BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

AsyncRAT

10
Global rank
3 infographic chevron month
Month rank
2 infographic chevron week
Week rank
10993
IOCs

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
18 June, 2024
Last seen

How to analyze AsyncRAT with ANY.RUN

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
18 June, 2024
Last seen

IOCs

IP addresses
20.111.27.231
193.32.126.240
91.193.75.20
12.202.180.114
193.26.115.85
45.88.186.213
104.234.195.153
31.124.151.250
172.111.138.100
91.192.100.36
192.169.69.25
91.109.176.3
209.99.40.220
46.246.80.3
81.61.77.92
91.192.100.8
185.81.157.24
91.192.100.22
91.192.100.7
193.161.193.99
Hashes
fad2bb46ab4cd39fb3d98d57a05d98d4d82fe19ba3c7e58661891d2d16b0635d
9726bdd3f537f13bbeac4ee348f54efc901c849741f72543238185b4f525074c
2e6a4680aa9b24612ca07e1492964a84e2fc9bdf5086e1311f05d8e3d034b65e
6da826a94a738b3e50db6273a0743b8a1e15dd366e35596bfa67e33375d465d4
d82e2f74df152f8e9f89cb1fd3dbe3b0e8aa96e439a9acb6afa3fd44074b0110
57c867aabbe4955989e028dc8138f55d9c53c2a1c9b1b84ceb768d985f08421d
8d3c1998cd2cbda52f34457dc4c5419264a526abe4d5a9db342a98d4b4724bff
c91c84016a9dd8bfba1f2b8db33247f8a3fef15063961decaef4ce71a77a708e
9a26938a0e77297b36fdb44bf1b5a7fb9d7a745ac67681c6ae7db9d721ad4c9e
e5670b4bdf8e69ec649cc58757322334fa0d7482521bbed44bb15429d4c0e265
6c84d1f67908c6bec6bb1ac95b9398b6fc339a13c2ce80e04cdc7a6cc3e7333d
95c2090a26fb9ba6fbbbe227d6eb04cbe1b252e1c7aca099ed1a53e9e3b730e4
3a46502189aac6d83d1e1d433330dcee4795b1da040fca84e4b19060008922f3
5899c6cc2b11f9a7ea953496e5808cd87f8bf85bbed2cb419e50524e9c76cf30
42da266eb245b5a3011b346f8380c18d5d8f8e6bca7d44860af43e172ec073e1
e04cc364b53b6af7b8fe20a186f330dc67173f5d5e9b3ec9929f82092c72302f
c9943e8d85447bee75ceef9c483411e53af7a7ba9ed0b20f7d9b2e4b2cae58a8
8c3d68aa5e2ae958d8ee96abbbc3b9486ceb7f0ce7892433ae58ebc37203fda8
0c6aa2376460071121f57ed3acfe08ab39f66e3e78b59993a0346690a457c0a3
f6af7adb006f5495dd458b385ceb8e0c5bb17338ba3d59dc451500b68b712dee
Domains
surveyedgesoft.com
ghdsasync.duckdns.org
rownip.theworkpc.com
queda212.duckdns.org
corporation.warzonedns.com
kizzoyi.duckdns.org
soft.tjsosda.com
kingtexs-tvv.com
updatersvc.duckdns.org
eg-east.com
unknownamehost.ddns.net
majul.com
dedsee2c.accesscam.org
freshg.ddns.net
emmek.crabdance.com
ify.insidedns.com
systenfailued.ddns.com.br
g.top4top.io
manifest.duckdns.org
rownip.dyndnss.net
URLs
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://3d3b-104-137-168-8.ngrok-free.app/
https://pastebin.com/raw/sywzLGAr
https://pastebin.com/raw/qdzaTTaM
https://pastebin.com/raw/eFrDcxfc
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send
https://pastebin.com/raw/F7c4dqk3
http://jembhhnabanmeij.top/q782ef6obnhtr.php
http://jembhhnabanmeij.top/j%20ezioh%20n.php
https://pastebin.com/raw/KUG8ddNV
http://bhaighhdebikfge.top/ac41wr0hbfhtr.php
http://bhaighhdebikfge.top/b%20hzioh%20h.php
https://pastebin.com/raw/XhgDEdz5
https://pastebin.com/raw/KYABc84p
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
https://pastebin.com/raw/z5PQ82wE
https://pastebin.com/raw/Rk7dYWg9
https://pastebin.com/fKP8f3MV
https://pastebin.com/raw/w1ddxLWM
https://pastebin.com/raw/SdmtSfAn
Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 171
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 190
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 341
comments 0

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware was arriving in spam email campaigns with mentions of the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware was gaining popularity and, in late 2020, surfaced in numerous threads in Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT loading using VBScripts. And in 2022, a heavily modified version of the malware appeared, which was spread in a spear phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-sourced nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

Get started today for free

Easily analyze emerging malware with ANY.RUN interactive online sandbox

Register for free

How to analyze AsyncRAT malware

Researchers can analyze AsyncRAT sample, track the whole execution process, and collect IOCs in real-time using ANY.RUN sandbox.

AsyncRAT process tree

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and versions. As mentioned before, its open-source origin made it easy to change its functionality. The execution process is plain and straightforward, just like a lot of other malware. This RAT may make just a single process on the infected system or infects system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, malware added itself to autorun and made a little sleep through timeout. In the end, AsyncRAT ran itself as a child process and tried to connect to C2. Malware configuration was successfully extracted from the sample, so analysts can save a lot of time on manual steps.

AsyncRAT malware configuration

Figure 1: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread with spam email campaigns as malicious attachments or via infected ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by writing the key and name D04F4D4D0DF87BA77AAE in the registry. The newest version of the malicious program sends the stolen info to its panel just right after the start of the execution. The detection will happen after less than a minute. Apart from that, AsyncRAT is caught by YARA rules.

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy