
AsyncRAT

Global rank: 10
Month rank: 2
Week rank: 3
IOCs: 11236

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. The malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Type: RAT
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 14 July, 2024


IOCs



What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT loaded via VBScript. And in 2022, a heavily modified version of the malware appeared, spread in a spear-phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-source nature of this malware, attackers have developed numerous alterations of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.


How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and across versions. As mentioned before, its open-source origin makes it easy to change its functionality. The execution process itself is plain and straightforward, like that of a lot of other malware. This RAT may run as just a single process on the infected system or infect existing system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, the malware added itself to autorun and paused briefly using a timeout. In the end, AsyncRAT ran itself as a child process and tried to connect to its C2. The malware configuration was successfully extracted from the sample, so analysts can save a lot of time on manual steps.

Figure 1: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread through spam email campaigns as malicious attachments or via malicious ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the key and name D04F4D4D0DF87BA77AAE that they wrote to the registry. The newest version of the malicious program sends the stolen information to its panel right after execution starts, so detection happens in less than a minute. Apart from that, AsyncRAT is caught by YARA rules.
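As an added example (not ANY.RUN's or AsyncRAT's code), the following Python scores a stream of sandbox events for the execution chain described under "AsyncRAT execution process" (document, dropped payload, autorun, timeout sleep, self-relaunch, C2 attempt) and for the legacy registry marker above. The `kind|pid|ppid|detail` event format, the file paths, the registry path holding the marker and the 203.0.113.10 address are all constructed.

```python
# Added example (not ANY.RUN's code): scores constructed sandbox events for the
# AsyncRAT chain and registry marker described above; line format is constructed.
MARKER = "D04F4D4D0DF87BA77AAE"  # registry name cited on the page
RUN_KEY = r"\software\microsoft\windows\currentversion\run"  # autorun location
SAMPLE = [  # constructed: document -> payload -> autorun -> timeout -> self -> C2
    "proc|100|1|C:\\Program Files\\Office\\WINWORD.EXE",
    "proc|200|100|C:\\Users\\u\\AppData\\Roaming\\payload.exe",
    "reg|200|100|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\payload",
    "reg|200|100|HKCU\\Software\\D04F4D4D0DF87BA77AAE",  # legacy marker, constructed path
    "proc|300|200|C:\\Windows\\System32\\timeout.exe",
    "proc|400|200|C:\\Users\\u\\AppData\\Roaming\\payload.exe",
    "net|400|200|connect 203.0.113.10",  # TEST-NET address, constructed
]

def parse_events(lines):
    """Turn constructed 'kind|pid|ppid|detail' lines into event dicts."""
    rows = (line.split("|", 3) for line in lines)
    return [{"kind": k, "pid": int(p), "ppid": int(pp), "detail": d} for k, p, pp, d in rows]

def descendants(events, root_pid):
    """PIDs in the process tree rooted at root_pid, root included."""
    pids = {root_pid}
    while True:  # expand until no new child PIDs appear
        new = {e["pid"] for e in events if e["kind"] == "proc" and e["ppid"] in pids}
        if new <= pids:
            return pids
        pids |= new

def score_chain(events, root_pid):
    """Chain stages observed among processes descended from the document."""
    pids = descendants(events, root_pid)
    image = {e["pid"]: e["detail"] for e in events if e["kind"] == "proc"}
    stages = set()
    for e in (x for x in events if x["pid"] in pids):
        kind, d = e["kind"], e["detail"]
        if kind == "reg" and RUN_KEY in d.lower():
            stages.add("autorun")        # persistence via the Run key
        if kind == "reg" and MARKER in d:
            stages.add("legacy_marker")  # marker written by the oldest versions
        if kind == "proc" and d.lower().endswith("\\timeout.exe"):
            stages.add("timeout_sleep")  # the short sleep before relaunch
        if kind == "proc" and image.get(e["ppid"]) == d:
            stages.add("self_child")     # payload relaunched as its own child
        if kind == "net":
            stages.add("c2_attempt")     # outbound connection attempt
    return stages

def is_asyncrat_like(stages):
    """Persistence, sleep, self-relaunch and a C2 attempt together flag the chain."""
    return {"autorun", "timeout_sleep", "self_child", "c2_attempt"} <= stages
```

Feeding real sandbox process, registry and network events through `parse_events` in the same shape lets `score_chain` report which stages of the chain a given document process actually produced.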

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in the ANY.RUN sandbox. It takes only 2 minutes on average to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.
