
AsyncRAT

Global rank: 10
Month rank: 5
Week rank: 6
IOCs: 9000

AsyncRAT is a RAT that can monitor and remotely control infected systems. The malware was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Type: RAT
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 16 April, 2024

How to analyze AsyncRAT with ANY.RUN


IOCs

IP addresses
Hashes
URLs


What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the Covid-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first strain of AsyncRAT being loaded via VBScript. And in 2022, a heavily modified version of the malware appeared, spread in a spear-phishing campaign using an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-source nature of this malware, attackers have developed numerous variants of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. RAT users aim to steal personal credentials or banking details and use them as leverage to demand ransom.


How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.


Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and across versions. As mentioned before, its open-source origin makes it easy to change its functionality. The execution process is plain and straightforward, like that of a lot of other malware. This RAT may run as just a single process on the infected system or infect existing system processes.

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. After that, the malware added itself to autorun and paused briefly using timeout. In the end, AsyncRAT ran itself as a child process and tried to connect to its C2. The malware configuration was extracted from the sample automatically, so analysts can save a lot of time on manual steps.


Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

Distribution of AsyncRAT

AsyncRAT uses a couple of distribution methods. It is usually spread with spam email campaigns as malicious attachments or via infected ads on compromised websites. Sometimes the RAT is dropped by other malware, which first infects the system through a VBS script. The Threat Analysis Unit also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the registry key and value name D04F4D4D0DF87BA77AAE that they write. The newest version of the malicious program sends the stolen information to its panel right after execution starts, so detection happens in less than a minute. Apart from that, AsyncRAT is caught by YARA rules.
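As an added example (not ANY.RUN's detection logic), the following Python heuristic scans constructed Sysmon-style events for the registry marker above and for the chain described in the execution section (autorun entry, timeout, relaunch as its own child); the event layout, paths and process names are assumptions.

```python
import re

# Registry key/value name the page attributes to older AsyncRAT builds.
ASYNCRAT_REG_MARKER = "D04F4D4D0DF87BA77AAE"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

# Constructed, simplified Sysmon-style events (id 1 = process create, id 13 = registry
# value set). Not real telemetry; paths and names are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 800, "image": r"C:\Office\WINWORD.EXE", "cmd": "WINWORD.EXE invoice.docm"},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": r"C:\Users\u\AppData\Roaming\svc.exe", "cmd": "svc.exe"},
    {"id": 13, "pid": 1300, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"C:\Users\u\AppData\Roaming\svc.exe"},
    {"id": 1, "pid": 1400, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c timeout 3 & start svc.exe"},
    {"id": 1, "pid": 1500, "ppid": 1400, "image": r"C:\Users\u\AppData\Roaming\svc.exe", "cmd": "svc.exe"},
    {"id": 13, "pid": 1500, "target": r"HKU\S-1-5-21-1\Software\D04F4D4D0DF87BA77AAE", "details": "1"},
]


def detect_asyncrat(events):
    """Return (rule, detail) findings. Rule 1: the AsyncRAT registry marker.
    Rule 2: a process registers itself under a Run key, spawns a cmd that uses
    'timeout', and that cmd relaunches the same image as a child process."""
    findings = []
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    autorun_writers = set()  # pids that wrote their own image path into a Run key
    for e in events:
        if e["id"] != 13:
            continue
        if ASYNCRAT_REG_MARKER in e["target"]:
            findings.append(("asyncrat_registry_marker", e["target"]))
        proc = by_pid.get(e["pid"])
        if RUN_KEY_RE.search(e["target"]) and proc and proc["image"].lower() == e["details"].lower():
            autorun_writers.add(e["pid"])
    for e in events:
        if e["id"] != 1 or "timeout" not in e["cmd"].lower() or e["ppid"] not in autorun_writers:
            continue
        writer = by_pid[e["ppid"]]
        for child in events:
            if child["id"] == 1 and child["ppid"] == e["pid"] and child["image"].lower() == writer["image"].lower():
                findings.append(("asyncrat_autorun_timeout_relaunch", writer["image"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_asyncrat(SAMPLE_EVENTS):
        print(rule, detail)
```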

Conclusion

It’s difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The notes claimed that it was designed for educational purposes. But it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

But researchers can easily identify any of its strains by running an analysis in the ANY.RUN sandbox. On average it takes only 2 minutes to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.
