Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

AsyncRAT

13
Global rank
10 infographic chevron month
Month rank
21 infographic chevron week
Week rank
0
IOCs

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
6 September, 2025
Last seen

How to analyze AsyncRAT with ANY.RUN

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
6 September, 2025
Last seen

IOCs

IP addresses
20.111.27.231
193.32.126.240
91.193.75.20
196.251.118.250
196.251.116.191
196.251.116.162
196.251.86.195
196.251.70.2
196.251.71.254
196.251.70.179
196.251.70.132
196.251.80.163
196.251.116.196
196.251.71.226
196.251.70.134
196.251.85.101
196.251.72.211
192.227.228.34
209.99.40.220
46.246.80.3
Domains
100k2.ddns.net
ahmed21018.linkpc.net
abdul666.duckdns.org
72093721.duckdns.org
advisorgoetia-dns.xyz
08099311.duckdns.org
1593572468.ddns.net
4pyramid.duckdns.org
adwa.ddns.net
26deagosto.duckdns.org
adobe.myactivedirectory.com
6227hallo6227.ddns.net
2021bestasync.mypets.ws
akuasync.from-ca.com
51-83-136-132.xyz
9221new.ddns.net
100k0.ddns.net
35asyn88.ddns.net
adgjmptw2.kro.kr
al3nzi1.ddns.net
URLs
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://a36e-78-175-182-33.ngrok-free.app/
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send
http://update-checker-status.cc/OCB-Async.txt
https://pastebin.com/raw/cm8rTnEx
https://pastebin.com/raw/s14cUU5G
http://pastebin.com/raw/hbwHfEg3
https://pastebin.com/raw/MWg2CxEm
https://pastebin.com/raw/QeEC9AnT
https://pastebin.com/raw/yQsM8ifk
https://pastebin.com/yQsM8ifk
https://pastebin.com/raw/G5Qyfb2n
tcp://0.tcp.sa.ngrok.io/
https://pastebin.com/raw/mchxnAbT
https://pastebin.com/raw/uqaaCRiU
tcp://nasdnasnd-55496.portmap.host/
tcp://nasdnasnd-55496.portmap.host:55496/
tcp://gg123213123sadas-38622.portmap.host/
https://pastebin.com/raw/sXFJs1iM
Last Seen at

Recent blog posts

post image
Release Notes: Fresh Connectors, SDK Update,...
watchers 433
comments 0
post image
Streamline Your SOC: All-in-One Threat Detect...
watchers 1142
comments 0
post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 1105
comments 0

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware was arriving in spam email campaigns with mentions of the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware was gaining popularity and, in late 2020, surfaced in numerous threads in Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT loading using VBScripts. And in 2022, a heavily modified version of the malware appeared, which was spread in a spear phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-sourced nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to analyze AsyncRAT malware

Researchers can analyze AsyncRAT sample, track the whole execution process, and collect IOCs in real-time using ANY.RUN sandbox.

AsyncRAT process tree

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and versions. As mentioned before, its open-source origin made it easy to change its functionality. The execution process is plain and straightforward, just like a lot of other malware. This RAT may make just a single process on the infected system or infects system processes.

AsyncRAT malware configuration

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, malware added itself to autorun and made a little sleep through timeout. In the end, AsyncRAT ran itself as a child process and tried to connect to C2. Malware configuration was successfully extracted from the sample, so analysts can save a lot of time on manual steps.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by writing the key and name D04F4D4D0DF87BA77AAE in the registry. The newest version of the malicious program sends the stolen info to its panel just right after the start of the execution. The detection will happen after less than a minute. Apart from that, AsyncRAT is caught by YARA rules.

Gathering threat intelligence on AsyncRAT malware

To collect up-to-date intelligence on AsyncRAT, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like AsyncRAT.

AsyncRAT ANY.RUN Search results for AsyncRAT in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"asyncrat" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from AsyncRAT samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread with spam email campaigns as malicious attachments or via infected ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit also warned that it can arrive via exploit kits.

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

NetSupport RAT screenshot
NetSupport RAT
netsupport
NetSupport RAT is a malicious adaptation of the legitimate NetSupport Manager, a remote access tool used for IT support, which cybercriminals exploit to gain unauthorized control over systems. It has gained significant traction due to its sophisticated evasion techniques, widespread distribution campaigns, and the challenge it poses to security professionals who must distinguish between legitimate and malicious uses of the underlying software.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More