Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

AsyncRAT

11
Global rank
7
Month rank
6
Week rank
0
IOCs

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
14 December, 2024
Last seen

How to analyze AsyncRAT with ANY.RUN

RAT
Type
Likely Kuwait
Origin
8 January, 2019
First seen
14 December, 2024
Last seen

IOCs

IP addresses
20.111.27.231
193.32.126.240
91.193.75.20
160.179.188.127
147.189.174.47
91.92.248.48
20.21.57.76
31.214.240.57
80.253.246.12
94.26.246.198
130.211.201.48
82.64.156.123
207.32.217.176
141.255.146.104
85.209.176.108
45.66.230.96
20.214.161.67
147.189.172.2
45.81.39.110
141.255.147.254
Domains
2escob4r.ddns.net
absolutely-joy-instantly-violence.trycloudflare.com
trackmyshiptng.site
msc4dfl1ed7eb485ad6ahelixpflanzen.de
mta1.candledmush.net
lila152512.duckdns.org
kmaybelsrka.art
ratatioe.store
syncca.theworkpc.com
prtmscaup.cyou
icq-hang-toe-specific.trycloudflare.com
deadpoolstart2025.duckdns.org
dhanachy.duckdns.org
window10.duckdns.org
prtmscaup.sbs
kmaybelsrka.cyou
ronymahmoud.casacam.net
anachymom.duckdns.org
kmaybelsrka.biz
kmaybelsrka.club
URLs
tcp://0.tcp.sa.ngrok.io/
https://pastebin.com/raw/mchxnAbT
http://pastebin.com/raw/hbwHfEg3
https://api.telegram.org/bot1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug/send
https://pastebin.com/raw/uqaaCRiU
https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/send
https://pastebin.com/raw/s14cUU5G
tcp://nasdnasnd-55496.portmap.host/
tcp://nasdnasnd-55496.portmap.host:55496/
https://api.telegram.org/bot5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI/send
tcp://gg123213123sadas-38622.portmap.host/
https://pastebin.com/raw/sXFJs1iM
https://pastebin.com/raw/k1u1X8jW
https://pastebin.com/raw/cm8rTnEx
https://pastebin.com/raw/Ry2bW8gq
https://pastebin.com/raw/tJgHrCMu
tcp://2.tcp.ngrok.io/
https://pastebin.com/raw/uFNL8ewp
https://pastebin.com/raw/siVJww5C
https://xianggangip.oss-cn-hongkong.aliyuncs.com/IDS.txt
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 298
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1586
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1933
comments 0

What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware was arriving in spam email campaigns with mentions of the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware was gaining popularity and, in late 2020, surfaced in numerous threads in Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT loading using VBScripts. And in 2022, a heavily modified version of the malware appeared, which was spread in a spear phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-sourced nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

How to analyze AsyncRAT malware

Researchers can analyze AsyncRAT sample, track the whole execution process, and collect IOCs in real-time using ANY.RUN sandbox.

AsyncRAT process tree

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and versions. As mentioned before, its open-source origin made it easy to change its functionality. The execution process is plain and straightforward, just like a lot of other malware. This RAT may make just a single process on the infected system or infects system processes.

AsyncRAT malware configuration

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, malware added itself to autorun and made a little sleep through timeout. In the end, AsyncRAT ran itself as a child process and tried to connect to C2. Malware configuration was successfully extracted from the sample, so analysts can save a lot of time on manual steps.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by writing the key and name D04F4D4D0DF87BA77AAE in the registry. The newest version of the malicious program sends the stolen info to its panel just right after the start of the execution. The detection will happen after less than a minute. Apart from that, AsyncRAT is caught by YARA rules.

Gathering threat intelligence on AsyncRAT malware

To collect up-to-date intelligence on AsyncRAT, use Threat Intelligence Lookup.

This service gives you access to a vast database filled with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox.

With over 40 customizable search parameters, including IPs, domains, file names, and process artifacts, you can efficiently gather relevant data on threats like AsyncRAT.

AsyncRAT ANY.RUN Search results for AsyncRAT in Threat Intelligence Lookup

For example, you can search directly for the threat name or use related indicators like hash values or network connections. Submitting a query such as threatName:"asyncrat" AND domainName:"" will generate a list of files, events, domain names, and other data extracted from AsyncRAT samples along with sandbox sessions that you can explore in detail to gain comprehensive insights into this malware’s behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread with spam email campaigns as malicious attachments or via infected ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit also warned that it can arrive via exploit kits.

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

Create your free ANY.RUN account to analyze malware and phishing without limits!

HAVE A LOOK AT

Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
WarmCookie screenshot
WarmCookie
badspace
WarmCookie is a backdoor malware that cyber attackers use to gain initial access to targeted systems. It is often distributed through phishing emails, frequently using job recruitment lures to entice victims into downloading and executing the malware.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More