
AsyncRAT


AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. The malware was published on GitHub as legitimate open-source remote administration software, but attackers adopted it for its many powerful malicious functions.

Type: RAT
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 27 September, 2025


IOCs

IP addresses
20.111.27.231
193.32.126.240
91.193.75.20
185.234.247.8
185.234.72.186
37.120.153.102
185.242.5.90
136.243.111.71
186.169.76.124
128.90.106.203
185.246.113.191
37.120.208.40
172.94.126.28
198.244.216.42
46.246.82.18
128.90.102.236
65.21.85.133
45.141.215.63
46.246.82.16
3.125.102.39
Hashes

Domains
rownip.3utilities.com
wqemzxncpiou.click
zbqwmnzxopru.click
dual.saltuta.com
googledrive.myftp.org
namoet.de
zcnvqpweoriu.click
asdkjczxmeuw.click
rownip.theworkpc.com
agentpurple.ac.ug
verify.uniupdate.net
googledrive.dynu.net
zxvnqwejlkgh.click
tcp.cloudpub.ru
qowuensmzxcv.click
mznvqiweurty.click
lkjzmxnqpwer.click
nmasdqwpeiru.click
lksmzqwenxop.click
agentttt.ac.ug
URLs
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
tcp://0.tcp.eu.ngrok.io/
tcp://2.tcp.eu.ngrok.io/
tcp://hieuanh-58355.portmap.host:58355/
tcp://hieuanh-49217.portmap.host:49217/
tcp://hieuanh-52625.portmap.host:52625/
tcp://hieuanh1-25700.portmap.host:25700/
tcp://hieuanh1-42498.portmap.host:42498/
tcp://4.tcp.ngrok.io/
tcp://HurensohnListe-31639.portmap.io/
https://api.telegram.org/bot5056556531:AAG9iGmK2jKw13ylU7MlMcVFjufBMeyCnUI/send
tcp://HurensohnListe-31639.portmap.io:31639/
tcp://4.tcp.eu.ngrok.io/
https://api.telegram.org/bot5578120367:AAGWyOK-DTL0bF8pwRmV8kQu24HbLZCy0Os/send
tcp://HurensohnListe-52132.portmap.io/
https://d0cf-47-149-75-215.ngrok.io/
http://standart-south.at.playit.gg/
https://pastebin.com/raw/mchxnAbT

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first AsyncRAT strain loaded via VBScript. In 2022, a heavily modified version of the malware appeared, spread in a spear-phishing campaign whose attachment downloaded ISO files. This strain evaded most of the security controls it encountered.

Because the malware is open source, attackers have produced numerous modified builds of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be delivered in fileless form; it is thought to spread by email as compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. Its operators aim to steal personal credentials or banking details and use them as leverage to demand a ransom.


How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, follow the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

As with any other malware, the execution process of AsyncRAT may vary and change over time and between versions; its open-source origin makes it easy to alter its functionality. The execution chain itself is plain and straightforward, much like that of many other malware families. The RAT may run as a single process on the infected system or inject into system processes.

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. The payload then added itself to autorun and paused briefly using timeout. Finally, AsyncRAT launched itself again as a child process and attempted to connect to its C2 server. The malware configuration was extracted from the sample automatically, which saves analysts a lot of manual work.


How to detect AsyncRAT using ANY.RUN?

Older versions of AsyncRAT can be identified by the registry key and value name D04F4D4D0DF87BA77AAE that they write. The newest versions send stolen information to their panel right after execution starts, so detection typically occurs in under a minute. Apart from that, AsyncRAT is caught by YARA rules.
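The behaviours described in the execution-chain section above (Office document dropping a payload, Run-key autorun, a timeout pause, self-relaunch as a child process, an early connection to C2) and the registry marker named in this section can be turned into a simple behavioural detector. The script below is an added example written for this page, not ANY.RUN's or AsyncRAT's own code. It runs over a constructed Sysmon-style event trace embedded inline (no real telemetry), and the relay-service suffixes and the 60-second "early beacon" window are assumptions generalised from the IOC list rather than facts stated on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Registry value name the page attributes to older AsyncRAT builds.
ASYNCRAT_REG_MARKER = "d04f4d4d0df87ba77aae"
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Tunnel/relay services present in the page's IOC list. Matching on the
# service suffix (rather than each exact hostname) is an assumption made here.
RELAY_SUFFIXES = (".ngrok.io", ".portmap.host", ".portmap.io", ".playit.gg")
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+", re.I)
EARLY_C2_WINDOW_S = 60.0   # assumed window for "beacons right after start"


@dataclass
class Event:
    ts: float          # seconds since the trace started
    kind: str          # "process" | "registry" | "network"
    pid: int
    image: str         # full path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""   # registry path or network destination


def _name(path: str) -> str:
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return {finding_tag: sorted pids} for the AsyncRAT-like chain."""
    findings = defaultdict(set)
    started = {}  # pid -> first process-creation timestamp seen
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process":
            started.setdefault(e.pid, e.ts)
            if _name(e.parent_image) in OFFICE_APPS:
                findings["office_dropped_child"].add(e.pid)
            if _name(e.image) == "timeout.exe" or re.search(r"\btimeout\b", e.cmdline, re.I):
                # the process that waited is the parent, so attribute it there
                findings["timeout_sleep"].add(e.ppid)
            if e.parent_image and e.parent_image.lower() == e.image.lower():
                findings["self_relaunch"].add(e.pid)
        elif e.kind == "registry":
            target = e.target.lower()
            if RUN_KEY in target:
                findings["run_key_persistence"].add(e.pid)
            if ASYNCRAT_REG_MARKER in target:
                findings["asyncrat_registry_marker"].add(e.pid)
        elif e.kind == "network":
            dest = re.sub(r"^[a-z]+://", "", e.target.lower())
            host = dest.split("/", 1)[0].rsplit(":", 1)[0]
            suspicious = host.endswith(RELAY_SUFFIXES) or bool(TELEGRAM_BOT_RE.search(dest))
            age = e.ts - started.get(e.pid, e.ts)
            if suspicious and age <= EARLY_C2_WINDOW_S:
                findings["early_c2_beacon"].add(e.pid)
    return {tag: sorted(pids) for tag, pids in findings.items()}


# Constructed trace (not from the page) that follows the chain described above,
# plus one benign browser session that must produce no findings.
DROPPED = r"C:\Users\victim\AppData\Roaming\svchosts.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
TRACE = [
    Event(0.0, "process", 100, WINWORD, ppid=50, parent_image=r"C:\Windows\explorer.exe"),
    Event(5.0, "process", 200, DROPPED, ppid=100, parent_image=WINWORD),
    Event(6.0, "registry", 200, DROPPED,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchosts"),
    Event(7.0, "process", 300, r"C:\Windows\System32\cmd.exe", ppid=200,
          parent_image=DROPPED, cmdline="cmd.exe /c timeout 3"),
    Event(11.0, "process", 400, DROPPED, ppid=200, parent_image=DROPPED),
    Event(12.0, "network", 400, DROPPED, target="tcp://4.tcp.eu.ngrok.io/"),
    Event(13.0, "registry", 400, DROPPED, target=r"HKCU\Software\D04F4D4D0DF87BA77AAE"),
    Event(20.0, "process", 500, CHROME, ppid=50, parent_image=r"C:\Windows\explorer.exe"),
    Event(21.0, "network", 500, CHROME, target="https://www.example.com/"),
]

if __name__ == "__main__":
    for tag, pids in sorted(analyze(TRACE).items()):
        print(f"{tag:26s} pids={pids}")
```

Each rule on its own is noisy (timeout is used by plenty of legitimate scripts, and ngrok has lawful users), so in practice the findings would be correlated per process tree and only the combination of persistence, self-relaunch and an early beacon to a relay or Telegram bot endpoint would be escalated.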

Gathering threat intelligence on AsyncRAT malware

To collect up-to-date intelligence on AsyncRAT, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like AsyncRAT.

Search results for AsyncRAT in Threat Intelligence Lookup

For example, you can search directly for the threat name or pivot on related indicators such as hash values or network connections. Submitting a query such as threatName:"asyncrat" AND domainName:"" returns a list of files, events, domain names, and other data extracted from AsyncRAT samples, together with the sandbox sessions they came from, which you can explore in detail to build a comprehensive picture of the malware's behavior.


Distribution of AsyncRAT

AsyncRAT uses several distribution methods. It is usually spread as a malicious attachment in spam email campaigns or via malicious ads on compromised websites. Sometimes the RAT is dropped by other malware that first infected the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

Conclusion

It is difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes, but it may be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support a wide range of distribution methods, including fileless delivery, which makes this RAT highly dangerous.

Researchers can nonetheless identify any of its strains by running an analysis in the ANY.RUN sandbox. On average it takes only about 2 minutes to launch an emulation, diagnose AsyncRAT, and collect indicators of compromise.
