{
	"id": "df1c7183-a895-449e-8e22-75ce3110a327",
	"created_at": "2026-04-06T00:10:52.707008Z",
	"updated_at": "2026-04-10T03:21:22.454789Z",
	"deleted_at": null,
	"sha1_hash": "0d33cc37ac9793ddc24b80bb8449ab4ad2e8f086",
	"title": "Malware source code investigation: AsyncRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4657231,
	"plain_text": "Malware source code investigation: AsyncRAT\r\nBy MSSP Research Lab\r\nPublished: 2023-05-19 · Archived: 2026-04-05 13:00:09 UTC\r\nAsyncRAT is a Remote Access Trojan (RAT) designed to remotely monitor and control infected systems. It is free, open-source, and often used by cybercriminals for malicious purposes, such as stealing sensitive information, installing more malware, or performing DDoS attacks.\r\nAsyncRAT was published as an open-source remote administration tool project on GitHub in January 2019.\r\nhttps://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html\r\nPage 1 of 19\n\nAsyncRAT is a regular malware product and set of tools utilized by attackers and APT organizations. Threat actors and adversaries have utilized a variety of intriguing script injectors and spear-phishing attachments to deliver AsyncRAT to targeted hosts or networks across multiple campaigns.\r\nIn this small research we investigate the source code of AsyncRAT in detail and highlight its main features.\r\nAsyncRAT has been included in app.any.run’s weekly TOP 10 malware trends tracker for the past few months.\r\nClient-Server Architecture\r\nWhen executed, the AsyncRAT GUI allows criminals to control the infected machine. The code is open-source and can be modified to suit the purposes of criminals:\r\nAsyncRAT implements a client-server architecture. The client side is the infected machine, whereas the server side is the attacker-operated control interface. The client establishes a connection with the server using asynchronous TCP sockets, which permits multiple simultaneous connections without interference.\r\nCore Functionalities\r\nAsyncRAT includes several functionalities that permit a high degree of control over infected systems:\r\nRemote Desktop - The client captures screenshots of the desktop and sends them to the server, allowing the attacker to see the victim’s activities in real time.\r\nAsyncRAT uses the .NET Framework’s built-in libraries to capture screenshots from the victim’s machine. The following is a more technical breakdown of how this feature works in the AsyncRAT client.\r\nIn AsyncRAT’s source code, you will find a function responsible for capturing screenshots. This function is typically invoked when the server sends a specific command to the client.\r\nTo capture the screenshot, AsyncRAT leverages the System.Drawing namespace in the .NET Framework, which provides access to GDI+ basic graphics functionality. More specifically, it uses the Bitmap and Graphics classes to capture and store the screenshot (/Plugin/Options/Options/Handler/HandleThumbnails.cs):\r\nThis code does the following:\r\nCreates a new Bitmap object with the same size as the screen. The Screen.PrimaryScreen.Bounds property is used to determine the size of the screen.\r\nCreates a Graphics object from the bitmap. This object is used to perform the screenshot operation.\r\nUses the Graphics.CopyFromScreen method to take the screenshot. This method copies the pixels from the screen and stores them in the bitmap.\r\nAfter the screenshot is captured and stored in the bitmap, AsyncRAT usually converts the bitmap to a byte array and sends it to the server. The server can then reconstruct the bitmap from the byte array to view the screenshot. It’s worth noting that the screenshot is usually compressed before being sent to reduce network usage.\r\nKeylogger - AsyncRAT logs keystrokes and periodically sends the data to the server. This feature can capture sensitive information like passwords and credit card numbers.\r\nAsyncRAT captures keystrokes by using the SetWindowsHookEx function, which is part of the Windows API. This function allows the application to install a “hook” that monitors the message traffic in the system and retrieves specific types of messages, such as keypresses.\r\nThe following is the code showing how AsyncRAT implements a keylogger in C# using the SetWindowsHookEx function (Plugin/LimeLogger/LimeLogger/Packet.cs):\r\nThe SetHook function installs the keyboard hook by calling SetWindowsHookEx with the LowLevelKeyboardProc delegate. The hook is then uninstalled using UnsetHook:\r\nFile Explorer - The client can navigate the filesystem, upload files to the server, download files from the server, and execute files.\r\nTo accomplish these tasks, AsyncRAT uses standard .NET Framework libraries. Let’s break down each function separately.\r\nNavigating the File System. The System.IO namespace in the .NET Framework contains classes for manipulating files and directories. For example, AsyncRAT retrieves a list of files in a directory using the Directory.GetFiles method (Plugin/FileSearcher/FileSearcher/Packet.cs):\r\nAnd it gets subdirectories with the Directory.GetDirectories method (Plugin/FileManager/FileManager/Handler/FileManager.cs):\r\nUploading Files to the Server. To read the contents of a file, AsyncRAT uses the File.ReadAllBytes method, which reads a file and returns its contents as a byte array (for example in Plugin/FileSearcher/FileSearcher/Packet.cs):\r\nDownloading Files from the Server. When the server sends a file, it is usually in the form of a byte array. The client can save this byte array to a file using the File.WriteAllBytes method (for example in Server/HandlePacket/HandleFileSearcher.cs):\r\nExecuting Files. To execute a file, AsyncRAT uses the Process.Start method from the System.Diagnostics namespace (Plugin/FileManager/FileManager/Handler/FileManager.cs):\r\nProcess Manager - The client retrieves a list of running processes and can kill or start processes.\r\nAsyncRAT utilizes the System.Diagnostics namespace in the .NET Framework to interact with system processes.\r\nRetrieving a List of Running Processes. The Process class in the System.Diagnostics namespace has a static method GetProcesses that returns an array of Process objects, which represent all the processes currently running on the system. Here is how it’s used (Plugin/ProcessManager/ProcessManager/Packet.cs):\r\nIt also uses the query SELECT ProcessId, Name, ExecutablePath FROM Win32_Process:\r\nStarting a Process. To start a new process, AsyncRAT uses the Process.Start method, which starts a process resource by specifying the name of an application or document:\r\nNote that all these operations require sufficient permissions. If the AsyncRAT client doesn’t have the necessary permissions, these operations will fail.\r\nRemote Shell - The client can execute shell commands from the server, enabling an even greater degree of control.\r\nThe ability to execute shell commands remotely is a powerful feature of AsyncRAT. This feature allows the attacker to execute virtually any command, as if they were physically present at the victim’s machine.\r\nAsyncRAT executes shell commands by using the System.Diagnostics.Process class in the .NET Framework. This class provides the Start method, which can start a new process. To execute a shell command, AsyncRAT starts a new instance of cmd.exe with the shell command as a parameter (Plugin/Miscellaneous/Miscellaneous/Handler/HandleShell.cs):\r\nStealth and Persistence\r\nTo evade detection, AsyncRAT uses several techniques:\r\nProcess Injection - AsyncRAT injects its core functionality into a separate process to hide its malicious activities.\r\nThe injector is used to load the AsyncRAT file into memory by taking advantage of the Process Hollowing technique. As demonstrated, a new thread is created and put in a suspended state (paused), the target file is mapped into memory, and it is then executed:\r\nAnti-Analysis - The client employs various anti-analysis techniques, including the detection of virtual machines and sandbox environments.\r\nMalware often employs anti-analysis techniques to evade detection, avoid being analyzed in a controlled environment, and ultimately to make reverse-engineering more challenging. This includes checks for virtual machines (VMs) and sandbox environments, which are commonly used tools for malware analysis.\r\nAnalyzing the source code of AsyncRAT, you may find various techniques that it employs to achieve this (Client/Helper/Anti_Analysis.cs). While specific implementation details could vary depending on the version or variant of the RAT, here’s an example of what these anti-analysis checks might look like in practice.\r\nHere is how AsyncRAT checks for a VM and a sandbox:\r\nAs you can see, it just checks if Sbiedll.dll is loaded, which is a module of the Sandboxie sandbox.\r\nIt also checks the disk size:\r\nThe logic is simple: determine if a compromised host is operating in a malware lab or sandbox by examining the size of its hard drive.\r\nAnother method is IsXP: check if its process is running on the Windows XP operating system:\r\nCheck if a remote debugger exists:\r\nThe following image depicts the code that drops a .bat script in the %temp% folder to delete itself as part of a defense evasion technique to clear its trace after execution and drop a copy of itself on the compromised host:\r\nPersistence - The client installs itself to the registry or startup folder to maintain persistence after system reboots.\r\nThe AsyncRAT client will verify that its code executes with administrative permissions. If so, it will add a Windows Scheduled Task using schtasks.exe with the highest run level to execute a duplicate of itself; if AsyncRAT is not running with administrative privileges, it will use the Registry Run key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for its persistence:\r\nConnection and Control\r\nOn execution, the client initiates a connection to the server. After a successful connection, the client sends detailed system information to the server, including the computer name, user name, operating system, processor, and installed antivirus software. The client also downloads a small .NET assembly DLL file from the server, which is injected into a newly created process. This is where AsyncRAT’s core functionality is executed.\r\nAsyncRAT will decrypt its AES-encrypted configuration data, including the port and C2 IP address that will be used for C2 communication:\r\nThis is the code snippet for C2 server communication and C2 downloads:\r\nUpdating and Uninstalling\r\nAsyncRAT allows for the updating and uninstalling of the client directly from the server.\r\nThe uninstall functionality would typically involve the server sending a command to the client, telling it to remove itself from the infected machine. This might involve deleting the client binary, as well as any other files created by the client. The client might also remove any registry keys it has created, and undo any other changes it has made to the system.\r\nConclusion\r\nGiven its open-source nature and availability on GitHub since January 2019, AsyncRAT is accessible to a wide range of threat actors, including both individual malicious actors and sophisticated APT groups. This availability, combined with its powerful features, makes it a popular choice for cybercriminals.\r\nThe observed campaigns leveraging spear-phishing attacks and script loaders, such as the one using a Microsoft OneNote attachment to load a .HTA file, demonstrate that attackers can employ a variety of methods to deliver AsyncRAT to targeted hosts or networks. This underlines the importance of a comprehensive security posture, encompassing not just malware detection and removal, but also employee training and robust email security measures to combat spear-phishing attacks.\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\nReferences\r\nhttps://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nhttps://twitter.com/anyrun_app/status/1617401778240102400\r\nhttps://any.run/malware-trends/\r\nMITRE ATT\u0026CK: Process Hollowing\r\nhttps://research.splunk.com/stories/asyncrat/\r\nThanks for your time, happy hacking and good bye!\r\nAll drawings and screenshots are MSSPLab’s\r\nSource: https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/05/19/malware-src-asyncrat.html"
	],
	"report_names": [
		"malware-src-asyncrat.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d33cc37ac9793ddc24b80bb8449ab4ad2e8f086.pdf",
		"text": "https://archive.orkl.eu/0d33cc37ac9793ddc24b80bb8449ab4ad2e8f086.txt",
		"img": "https://archive.orkl.eu/0d33cc37ac9793ddc24b80bb8449ab4ad2e8f086.jpg"
	}
}