{
	"id": "42de1588-e088-44f4-8d21-207324ef2a87",
	"created_at": "2026-04-06T00:07:15.689732Z",
	"updated_at": "2026-04-10T03:35:20.36834Z",
	"deleted_at": null,
	"sha1_hash": "015c5fb594cad6ba83f2c1691aad72c1946a658a",
	"title": "Analyzing AsyncRAT distributed in Colombia by Blind Eagle | Welcome to Jstnk webpage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2498379,
	"plain_text": "Analyzing AsyncRAT distributed in Colombia by Blind Eagle |\r\nWelcome to Jstnk webpage\r\nBy Jose Luis Sánchez Martínez, Security Researcher\r\nPublished: 2022-06-01 · Archived: 2026-04-05 15:30:50 UTC\r\nSummary\r\nDuring 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and the RATs used by this same group and by other cybercriminal groups, such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention, and I wanted to analyze them to see what is new.\r\nTherefore, in this entry we will go through the analysis of a sample of AsyncRAT distributed in Colombia during the last month.\r\nInfo: The objective of the analysis is to provide information on the execution of the binary, its genealogy and other details, not to go into the details of the static part.\r\nAnalysis\r\nStatic\r\nThe basic static information of the sample to be analyzed is shown in the table below.\r\nField | Value\r\nFile name | Stub.exe\r\nType | PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly\r\nMD5 | c0b9838ff7d2ddecbfe296eae947e5d6\r\nSHA1 | 76af794b85e4a4ba75c5703df1207b7a6798bf2e\r\nSHA256 | 79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3\r\nFile size | 45.00 KB (46080 bytes)\r\nhttps://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/\r\nPage 1 of 24\r\nAfter verifying that the binary was C#, I decided to perform a small analysis of the code to check some of the actions that the malware should perform once executed, before running it on my systems.\r\nIf we go to the Main function, which is the one defined in the entry point, we see that it contains the structure shown in the following image.\r\nThe binary checks a series of conditions to verify, among other things, whether it is being executed in a virtual environment or not, and depending on the results it will continue its normal flow or kill its own process.\r\nThe first check verifies a series of settings established in the code, among which are the key, the pastebin URL, the version, etc.\r\nSecondly, it tries to create a mutex and stop similar processes of the same sample that may already be running.\r\nIt then performs several checks to identify the context where it is running (mainly to see if it is a virtual machine or a sandbox). Different anti-analysis techniques are put in place.\r\nThe first of these is related to the DetectManufacturer method, which aims to see if the system is related to VMware, VirtualBox, or is virtualized in general.\r\nThe next thing is to check if a debugger is attached to the AsyncRAT process. To do this, it makes use of the IsDebuggerPresent API.\r\nNext, the check is focused on seeing if the system where it was executed is the well-known Sandboxie; to check this, it tries to identify whether the DLL SbieDll.dll is loaded.\r\nThe next check it performs is on the system disk capacity. In this case, it checks if the disk is smaller than 61000000000L bytes (56.8 GB). If it is, it returns false.\r\nThe last thing it performs in this set of checks is to identify if the operating system is Windows XP, with a simple method.\r\nIt also aims to establish persistence in the system. To do this, it checks if the process was launched with privileges; if so, it will make use of schtasks.exe to create a task. Otherwise, if the process is not running with administrator permissions, it will try to modify the registry key Software\\Microsoft\\Windows\\CurrentVersion\\Run to execute a copy of itself created in the %appdata% path.\r\nAfter this, the sample copies itself into the %appdata% directory and creates a .bat file that first launches a timeout, then runs the sample from %appdata% and deletes the .bat file.\r\nThe last interesting activity is to establish communications with the C2 through the ClientSocket.Reconnect(); and ClientSocket.InitializeClient(); methods.\r\nThe sample can perform many other actions once it is deployed in the environment. For example, the Client.Helper.IdSender class has a method called sendInfo which is responsible for sending information about the operating system to the C2.\r\nGoing into detail on each class could take a long time, and in this case the goal is to analyze the behavior once executed, so I leave a small image of part of the classes and methods that the sample incorporates, and we will perform an analysis of the behavior.\r\nDynamic\r\n(Image: high level process events)\r\nNow it is time to detonate the malware in a controlled environment to verify its behavior. In this case, I did different executions with and without administrator permissions to see how the sample behaved. I did this because in the static part we have seen that the behavior could vary depending on whether it was executed in the administrator context.\r\n(Image: privileged execution - Genealogy)\r\n(Image: non-privileged execution - Genealogy)\r\nAs can be seen, there are some differences when the sample was executed with privileges and when not. For example, in the first image, which corresponds to the execution with privileges, there are 3 additional processes, which are the following.\r\n|_ cmd.exe (7380)\r\n |_ Conhost.exe (8972)\r\n |_ schtasks.exe (4152)\r\nThis is because the execution of process 7380, cmd.exe, is the behavior related to setting the scheduled task. However, if the sample is run without administrator permissions, the scheduled task cannot be generated.\r\nWe are going to go into detail about the processes to see the main actions they performed that could be of interest in order to generate some kind of detection or pattern identification. To do this, we will focus on the execution with administrator permissions, and in case there is something different in the other execution, it will be noted.\r\nStub.exe - 2740\r\nC:\\Users\\lab\\Desktop\\Stub.exe\r\nThis is the AsyncRAT sample. The execution was performed with administrator privileges.\r\nThis process, as we saw before, is in charge of creating certain files in the system. First of all, it creates a copy of itself in the %appdata% directory.\r\nThen, it creates the batch file, also in %appdata%, which will be executed later to perform different actions in the operating system.\r\nAs for registry keys, there is no significant activity.\r\nInfo: Different behavior in the sample run without privileges.\r\nHowever, in the case of unprivileged execution, there would be a modification of the registry keys for persistence, using the key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Runtime Broker.\r\ncmd.exe - 7380\r\n\"C:\\Windows\\System32\\cmd.exe\" /c schtasks /create /f /sc onlogon /rl highest /tn \"Runtime Broker\" /tr '\"C:\\User\r\nThis process is basically in charge of launching the schtasks.exe binary. It is important to mention, as we are seeing and will see throughout the analysis, that since this is a 32-bit sample, the executions will be related to the C:\\Windows\\SysWOW64\\ directory.\r\nThis process will not exist when running AsyncRAT without administrator permissions.\r\nschtasks.exe - 4152\r\nschtasks /create /f /sc onlogon /rl highest /tn \"Runtime Broker\" /tr '\"C:\\Users\\lab\\AppData\\Roaming\\Runtime Br\r\nThe task is generated in the system to be executed at each login of any user with administrator permissions.\r\n/f -> Forcefully creates the task and suppresses warnings if the specified task already exists.\r\n/sc onlogon -> Run at each logon\r\n/rl highest -> Run with the highest privileges\r\n/tn \"Runtime Broker\" -> Task name\r\n/tr \"C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe\" -> Program the task runs\r\ncmd.exe - 8840\r\nC:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\lab\\AppData\\Local\\Temp\\tmp3959.tmp.bat\"\"\r\nThis process is in charge of executing the bat file that was created during the execution of the Stub.exe binary. It is important to mention that the name of the batch file varies with each execution; however, the pattern is always the same. The following RegEx would work to detect it (the four characters after tmp are hexadecimal digits, so 0 is included and the dots are escaped).\r\n.*tmp[a-zA-Z0-9]{4}\\.tmp\\.bat\r\ntimeout.exe - 6272\r\nThe malware uses a timeout of 3 seconds before it starts performing the rest of the actions.\r\nRuntime Broker.exe - 4080\r\n\"C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe\"\r\nAs can be seen from the name of the process, the malware tries to impersonate the legitimate Microsoft Windows binary RuntimeBroker.exe. However, it can be noticed in this case that there is a space between the two words.\r\nHere the communication with the C2 server is established. The ports used in this case are 8808, 7707 and 6606. The destination IP address is 217.195.197[.]70.\r\nOn the other hand, another indicator that could help us identify the sample and the family during the analysis is the Mutex used, which in this case is AsyncMutex_6SI8OkPnk.\r\nDuring the execution of Runtime Broker.exe, I proceeded to extract the .NET assemblies from memory to verify whether it was the same Stub.exe binary analyzed earlier or whether it presented some difference when launched. During this extraction, the following assemblies were obtained from memory.\r\nFile name | SHA1 | Comments\r\naB.exe | 76AF794B85E4A4BA75C5703DF1207B7A6798BF2E | Same sample as Stub.exe\r\nMessagePackLib.dll | 16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E | At the time of analysis, 41/68 engines in VT detect it as malicious. Different family names.\r\nRecovery.dll | 93E9469789A4ECD28E30006D1CE10DBFFBD36D7C | At the time of analysis, 44/68 engines in VT detect it as malicious. Code protected by Reactor.\r\nSystem.Data.SQLite.dll | B9D5AF76D8DF1C4EE4CCBA33B2AFA8300952D923 | Mixed-mode assembly for System.Data.SQLite. More information here.\r\nNewtonsoft.Json.dll | E68B369BC131A32D5233EE395F47B337C2469042 | Json.NET is a popular high-performance JSON framework for .NET\r\naB.exe\r\nThe assembly aB.exe is the same Stub.exe file, which in turn is also Runtime Broker.exe.\r\nMessagePackLib.dll\r\nThis DLL does not contain any packers or code protectors. 41 out of 68 VT engines detect this DLL as malicious. Taking a look at the assembly, you can see that the class structure does not seem to be very complex, and with a little patience you could identify its functionality (if you are interested in the sample, ask me privately).\r\nRecovery.dll\r\nIn this case, it has been possible to verify the presence of .NET Reactor, which describes itself as a .NET code protection, as can be seen on its website.\r\nAs for the assembly, it can be verified that the code is protected, since many strings and classes are randomized when observing their possible logic.\r\nIn the process of trying to remove the code protection, it is possible to see part of the code in a more readable way, identifying messages of actions that the assembly could attempt; in this case, as seen in the image, related to obtaining Firefox cookies.\r\nHigh level graph\r\nIn order to have a graphical view of the most important events that take place during the execution of AsyncRAT, a behavior graph has been elaborated where the events generated in the system during its execution can be seen.\r\nDiamond model\r\nATT&CK\r\nTechnique | Kill chain phase | Diamond vertex | Comments\r\nT1566.001 - Phishing: Spearphishing Attachment | Delivery | Capability | Email with ZIP file attached\r\nT1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Installation | Capability | Sets a registry key if a non-privileged user executes the payload\r\nT1053.005 - Scheduled Task/Job: Scheduled Task | Installation | Capability | Creates a new scheduled task if a privileged user executes the payload\r\nT1036.005 - Masquerading: Match Legitimate Name or Location | Execution | Capability | Writes itself as a file named Runtime Broker.exe saved in %APPDATA%\r\nT1571 - Non-Standard Port | C2 | Infrastructure | Uses the ports 8808, 7707 and 6606 for communication\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell | Execution | Capability | Executes the batch file created previously\r\nT1027 - Obfuscated Files or Information | Exploitation | Capability | .NET Reactor is used for code protection\r\nT1095 - Non-Application Layer Protocol | C2 | Infrastructure | TCP is used for C2 communications\r\nIOCs\r\n217.195.197[.]70 through ports 6606, 7707, 8808\r\n76AF794B85E4A4BA75C5703DF1207B7A6798BF2E\r\n16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E\r\n93E9469789A4ECD28E30006D1CE10DBFFBD36D7C\r\nMutex AsyncMutex_6SI8OkPnk\r\nSigma rules\r\nThe Sigma rules created are specific to this payload. There will be different payloads used by AsyncRAT, with the same name or a different one. It is important to mention that the original filename embedded in this case is Stub.exe. This is interesting because if the adversaries create new payloads, the original filename may still be the same.\r\ntitle: Detect AsyncRAT persistence with schtasks based on specific payload\r\nid: 4410f0ad-3a1c-4e21-9e3a-fa55336aa123\r\ndescription: Detect the execution of the AsyncRAT payload to launch schtasks for persistence.\r\nstatus: experimental\r\ndate: 2022/06/01\r\nmodified: 2022/06/01\r\nauthor: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)\r\nreferences:\r\n    - https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis\r\n    - https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3\r\nlogsource:\r\n    product: windows\r\n    category: process_creation\r\ndetection:\r\n    parent_selection:\r\n        ParentImage|endswith: 'Stub.exe'\r\n    selection1:\r\n        Image|endswith: '\\cmd.exe'\r\n        CommandLine|contains|all:\r\n            - 'schtasks '\r\n            - '\\AppData\\Roaming\\'\r\n            - '.exe'\r\n    condition: parent_selection and selection1\r\nfalsepositives:\r\n    - Unknown\r\nlevel: medium\r\ntags:\r\n    - attack.persistence\r\n    - attack.t1053.005\r\n\r\ntitle: Detect AsyncRAT execution based on specific payload\r\nid: ac891380-958b-4c08-a77d-8e149d63d741\r\ndescription: Detect the execution of the AsyncRAT payload to establish a registry key for persistence.\r\nstatus: experimental\r\ndate: 2022/06/01\r\nmodified: 2022/06/01\r\nauthor: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)\r\nreferences:\r\n    - https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis\r\n    - https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3\r\nlogsource:\r\n    product: windows\r\n    category: registry_set\r\ndetection:\r\n    selection:\r\n        EventType: SetValue\r\n        Image|endswith: 'Stub.exe'\r\n        # the value name (Runtime Broker) follows the Run key in TargetObject, so endswith would never match; contains is used instead\r\n        TargetObject|contains: '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\'\r\n        Details|contains: '.exe'\r\n    condition: selection\r\nfalsepositives:\r\n    - Unknown\r\nlevel: medium\r\ntags:\r\n    - attack.persistence\r\n    - attack.t1547.001\r\nIn the original Sigma repository, there are a large number of generic rules that can help in the detection of this malware.\r\nContact\r\nTwitter: https://twitter.com/Joseliyo_Jstnk\r\nLinkedIn: https://www.linkedin.com/in/joseluissm/\r\nSource: https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/"
	],
	"report_names": [
		"AsyncRAT-Analysis"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434035,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/015c5fb594cad6ba83f2c1691aad72c1946a658a.pdf",
		"text": "https://archive.orkl.eu/015c5fb594cad6ba83f2c1691aad72c1946a658a.txt",
		"img": "https://archive.orkl.eu/015c5fb594cad6ba83f2c1691aad72c1946a658a.jpg"
	}
}