
AsyncRAT


AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. The malware was published on GitHub as a supposedly legitimate open-source remote administration tool, but attackers adopted it for its many powerful malicious functions.

Type: RAT
Origin: Likely Kuwait
First seen: 8 January, 2019
Last seen: 14 October, 2024




What is AsyncRAT malware

In 2019 and 2020, researchers observed the first campaigns distributing AsyncRAT. A modified version of the malware arrived in spam email campaigns that referenced the COVID-19 pandemic. In another tactic, attackers impersonated local banks and law enforcement institutions. The malware gained popularity and, in late 2020, surfaced in numerous threads on Chinese underground forums.

In 2021, AsyncRAT was spotted in a phishing campaign called Operation Spalax. In an unrelated incident, it was dropped by an HCrypt loader. Soon after, researchers saw the first AsyncRAT strain loaded via VBScript. In 2022, a heavily modified version of the malware appeared, spread in a spear-phishing campaign through an attachment that downloaded ISO files. This strain could bypass most security measures.

Because of the open-source nature of this malware, attackers have developed numerous variants of AsyncRAT throughout its lifetime. In 2022, researchers found a new variant that can be distributed in fileless form. It is thought to spread through email using compressed file attachments.

AsyncRAT mainly infects victims in the IT, hospitality, and transportation industries across North, South, and Central America, though its distribution is not limited to these regions. Operators of the RAT aim to steal personal credentials or banking details and use them as leverage to demand ransom.


How to analyze AsyncRAT malware

Researchers can analyze an AsyncRAT sample, track the whole execution process, and collect IOCs in real time using the ANY.RUN sandbox.

Figure 1: AsyncRAT process tree in ANY.RUN

AsyncRAT execution process

Just like any other malware, the execution process of AsyncRAT may vary and change over time and across versions. As mentioned before, its open-source origin makes it easy to change its functionality. The execution process itself is plain and straightforward, as with a lot of other malware: this RAT may run as a single process on the infected system or inject into system processes.

Figure 2: AsyncRAT malware configuration extracted by ANY.RUN

In our example, the AsyncRAT execution chain started from a malicious document that dropped a payload. The malware then added itself to autorun and paused briefly using the timeout command. Finally, AsyncRAT launched itself as a child process and tried to connect to its C2. The malware configuration was extracted from the sample automatically, which saves analysts a lot of manual work.


Distribution of AsyncRAT

AsyncRAT uses several distribution methods. It is usually spread through spam email campaigns as a malicious attachment or via malicious ads on compromised websites. Sometimes the RAT is dropped by other malware that first infects the system through a VBS script. The Threat Analysis Unit has also warned that it can arrive via exploit kits.

How to detect AsyncRAT using ANY.RUN?

The oldest versions of AsyncRAT were identified by the key and name D04F4D4D0DF87BA77AAE they wrote to the registry. The newest versions of the malware send the stolen information to their panel right after execution starts, so detection happens in under a minute. Apart from that, AsyncRAT is caught by YARA rules.
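To show how the behaviours described above (a document dropping a payload, an autorun entry followed by a timeout sleep and a self-relaunch, and the legacy registry marker) can be turned into detection logic, here is an added example that is not ANY.RUN's own code. It runs over constructed, Sysmon-like event records whose field names (type, pid, ppid, image, cmdline, target) and process names are assumptions, not a real schema or capture.

```python
"""Constructed example (not ANY.RUN's detection logic): flag the AsyncRAT
behaviours this page describes in simplified, Sysmon-like event records.
Field names (type, pid, ppid, image, cmdline, target) are assumptions."""
from collections import defaultdict

# Registry key/value name the page says the oldest AsyncRAT builds wrote.
ASYNCRAT_REG_MARKER = "D04F4D4D0DF87BA77AAE"
OFFICE_PARENTS = {"winword.exe", "excel.exe"}   # assumed document handlers
RUN_KEY = "\\currentversion\\run\\"             # per-user autorun location


def detect_asyncrat(events):
    """Return (reason, pid) findings for the three behaviours on this page."""
    findings = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            children[e["ppid"]].append(e)
            # 1. document dropped a payload: an office process spawned an .exe
            parent = procs.get(e["ppid"])
            if parent and parent["image"].lower() in OFFICE_PARENTS \
                    and e["image"].lower().endswith(".exe"):
                findings.append(("document_dropped_payload", e["pid"]))
        elif e["type"] == "registry":
            # 2. legacy marker key written by old AsyncRAT versions
            if ASYNCRAT_REG_MARKER in e["target"]:
                findings.append(("legacy_marker_key", e["pid"]))
    # 3. autorun write, then a timeout sleep, then a re-launch of the same image
    for e in events:
        if e["type"] != "registry" or RUN_KEY not in e["target"].lower():
            continue
        pid = e["pid"]
        image = procs.get(pid, {}).get("image", "").lower()
        kids = children[pid]
        slept = any("timeout" in k["cmdline"].lower() for k in kids)
        respawned = any(k["image"].lower() == image for k in kids)
        if image and slept and respawned:
            findings.append(("autorun_sleep_respawn_chain", pid))
    return findings


SAMPLE_EVENTS = [  # constructed events, not a real capture
    {"type": "process", "pid": 100, "ppid": 1, "image": "WINWORD.EXE", "cmdline": "winword invoice.doc"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "payload.exe", "cmdline": r"C:\Users\u\AppData\Roaming\payload.exe"},
    {"type": "registry", "pid": 200, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\payload"},
    {"type": "process", "pid": 201, "ppid": 200, "image": "cmd.exe", "cmdline": "cmd /c timeout 3"},
    {"type": "process", "pid": 202, "ppid": 200, "image": "payload.exe", "cmdline": r"C:\Users\u\AppData\Roaming\payload.exe"},
    {"type": "registry", "pid": 202, "target": r"HKCU\Software\D04F4D4D0DF87BA77AAE"},
]
```

Calling `detect_asyncrat(SAMPLE_EVENTS)` returns one finding per behaviour; in practice the registry marker only catches old builds, so the process-chain rules carry most of the weight.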

Conclusion

It is difficult to say whether the original release of AsyncRAT was meant to be a harmless remote administration tool. The release notes claimed that it was designed for educational purposes, but it could be that the creator simply found a clever way to market malware on a legitimate site.

Regardless of the intent, the code uploaded to GitHub already had enough malicious capabilities to cause monetary losses to organizations. Since then, it has been heavily modified to support countless distribution methods, including fileless delivery, making this RAT highly dangerous.

Researchers can nevertheless identify any of its strains by running an analysis in the ANY.RUN sandbox. On average, it takes only 2 minutes to launch an emulation, diagnose AsyncRAT and collect indicators of compromise.

