotated) |
| 2026-03-16 09:29 | bl.txt on castrouria.com confirmed LIVE |
The HostGator payload was rotated within 8 minutes of the sandbox submission. The castrouria.com payload was not. The actor monitors HostGator subdomains (likely via URLscan or VirusTotal feeds) and rotates aggressively when scanned. The compromised Spanish server, lacking this monitoring, was left serving malware hours later. The /02.txt variant from March 15 indicates daily payload iteration.
Attribution: Astaroth / Guildma
Confidence: HIGH
This is Astaroth. The attribution is based on eight independent indicators, each of which is consistent with documented Astaroth TTPs and collectively provide high-confidence attribution:
- Brazilian Portuguese infrastructure: Directory names ("Meus ArquivosDeTexto" = "My Text Files"), HostGator Brazil subdomain abuse, 1,680+ staging accounts using Brazilian full names
- InstallUtil LOLBIN abuse: Signature Astaroth technique documented since Cofense's 2019 analysis and consistently observed in every subsequent campaign
- Multi-stage PS1 to .NET to process injection: The canonical Astaroth infection chain, unchanged in architecture since 2018
- Reflective Assembly.Load() from comma-separated byte array: Matches Astaroth's documented in-memory loading pattern, avoiding PE files on disk
- Forced reboot on analysis detection: A behavior unique to Brazilian banking trojans, documented specifically in Astaroth by Microsoft DART and Cybereason
- ConfuserEx protection on .NET payloads: Common in the Brazilian threat actor ecosystem, consistently observed in Astaroth/Guildma/Grandoreiro/Casbaneiro families
- Comma-separated byte DLL delivery via .txt files: Astaroth's signature staging technique, unchanged across years of campaigns
- Banking certificate fingerprint hooking: Consistent with Brazilian bank targeting (Itau, Bradesco, Caixa, Banco do Brasil, Santander BR) -- the same institutions targeted by Astaroth since its inception
OPSEC Failures
Despite the multi-layer obfuscation and aggressive anti-analysis measures, the actor made several operational security mistakes that enabled comprehensive campaign mapping:
- Timestamps in subdomain names -- Embedding Unix timestamps in hostnames allows full reconstruction of the campaign registration timeline, revealing operational cadence, working hours, and infrastructure lifespan
- Portuguese path names in URLs -- "Meus_ArquivosDeTexto" explicitly identifies the actor's language and cultural context
- Reused persona name -- The "andrefelipedonascime" persona appears across multiple staging accounts spanning months, creating a linkable thread across campaigns
- Unpatched compromised server -- castrouria.com has 14 CVEs including a critical OpenSSH RCE, making it trivially identifiable as compromised infrastructure rather than actor-controlled
- Payload left live -- bl.txt was still serving the banking trojan DLL hours after the dropper was submitted to a public sandbox
- Trivially reversible encoding -- The digit-reversal plus byte-order-reversal scheme is a Python one-liner to decode, providing no meaningful protection against analyst review
- Deterministic naming convention -- The [name][timestamp].[id].meusitehostgator.com.br pattern enables bulk enumeration of all campaign infrastructure via URLscan regex searches
Indicators of Compromise
File Hashes
| Type | Hash | Description |
|---|---|---|
| SHA256 | 4ba3c1a20ce0bdc7f78820d9bfc337cabc75087bfce2a080e15f694d29ae4715 | Stage 1 dropper (sthzr.ps1) |
| MD5 | e81f0cfad01ee0d80968ca43dd95685d | Stage 1 dropper |
| SHA1 | 14b7740ca4356f90c6f2c9aecc6afd31641d2b3b | Stage 1 dropper |
| SHA256 | 0cb0277ade2fb8bfc49c702621c31096e1268d38d7aee06436311affa06fe750 | Decoded bl.txt DLL payload |
| MD5 | b62a4b2b55ac89dfec803c27436b84ce | Decoded bl.txt DLL payload |
URLs
| URL | Status | Role |
|---|---|---|
| https://andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br/eFvijUeNvf_27_02_Meus_ArquivosDeTexto/03.txt | 404 (rotated) | ClassLibrary3 DLL download |
| https://andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br/eFvijUeNvf_27_02_Meus_ArquivosDeTexto/PeYes | Unknown | Secondary payload/C2 callback endpoint |
| https://catalogo.castrouria.com/bl.txt | LIVE | Final DLL payload (619KB) |
Domains
| Domain | Role | ASN | Country |
|---|---|---|---|
| andrefelipedonascime1772127941945.0062186.meusitehostgator.com.br | C2 staging | AS13335 (Cloudflare) | BR |
| meusitehostgator.com.br | C2 apex (HostGator Brazil free hosting) | AS13335 (Cloudflare) | BR |
| catalogo.castrouria.com | Final payload host (compromised) | Grupo Loading Systems S.L. | ES |
| castrouria.com | Compromised legitimate Spanish domain | Grupo Loading Systems S.L. | ES |
IP Addresses
| IP | Role | Organization | Country |
|---|---|---|---|
| 172.64.145.200 | Cloudflare CDN edge (HostGator C2) | Cloudflare, Inc. (AS13335) | US |
| 2a06:98c1:3101::6812:2a38 | Cloudflare CDN edge (IPv6) | Cloudflare, Inc. | US |
| 2606:4700:440a::ac40:91c8 | Cloudflare CDN edge (IPv6) | Cloudflare, Inc. | US |
| 185.209.61.135 | catalogo.castrouria.com server | Unknown | ES |
| 217.61.209.185 | castrouria.com main server | Grupo Loading Systems S.L. | ES |
File System Artifacts
| Path | Purpose |
|---|---|
| C:\Users\Public\jyyjq.txt | Decoded C2 URL storage |
| C:\Users\Public\cdzbc.txt | ClassLibrary3 DLL as comma-separated bytes |
| C:\Users\Public\cxbcw_01.ps1 | Dynamically constructed Stage 2 script |
| C:\Users\Public\jllbm[CJK chars]s | Staging path (Chinese characters as OPSEC noise) |
Anti-Analysis Process Blacklist
| Process Name | Tool | Category |
|---|---|---|
| handle | Sysinternals Handle | Process analysis |
| autoruns | Sysinternals Autoruns | Persistence analysis |
| Dbgview | Sysinternals DebugView | Debug output capture |
| tcpvcon | Sysinternals TCPView CLI | Network analysis |
| any.run | ANY.RUN sandbox | Sandbox platform |
| sandbox | Generic sandbox process | Sandbox detection |
| tcpview | Sysinternals TCPView | Network analysis |
| OLLYDBG | OllyDbg debugger | x86 debugger |
| ImmunityDebugger | Immunity Debugger | x86 debugger |
| Wireshark | Wireshark network analyzer | Packet capture |
| apateDNS | ApateDNS fake DNS server | DNS analysis |
| analyze | Generic analysis process | Catch-all |
MITRE ATT&CK
| ID | Technique | Implementation |
|---|---|---|
| T1059.001 | PowerShell | Primary execution engine across all four stages |
| T1027 | Obfuscated Files or Information | UTF-16LE encoding, base64, string splitting, reversed byte encoding, comma-separated byte DLL |
| T1027.010 | Command Obfuscation | "Resta" + "rt-Computer", "Lo"+"ad", "inv"+"oke" string concatenation |
| T1036.008 | Masquerade File Type | PowerShell script encoded as UTF-16LE wide-character format |
| T1497.001 | System Checks (Sandbox Evasion) | Google ICMP ping array check, 12-process blacklist |
| T1497.003 | Time Based Evasion | Start-Sleep -Seconds 5 delays between stages |
| T1529 | System Shutdown/Reboot | Forced Restart-Computer -Force on analysis detection |
| T1105 | Ingress Tool Transfer | Downloads 03.txt (Stage 2 DLL), PeYes (C2 callback), bl.txt (final payload) |
| T1071.001 | Web Protocols | HTTPS C2 over TLS 1.2 with no-cache headers and proxy bypass |
| T1620 | Reflective Code Loading | [System.Reflection.Assembly]::Load() from in-memory byte array |
| T1218.004 | InstallUtil | installutil.exe as AppLocker/WDAC bypass for .NET payload execution |
| T1055 | Process Injection | LoadLibrary, GetProcAddress, GetDelegateForFunctionPointer, OpenProcess |
| T1140 | Deobfuscate/Decode Files | Base64 decode, reversed byte array reconstruction, digit reversal |
| T1553 | Subvert Trust Controls | 14 banking certificate fingerprints for targeted TLS interception |
| T1539 | Steal Web Session Cookie | Browser injection for banking session credential capture |
| T1552 | Unsecured Credentials | Banking credential theft via overlay/hook on targeted HTTPS sessions |
Defensive Recommendations
Immediate Network Controls
- Block *.meusitehostgator.com.br at DNS and proxy level. The scale of abuse (1,680+ malicious subdomains) warrants blanket blocking. Legitimate Brazilian blogs hosted on the platform will be collateral damage -- an acceptable tradeoff given the volume of malicious activity.
- Block catalogo.castrouria.com and castrouria.com at your network perimeter. Both IPs (185.209.61.135 and 217.61.209.185) should be added to firewall deny lists.
- Block -ExecutionPolicy bypass via Windows Defender Application Control (WDAC) or AppLocker constrained language mode. This is the execution policy override used by Astaroth in every documented campaign.
Endpoint Detection
- Alert on [System.Reflection.Assembly]::Load in PowerShell Script Block Logging (Event ID 4104). This is the reflective loading call that brings the .NET DLL into memory without touching disk.
- Alert on installutil.exe execution from non-standard parent processes, especially when the working directory is C:\Users\Public\. Legitimate InstallUtil usage originates from Visual Studio or MSBuild, not from PowerShell scripts in public directories.
- Monitor C:\Users\Public\ for .ps1 and .txt file creation. Astaroth consistently stages artifacts in this directory across campaigns -- it is world-writable and rarely monitored.
- Enable PowerShell Script Block Logging if not already configured: HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging. This captures the deobfuscated script content at execution time, bypassing the UTF-16LE encoding evasion.
Threat Hunting
- Hunt for these specific file paths on all Windows endpoints: C:\Users\Public\jyyjq.txt, C:\Users\Public\cdzbc.txt, C:\Users\Public\cxbcw_01.ps1
- Hunt for unexpected Restart-Computer events in Windows event logs. A forced reboot immediately following PowerShell execution is a strong indicator of Astaroth's anti-analysis gate firing on an infected endpoint.
- Hunt for Test-Connection to google.com in PowerShell logs followed by process termination or reboot. This two-step sequence (connectivity check then abort/reboot) is characteristic of this dropper family.
Notification and Takedown
- Notify HostGator Brasil (abuse@hostgator.com.br) regarding the 1,680+ subdomains being abused for malware staging. Provide the naming convention regex for bulk identification: ^[a-z]+\d{13}\.\d{7}\.meusitehostgator\.com\.br$
- Notify Grupo Loading Systems S.L. regarding the castrouria.com compromise and the 14 unpatched CVEs on their server. The bl.txt payload was still live at time of publication.
This investigation was conducted by automated OSINT pipelines using sandbox submissions, passive DNS, URLscan, WHOIS records, certificate transparency logs, and static analysis of publicly submitted samples. No unauthorized access was performed.
Breakglass Intelligence -- Automated OSINT by BGI