AsyncRAT

Global rank: 9 | Month rank: 8 | Week rank: 8 | IOCs: 2622

AsyncRAT is a remote access trojan that monitors and remotely controls infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers adopted it for its many powerful malicious functions.

Type: Remote Access Trojan
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 25 September, 2023

How to analyze AsyncRAT with ANY.RUN


IOCs

IP addresses
81.161.229.73
172.93.231.202
147.185.221.16
103.241.72.56
62.102.148.158
147.189.169.11
198.44.167.193
194.58.71.17
185.17.0.246
194.5.98.231
134.255.254.224
42.51.40.184
20.196.195.9
194.147.140.145
45.74.4.244
89.23.96.35
194.180.48.53
185.81.157.153
4.151.131.10
185.252.179.66
Hashes

Domains
extra-hack.ddns.net
2.tcp.eu.ngrok.io
mr1robot11.ddns.net
6.tcp.eu.ngrok.io
0.tcp.eu.ngrok.io
11l19secondpop.ddns.net
7.tcp.eu.ngrok.io
kenzeey.duckdns.org
kenzeey.ddns.net
crazydns.linkpc.net
paisaloro.kozow.com
pacman.dontexist.org
180.ip.ply.gg
0.tcp.in.ngrok.io
ericfresh.ddns.net
0.tcp.ap.ngrok.io
walder08.duckdns.org
mass2023.duckdns.org
4.tcp.eu.ngrok.io
chromedata.webredirect.org
URLs
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://pastebin.com/raw/dgk14sCK
https://pastebin.com/raw/rrYqabgW
https://pastebin.com/raw/LwwcrLg4
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send
https://pastebin.com/raw/iDdcNn8h
tcp://2.tcp.eu.ngrok.io/
tcp://0.tcp.eu.ngrok.io/
https://pastebin.com/raw/CvdXQfhE
https://pastebin.com/raw/VzDdvNxW
https://pastebin.com/raw/D35iGmTZ
https://pastebin.com/raw/rNnPbAU4
https://pastebin.com/raw/pdRjLLjy
https://pastebin.com/raw/30zGs3sF
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
https://pastebin.com/raw/YUtN6HEu
https://pastebin.com/raw/sFLjiX99
https://pastebin.com/sFLjiX99
https://pastebin.com/raw/rjQ7f10D
http://pastebin.com/raw/ZQPqEZPE
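The list above mixes three kinds of indicators: raw C2 IP addresses, hostnames on dynamic DNS and tunnel services (ddns.net, duckdns.org, ngrok TCP endpoints, ply.gg), and URLs from which the client fetches configuration or to which it posts data (pastebin raw pastes, Telegram Bot API calls carrying a bot token). The Python script below is an added example, not ANY.RUN's tooling: it loads a subset of the page's IOCs, scans constructed DNS, connection and proxy log lines, and also flags the weaker pattern matches (any ngrok TCP tunnel, any dynamic DNS host, any pastebin raw fetch, any Telegram bot call) so an analyst still sees the signal shape after the exact indicator has rotated. The log format, severity levels and regexes are assumptions.

```python
"""AsyncRAT IOC matcher over constructed log lines (added example, not ANY.RUN code)."""
import re
from urllib.parse import urlparse

# Subset of the IOCs printed on this page.
IOC_IPS = {"81.161.229.73", "172.93.231.202", "147.185.221.16", "185.252.179.66"}
IOC_DOMAINS = {"extra-hack.ddns.net", "kenzeey.duckdns.org",
               "2.tcp.eu.ngrok.io", "180.ip.ply.gg", "crazydns.linkpc.net"}
IOC_URLS = {"https://pastebin.com/raw/dgk14sCK", "https://pastebin.com/raw/rrYqabgW"}

# Weaker, pattern-based signals derived from the shape of the page's IOC list
# (assumed generalisations, not indicators from the page).
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".linkpc.net", ".kozow.com",
                 ".dontexist.org", ".webredirect.org", ".ply.gg")
NGROK_TCP = re.compile(r"^\d+\.tcp\.[a-z]{2}\.ngrok\.io$")
PASTEBIN_RAW = re.compile(r"^https?://pastebin\.com/(?:raw/)?[A-Za-z0-9]{8}/?$")
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot\d+:[\w-]+/")

KV = re.compile(r"(\w+)=(\S+)")  # assumed key=value log format

# Constructed sample log: DNS lookups, outbound connections and proxied URLs.
SAMPLE_LOG = """\
2023-09-25T10:00:01Z host=WS01 type=dns query=extra-hack.ddns.net
2023-09-25T10:00:02Z host=WS01 type=conn dst=81.161.229.73:443
2023-09-25T10:00:03Z host=WS01 type=proxy url=https://pastebin.com/raw/dgk14sCK
2023-09-25T10:00:04Z host=WS02 type=dns query=9.tcp.us.ngrok.io
2023-09-25T10:00:05Z host=WS02 type=proxy url=https://api.telegram.org/bot123456:AAexampletoken/sendDocument
2023-09-25T10:00:06Z host=WS03 type=dns query=update.microsoft.com
2023-09-25T10:00:07Z host=WS03 type=proxy url=https://pastebin.com/raw/Ab12Cd34
"""


def _severity(reasons):
    """Exact IOC hits are high; pattern-only hits are medium; nothing otherwise."""
    if any(r.startswith("exact match") for r in reasons):
        return "high"
    return "medium" if reasons else None


def classify_host(host):
    """Return (severity, reasons) for a hostname or IPv4 address."""
    reasons = []
    if host in IOC_IPS or host in IOC_DOMAINS:
        reasons.append("exact match against AsyncRAT IOC list")
    if NGROK_TCP.match(host):
        reasons.append("ngrok TCP tunnel endpoint")
    if host.endswith(DDNS_SUFFIXES):
        reasons.append("dynamic DNS / tunnel provider hostname")
    return _severity(reasons), reasons


def classify_url(url):
    """Return (severity, reasons) for a URL; also checks its host."""
    reasons = []
    if url in IOC_URLS:
        reasons.append("exact match against AsyncRAT IOC list")
    if PASTEBIN_RAW.match(url):
        reasons.append("pastebin raw paste fetch (possible C2 config dead drop)")
    if TELEGRAM_BOT.match(url):
        reasons.append("Telegram Bot API call with embedded bot token (possible exfil channel)")
    reasons.extend(classify_host(urlparse(url).hostname or "")[1])
    return _severity(reasons), reasons


def scan(log_text):
    """Scan key=value log lines and return the findings in line order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = dict(KV.findall(line))
        kind = f.get("type")
        if kind == "dns":
            value = f.get("query", "")
            sev, why = classify_host(value)
        elif kind == "conn":
            value = f.get("dst", "").rsplit(":", 1)[0]  # strip port (IPv4 only)
            sev, why = classify_host(value)
        elif kind == "proxy":
            value = f.get("url", "")
            sev, why = classify_url(value)
        else:
            continue
        if sev:
            findings.append({"line": n, "host": f.get("host"), "value": value,
                             "severity": sev, "reasons": why})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']:>2} {hit['host']} [{hit['severity']}] {hit['value']}: "
              + "; ".join(hit["reasons"]))
```

On the sample log, the three WS01 lines match the page's indicators exactly, the unknown ngrok tunnel, the Telegram bot call and the unknown pastebin paste come back as medium, and the Microsoft lookup produces nothing. Pattern hits on their own are triage leads, not verdicts: ngrok, dynamic DNS and pastebin all have legitimate users, so pivot on the process that made the request before escalating.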

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first AsyncRAT strain loaded via VBScript. In 2022, a heavily modified version appeared, spread in a spear-phishing campaign whose attachment downloaded ISO files; this strain evaded most of the security controls it encountered.

Because the malware is open source, attackers have produced numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be delivered in fileless form. It is thought to spread by email as compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. Operators aim to steal personal credentials or banking details and use them as leverage to demand ransom.

How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

AsyncRAT process tree

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Like any other malware, the execution process of AsyncRAT varies over time and between versions. As mentioned above, its open-source origin makes it easy to change its functionality. The execution process itself is plain and straightforward, like that of a lot of other malware: the RAT may run as a single process on the infected system or inject into system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. The malware then added itself to autorun and paused briefly by running timeout. Finally, AsyncRAT launched itself as a child process and tried to connect to its C2. The malware configuration was extracted from the sample automatically, which saves analysts a lot of manual work.

AsyncRAT malware configuration

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread as a malicious attachment in spam email campaigns or through malicious ads on compromised websites. Sometimes the RAT is dropped by other malware that first infects the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the registry key and value name D04F4D4D0DF87BA77AAE they wrote. Newer versions send stolen information to their panel right after execution starts, so the sandbox detects them in under a minute. Beyond these behavioural signatures, AsyncRAT is also caught by YARA rules.
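The execution chain described in the analysis section (Office document drops a payload into a user-writable directory, the payload registers itself in autorun, delays via timeout, relaunches itself as a child process and connects out) and the legacy registry name mentioned here can both be expressed as detection logic over process, registry and network telemetry. The script below is an added example, not an ANY.RUN rule: it runs over a constructed, Sysmon-like event list (event id 1 = process create, 13 = registry value set, 3 = network connect), tags each process, then unions the tags along each process's ancestry so that the whole chain, not one event, drives the verdict. The event schema, the registry path under which the legacy name is written, and the scoring thresholds are assumptions.

```python
"""Chain-based AsyncRAT detection over constructed Sysmon-like events (added example)."""
import re

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
LEGACY_NAME = "D04F4D4D0DF87BA77AAE"  # registry name this page cites for old AsyncRAT builds
CHAIN_TAGS = {"payload_dropped_by_office", "run_key_persistence", "timeout_delay",
              "relaunch_after_timeout", "outbound_connection"}

# Constructed events mirroring the chain in the analysis section (not real telemetry).
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"id": 13, "pid": 200, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c timeout 3 & "C:\Users\u\AppData\Roaming\svchost.exe"'},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\timeout.exe",
     "cmdline": "timeout 3"},
    {"id": 1, "pid": 500, "ppid": 300, "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"id": 3, "pid": 500, "dst": "extra-hack.ddns.net:6606"},
    # Assumed location for the legacy value name; the page gives only the name.
    {"id": 13, "pid": 500, "target": r"HKCU\Software\D04F4D4D0DF87BA77AAE", "details": "1"},
    # Benign noise: an admin running timeout from a shell under explorer.
    {"id": 1, "pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"id": 1, "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c timeout 5"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Process-create events from pid up to the root, self first."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def analyze(events):
    """Tag every process, then score each process by the tags on its whole ancestry."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    tags = {}

    def tag(pid, t):
        tags.setdefault(pid, set()).add(t)

    for e in events:  # events are assumed to be in time order
        pid = e["pid"]
        if e["id"] == 1:
            chain = ancestry(procs, pid)
            if USER_WRITABLE.search(e["image"]) and any(basename(p["image"]) in OFFICE for p in chain[1:]):
                tag(pid, "payload_dropped_by_office")
            if basename(e["image"]) == "cmd.exe" and re.search(r"\btimeout\b", e["cmdline"], re.I):
                tag(pid, "timeout_delay")
            parent = procs.get(e["ppid"])
            # Same image as a grandparent-or-older, launched through a cmd.exe that ran timeout.
            if parent and "timeout_delay" in tags.get(parent["pid"], set()) \
                    and any(p["image"].lower() == e["image"].lower() for p in chain[2:]):
                tag(pid, "relaunch_after_timeout")
        elif e["id"] == 13:
            if RUN_KEY.search(e["target"]):
                tag(pid, "run_key_persistence")
            if LEGACY_NAME.lower() in e["target"].lower():
                tag(pid, "asyncrat_legacy_registry_name")
        elif e["id"] == 3:
            tag(pid, "outbound_connection")

    report = {}
    for pid in procs:
        lineage = ancestry(procs, pid)
        union = set()
        for p in lineage:
            union |= tags.get(p["pid"], set())
        score = len(union & CHAIN_TAGS)
        if score >= 4:
            verdict = "asyncrat_like_chain"
        elif "asyncrat_legacy_registry_name" in union:
            verdict = "asyncrat_legacy_registry_artifact"
        elif score >= 2:
            verdict = "suspicious_chain"
        else:
            continue
        report[pid] = {"lineage": [basename(p["image"]) for p in reversed(lineage)],
                       "tags": sorted(union), "verdict": verdict}
    return report


if __name__ == "__main__":
    for pid, r in analyze(EVENTS).items():
        print(pid, r["verdict"], " -> ".join(r["lineage"]), r["tags"])
```

The benign cmd.exe under explorer.exe carries only the timeout tag and is never reported, while the relaunched payload (pid 500) inherits the Office drop and Run-key tags from its ancestors and reaches the full-chain verdict. The legacy registry name is scored separately because it is a direct artifact rather than a behavioural pattern; on its own it still produces a verdict, as the second assertion below checks.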

Conclusion

It is difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The release notes claimed it was designed for educational purposes, but the creator may simply have found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capability to cause monetary losses to organizations. Since then, it has been heavily modified to support numerous distribution methods, including fileless delivery, which makes this RAT highly dangerous.

Researchers can nonetheless identify any of its strains by running an analysis in the ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.
