
AsyncRAT

Global rank: 10
Month rank: 4
Week rank: 4
IOCs: 3007

AsyncRAT is a RAT that can monitor and remotely control infected systems. The malware was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Type: RAT
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 28 February, 2024


IOCs

IP addresses
91.134.150.150
5.182.87.154
45.128.96.16
185.222.58.40
82.64.156.123
147.185.221.18
193.161.193.99
193.222.96.201
185.87.150.199
109.205.162.97
141.95.84.40
89.23.100.93
185.169.180.209
147.185.221.17
37.75.98.113
82.115.223.244
194.37.80.5
107.181.189.34
171.233.98.70
45.40.96.97
Hashes
5927292c52d3889c4da6e2b3f9d672b54ecccecf58958c3a2b7017343a2d5a5f
23ce587c170037eb8e01ac4cb38942b0c4873a88fc57af4154a57bcce5910426
125b3156a71249ba5eb73b071edcb58fe1a1ec56638178727ad2d0ea65093ceb
4d2ff3e7abee65984b4ac8f6800bbac243b8a751d3308e8508395f639e2a431f
c63ce128ee4c0442e303b86d27e3e7df8eff15a04a44ada8cabfa965144ccf56
a1a917da02bed91c11d1580710acb803b1c81b97625c5026eb669bb13c201628
7159170db844714a035126cc3924c3150bb4b7246ac0ca2ee75cab81a029390e
f0feba3f2dc468a0d0490e26d267788224336eb7a19f782df3b5627d976355df
12b1e5e8d4318208c0bcecdacd4c6d0fcdda31d423ec1d30a3a7577c4695f19f
112d2164e913af006efee0bd2ef21494f73990546f1e048ff6d24d295a3947be
10d3ed998ea8b636dd7e78ce20cc87cf3373c7d78a4c9a7fbd941e31b6b49203
188599d3566db6b2a16fbc7a8ca1fc58a3a92a75522a13beb4f0cb2f8cd1da7d
d349bf2dac5882293ef395f7381817507697c87cbf156e0c2bfadc513e0b7394
6a5e172a5d6d726582dfffc40f5d6d9de97ccce97f1902cbdc106afe5ddd4b60
5a35b4b2d0cea1f24659454d083bde1155d267437d8ada9f03b7ef1a35f05376
da933c30a70af4a70967a739fa362b0ed32b5ac8a93c23efddee5ca1ad7a5d92
ca836ec06d1add1e3d0caf74ee2ec0b3c1995ff82c125a2a237364e51a2a9b98
d173f0a86e693ad02d756c7f8f1bee445c663aecf2b4f886f733ca01c0911345
0c8f5d9b8055b75ca448590bc78bff4c6065e12c747e99044d40fb86904bac7e
c9943e8d85447bee75ceef9c483411e53af7a7ba9ed0b20f7d9b2e4b2cae58a8
Domains
0.tcp.eu.ngrok.io
alexandertorrenegra.con-ip.com
myryam.con-ip.com
carlosenriquezdomin.con-ip.com
procesoexitos1.duckdns.org
informes8520.duckdns.org
bendicionesdios.dynuddns.net
strongandliving.ddnsfree.com
mrrxr.duckdns.org
0.tcp.sa.ngrok.io
18.ip.gl.ply.gg
seznam.zapto.org
shailputrimt1.publicvm.com
febrerososte.duckdns.org
5ra.webredirect.org
sdd4514136100juciywrldl.ddns.net
17.ip.gl.ply.gg
drax2023.run.place
7.tcp.eu.ngrok.io
b7.bestroyal2025.com.ly
URLs
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
https://pastebin.com/raw/LwwcrLg4
https://pastebin.com/raw/cc2XUtcH
https://pastebin.com/raw/y83x1j1x
tcp://8.tcp.ngrok.io/
https://pastebin.com/raw/LcdXxCV3
https://pastebin.com/raw/Q1VWYp6c
https://pastebin.com/raw/QCMD0FrN
https://pastebin.com/raw/qdXK6W8x
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://pastebin.com/7K8UFSCC
https://pastebin.com/raw/zbgUhKiW
http://playit.gg/claim/fe7a2f95a7
https://pastebin.com/raw/QeEC9AnT
https://pastebin.com/raw/8g5YR6Zp
https://pastebin.com/raw/6Zwt3zFm
https://pastebin.com/raw/2sA3FZN3
https://pastebin.com/raw/yNvApe4L
https://pastebin.com/raw/CP5zUzVw
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send


What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the COVID-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first AsyncRAT strain loaded via VBScript. In 2022, a heavily modified version of the malware appeared, spread in a spear-phishing campaign whose attachment downloaded ISO files. This strain evaded most security controls.

Because of the open-source nature of this malware, attackers have developed numerous variants of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

As with any other malware, the execution process of AsyncRAT varies across versions and changes over time; as mentioned above, its open-source origin makes its functionality easy to modify. The execution chain itself is plain and straightforward, as with much other malware. The RAT may run as just a single process on the infected system or infect existing system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. The malware then added itself to autorun and paused briefly using the timeout command. Finally, AsyncRAT ran itself as a child process and attempted to connect to its C2 server. The malware configuration was extracted from the sample automatically, saving analysts a lot of manual work.

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses several distribution methods. It is usually spread as malicious attachments in spam email campaigns or via malicious ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the registry key and value name D04F4D4D0DF87BA77AAE they wrote. The newest version of the malicious program sends the stolen information to its panel right after execution starts, so detection occurs in under a minute. In addition, AsyncRAT is caught by YARA rules.
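The two detection signals described above (the registry marker written by older builds and the network indicators from the IOC list on this page) can be turned into a simple log-scanning check. The following Python script is an added example written for this page; it is not ANY.RUN's code. It uses a subset of the IP addresses and domains from the IOC list above plus the registry name D04F4D4D0DF87BA77AAE, and runs over a handful of constructed log lines whose format (timestamp, event type, key=value fields) is an assumption, not any real product's telemetry. Going slightly beyond the text, it also refangs defanged indicators (`[.]`, `hxxp`), since IOC feeds are often shared in that form.

```python
import re
from dataclasses import dataclass

# Subset of the indicators listed on this page (IP addresses and domains).
ASYNCRAT_IPS = {"91.134.150.150", "5.182.87.154", "45.128.96.16"}
ASYNCRAT_DOMAINS = {
    "procesoexitos1.duckdns.org",
    "mrrxr.duckdns.org",
    "0.tcp.eu.ngrok.io",
}
# Registry key/value name written by old AsyncRAT builds, as stated on this page.
ASYNCRAT_REGISTRY_MARKER = "D04F4D4D0DF87BA77AAE"

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "domain" or "registry"
    indicator: str


def refang(value: str) -> str:
    """Turn a defanged indicator (as often shared in IOC feeds) back into a matchable one."""
    return (value.replace("[.]", ".")
                 .replace("(.)", ".")
                 .replace("hxxp://", "http://")
                 .replace("hxxps://", "https://")
                 .strip())


def scan_line(line_no: int, line: str) -> list:
    """Return all AsyncRAT indicator hits found in one log line."""
    hits = []
    text = refang(line)
    for ip in IP_RE.findall(text):
        if ip in ASYNCRAT_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for dom in DOMAIN_RE.findall(text):
        dom = dom.lower()
        if dom in ASYNCRAT_DOMAINS:
            hits.append(Hit(line_no, "domain", dom))
    # Case-insensitive substring match: the marker may appear as a key or as a value name.
    if ASYNCRAT_REGISTRY_MARKER.lower() in text.lower():
        hits.append(Hit(line_no, "registry", ASYNCRAT_REGISTRY_MARKER))
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of log lines and return every hit, in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator kind, e.g. {'ip': 2, 'domain': 1, 'registry': 1}."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample log lines (hypothetical format, not real telemetry).
SAMPLE_LOG = [
    "2024-02-28T10:01:02Z dns query=procesoexitos1.duckdns.org answer=91.134.150.150 src=10.0.0.5",
    "2024-02-28T10:01:03Z net connect dst=91.134.150.150 proc=AsyncClient.exe",
    "2024-02-28T10:01:04Z registry set name=D04F4D4D0DF87BA77AAE proc=AsyncClient.exe",
    "2024-02-28T10:02:00Z dns query=example.com answer=203.0.113.10 src=10.0.0.5",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

The last sample line contains no listed indicator and produces no hit, which is the check that matters in practice: a matcher that fires on any DNS query or any registry write is noise, not detection. Hash indicators from the list above can be added the same way (exact match on a lowercased SHA-256 string) without changing the structure.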

Conclusion

It is difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The project notes claimed it was designed for educational purposes, but it may be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

Researchers can, however, readily identify any of its strains by running an analysis in the ANY.RUN sandbox. On average it takes only 2 minutes to launch an emulation, diagnose AsyncRAT, and collect indicators of compromise.

