{
	"id": "e9c9b23e-e1ba-4973-8738-47ffb0561e40",
	"created_at": "2026-04-10T03:19:56.705537Z",
	"updated_at": "2026-04-10T13:12:13.913006Z",
	"deleted_at": null,
	"sha1_hash": "29f9188f1acfc48d1d3fe6eee4c2f8aa70a856cc",
	"title": "Playing with AsyncRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1519846,
	"plain_text": "Playing with AsyncRAT\r\nBy Abdallah Elnoty\r\nPublished: 2022-02-16 · Archived: 2026-04-10 02:43:32 UTC\r\nAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure, encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim’s computer. AsyncRAT is delivered by various methods such as spear-phishing, malvertising, exploit kits and other techniques.\r\nWe will walk through the .NET code in dnSpy to learn how it works.\r\nSample overview\r\nsha256: 8021f8aa674ce3a2ccb2e8f917ebaf5b638607447f0df0e405e837dd2e7a7ccd\r\nThis sample is packed; I unpacked it automatically with unpac.me (an online unpacker) and got the unpacked payload analysed below.\r\n(figure: process flow from one sandbox run)\r\nhttps://eln0ty.github.io/malware%20analysis/asyncRAT/\r\nPage 1 of 14\r\nInitialization\r\nFirst, the malware sleeps for 3 seconds; the code gives no obvious reason for the delay.\r\nSecond, it initializes all settings from its hardcoded configuration.\r\n(figure: init.jpg)\r\nSettings Details\r\nHere the malware decrypts all of its configuration values, which are stored AES-256 encrypted.\r\nThen it verifies the integrity of these configuration values and returns the result; if verification fails, the process exits. You can extract the decrypted values with a debugger.\r\nThen the malware checks whether any of these configuration values has been changed, using ServerSignature and ServerCertificate with the VerifyHash function, and returns the result. 
It’s something like a watermark in the code :)\r\nConfig Decryption\r\nYou don’t need to understand the cryptography to follow the rest of the analysis, but it is worth learning, so I will explain it as well as I can. If you don’t care, skip ahead to Mutex creation. Let’s start with Key = ejFjc0p0QWtudENHVTdsakhjTExYbm1KM1RqbTVUMlA= .\r\nThe malware Base64-decodes this key and interprets the bytes as UTF-8, so now Key = z1csJtAkntCGU7ljHcLLXnmJ3Tjm5T2P .\r\nDeriving keys\r\nPBKDF2 (specified in RFC 8018) is a password-based key derivation function; here it is used to derive the real decryption key at run time from the key above.\r\nTo reproduce it we need its parameters: dec_key = PBKDF2(key, Salt, iterations). In this sample the PRF is HMAC-SHA1 (the default of the .NET PBKDF2 class, Rfc2898DeriveBytes) with 50000 iterations, as the script below shows.\r\nAES256\r\nThis dec_key is then used with AES-256 in CBC mode to decrypt every configuration value.\r\nEach encrypted value (the Ports value, for example), once Base64-decoded, is laid out in three sections:\r\nData[:32] -> HMAC-SHA256 value\r\nData[32:48] -> IV\r\nData[48:] -> Encrypted bytes\r\nScript\r\nThis Python script automates all of the decoding steps.\r\n# 1) use PBKDF2 to derive the decryption key (the same PBKDF2 stream also yields the key used for the HMAC-SHA256 check)\r\n# 2) compute HMAC-SHA256 over data[32:] and compare it with the embedded tag data[:32] (skipped in this script)\r\n# 3) iv = data[32:48]\r\n# 4) aes_dec(key, iv, data[48:])\r\n# pip install malduck   (PBKDF2 comes from the standard-library hashlib module)\r\nfrom base64 import b64decode\r\nfrom hashlib import pbkdf2_hmac\r\nfrom malduck import aes, unpad\r\n# NOTE: the salt and the Hosts/MTX values below are truncated in the archived copy of this post;\r\n# read the full 32-byte salt and the full Base64 strings from the sample's Settings class.\r\nsalt = b\"\\xbf\\xeb\\x1e\\x56\\xfb\\xcd\\x97\\x3b\\xb2\\x19\\x02\\x24\\x30\\xa5\\x78\\x43\\x00\\x3d\\x56\\x44\\xd2\\x1e\\x62\\xb9\\xd4\"  # truncated\r\nkey = b\"ejFjc0p0QWtudENHVTdsakhjTExYbm1KM1RqbTVUMlA=\"\r\nconfig = {\r\n \"Ports\": 
\"UGCInR8TOWCBkQI6fVXrRZ4Yj+b4OvMqcvbx3n2pTLIpcwWtvmX+PX6uN7uIsx65cuUHbVopkDdPuRbLHd6jfg==\",\r\n \"Hosts\": \"k/33hCqQ1vnvaz3j8VvjdZRXF/poiYruJfX1WbFuFhwXYuNriBFrqyi0fQfk4xN0LS85PC6oOtCuLYarjJSnLsoDQGhIWf6+CT\",  # truncated in the archived copy\r\n \"Version\": \"WG0EkFzynw3wCeMtt128RLUZgT6BSNw7pqLDg9XUMRmpx5WpQw1ZN64GLHYrP/h47iM2KImVVeY0wAT1RqMVVg==\",\r\n \"Install\": \"3/TL2kdA5ptdHUR1gfeiPmkurKrJsw3BjJ7njALFi+ouT64Tx5oE1P7U7NktNpWfBZVmmjxeR/xSyR14NdEPcw==\",\r\n \"MTX\": \"7vyshlirEg6SwhKPRttI85LoRXYLoFWLzaDM4h57MqKcy9iihijskYVbiDhhZu5qzqRxMBX5DpJ6dAfancdQ8cqHklNaopJNiz3/\",  # truncated in the archived copy\r\n \"Anti\": \"fvHzWJyCKwkBHk/dOoyPPC5w+F3GyNg0t7NAj8VXjA2b0ntbSqH11xvQACf2jGX7VSLAd6BjykqqQIJAb98Veg==\",\r\n \"Pastebin\": \"B52OeJUAfsMHW3Ea2wBUni41OckwUyCtHz3yHsDSn9XjE4U+ncvS0Kmik61ZnDWTm+oNBPoQaDb5PHqfInPGXQ==\",\r\n \"BDOS\": \"++zHWqz0o5rkma5tjGrmNMSXzvLTZVOFmlOz4lhTPTPejjFLjqH/rhhciAYgm+Mq5bOazkPYeFGYC8q5I47wVA==\",\r\n \"Group\": \"fwbqIWwfsG6vrljdbLznhYHm5g+qylXiJVparVYZ5s61hXK84/sQMNn6fTH09rZ+MeWdbYV1AhcKtEpQzJ6I5g==\",\r\n}\r\nkey = b64decode(key)  # the UTF-8 bytes of z1csJtAkntCGU7ljHcLLXnmJ3Tjm5T2P\r\ndec_key = pbkdf2_hmac(\"sha1\", key, salt, 50000, 32)  # PBKDF2-HMAC-SHA1, 50000 rounds, 32-byte AES-256 key\r\nfor k, v in config.items():\r\n data = b64decode(v)\r\n iv = data[32:48]  # data[:32] is the HMAC-SHA256 tag, not checked here\r\n decrypted = unpad(aes.cbc.decrypt(dec_key, iv, data[48:]))  # AES-256-CBC, then strip PKCS7 padding\r\n print(\"{}: {}\".format(k, decrypted.decode(\"utf-8\")))\r\nAfter running the script, we have a clean config.\r\nkey <- \"z1csJtAkntCGU7ljHcLLXnmJ3Tjm5T2P\"\r\nports <- \"6606,7707,8808\"\r\nHost <- \"jeazerlog.duckdns.org\"\r\nversion <- \"0.5.7B\"\r\nInstall <- \"false\"\r\nMTX <- \"AsyncMutex_6SI8OkPnk\"\r\nPastebin <- \"null\"\r\nAnti <- \"false\"\r\nBDOS <- \"false\"\r\nGroup <- \"gta\"\r\nNote that the malware also computes a Hwid (hardware ID) while executing; I got its value with the debugger:\r\nHwid = 1021C7B642607CE65116\r\nMutex\r\nThe malware creates a mutex named with the MTX value extracted from Settings, to prevent 
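The script above skips step 2, the HMAC check, and it can only afford to because the analyst already holds the right key and salt; with a wrong key the AES step would silently produce garbage. The following added example (my code, not the post author's script, the malware's own code or the malduck API) shows that step in full. The hashlib and hmac modules from the Python standard library do the derivation and the check; only the AES-256-CBC step in decrypt_value needs the third-party cryptography package, which is why the demo authenticates a constructed blob instead of decrypting real config. Assumptions not taken from the post: the placeholder DEMO_SALT, the constructed IV and ciphertext, and the rule that the 64-byte HMAC key is the next 64 bytes of the same PBKDF2-HMAC-SHA1 stream as the 32-byte AES key (Rfc2898DeriveBytes.GetBytes(32) followed by GetBytes(64), as in the open-source AsyncRAT client); confirm both against your sample in dnSpy.

```python
# Added example, not code from the original post: authenticate an AsyncRAT-style
# config blob (tag || iv || ciphertext) before decrypting it.
import hashlib
import hmac

ITERATIONS = 50000  # Rfc2898DeriveBytes iteration count used by the sample

# Constructed placeholder salt for the demo. Substitute the 32-byte salt read
# from the Aes256 class of your sample when working on real data.
DEMO_SALT = bytes.fromhex('00112233445566778899aabbccddeeff' * 2)


def derive_keys(master_key, salt, iterations=ITERATIONS):
    '''Return (enc_key, auth_key) from one PBKDF2-HMAC-SHA1 stream.
    Assumption (matches the open-source AsyncRAT client): GetBytes(32) is the
    AES-256 key and the following GetBytes(64) is the HMAC-SHA256 key.'''
    stream = hashlib.pbkdf2_hmac('sha1', master_key, salt, iterations, 32 + 64)
    return stream[:32], stream[32:]


def split_blob(blob):
    '''Split a Base64-decoded value into (tag, iv, ciphertext).
    Requires at least one full ciphertext block after the 48-byte header.'''
    if len(blob) < 64 or (len(blob) - 48) % 16 != 0:
        raise ValueError('blob too short or ciphertext not block aligned')
    return blob[:32], blob[32:48], blob[48:]


def verify_mac(blob, auth_key):
    '''True if HMAC-SHA256(auth_key, iv || ciphertext) equals blob[:32].'''
    tag, iv, ct = split_blob(blob)
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time compare


def decrypt_value(blob, master_key, salt):
    '''Authenticate, then AES-256-CBC decrypt and strip PKCS7 padding.
    Raises ValueError on MAC mismatch (wrong key, wrong salt or tampering)
    without ever running AES on unauthenticated bytes.'''
    enc_key, auth_key = derive_keys(master_key, salt)
    if not verify_mac(blob, auth_key):
        raise ValueError('MAC mismatch: wrong key/salt or corrupted data')
    _, iv, ct = split_blob(blob)
    # Third-party dependency, imported lazily so the rest works without it.
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError('bad PKCS7 padding')
    return padded[:-pad].decode('utf-8')


def build_blob(iv, ciphertext, auth_key):
    '''Lay out tag || iv || ciphertext exactly as the client expects it.'''
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return tag + iv + ciphertext


def demo():
    '''Build a blob from constructed data and show what the MAC check catches.'''
    master_key = b'z1csJtAkntCGU7ljHcLLXnmJ3Tjm5T2P'  # UTF-8 bytes of the sample key
    enc_key, auth_key = derive_keys(master_key, DEMO_SALT)
    iv = bytes(range(16))          # constructed IV
    ciphertext = bytes(range(32))  # constructed stand-in ciphertext (2 blocks)
    blob = build_blob(iv, ciphertext, auth_key)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one ciphertext bit
    wrong_auth_key = derive_keys(b'not-the-real-key', DEMO_SALT)[1]
    return {
        'key_lengths': (len(enc_key), len(auth_key)),
        'genuine': verify_mac(blob, auth_key),
        'tampered': verify_mac(tampered, auth_key),
        'wrong_key': verify_mac(blob, wrong_auth_key),
    }


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

Running the block prints four results: the genuine blob verifies, while a single flipped ciphertext bit or a wrong master key fails the check before any AES work is done. With the real 32-byte salt from the sample and the cryptography package installed, decrypt_value(b64decode(value), key_bytes, salt) returns the plaintext of one configuration value or raises on the first byte that does not authenticate.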
duplication of the process (MTX = \"AsyncMutex_6SI8OkPnk\"): if the mutex already exists, the duplicate process ends itself.\r\nAnti Analysis\r\nWe are lucky: this sample does not use any anti-analysis technique, because Anti = false in the Settings class.\r\nStill, let’s look at what happens when a malware operator takes the harder path and sets Anti = true. The client then runs five checks intended to make the analyst’s life difficult:\r\n1. VM detection: the malware searches the system manufacturer and model strings for keywords such as VIRTUAL, vmware or VirtualBox.\r\n2. Debugger detection: it checks whether a debugger is attached and, if so, stops the process.\r\n3. Sandbox detection: it tries to get a module handle for SbieDll.dll. That DLL belongs to Sandboxie specifically, so this check catches Sandboxie, not every sandbox.\r\n4. Small disk detection: analysis labs, especially virtual machines, usually have a small disk, so the client checks the size of the system drive.\r\n5. Windows XP detection: almost nobody uses XP today except for malware analysis and similar purposes, so running on XP is treated as a sign of an analysis box.\r\nLet’s move on to the next step in our main function.\r\nInstall\r\nOnce again we are in luck: the malware operator chose not to use any persistence mechanism, since Install = false.\r\nBut let’s take the hard path again. What if Install = true in Settings? 
Let’s go…\r\nFirst the malware compares the path it is running from with the install path in Settings; if they differ, the running copy is replaced: the malware copies itself to the hardcoded path under %AppData%, writes a .bat file in %temp% that starts the new copy, and then deletes the original.\r\nPersistence\r\nThe malware checks whether it has administrator privilege. If it does, it creates a scheduled task that runs the payload every time a user logs on; otherwise, as a normal user, it adds itself to the Software\\Microsoft\\Windows\\CurrentVersion\\Run subkey so that it is started with the user’s session.\r\nBSOD\r\nThe malware skips this step in the main function because BDOS = false.\r\nOtherwise it would check that it is running as administrator and then mark its own process as critical (RtlSetProcessIsCritical), so that terminating the process crashes the system with a BSOD.\r\nFor more about RtlSetProcessIsCritical and its risks, the linked article explains it in depth.\r\nFinishing configurations\r\nAt this point configuration is complete and the malware enters its main loop, which runs for as long as the process lives.\r\nThe next step establishes the connection with the C2 server.\r\nConnection with C2\r\nI won’t explain the code in much detail at this level of analysis, since it is mostly networking plumbing; I’ll just describe what is going on.\r\nThe malware runs an infinite loop to connect to the C2. Each iteration first checks whether it is already connected, then sleeps for 5 seconds so that the loop does not spin and exhaust resources.\r\nBriefly, here is what happens when the malware disconnects.\r\nFirst, it calls a Reconnect function that disposes the existing connection and any pending packets.\r\nThen it initializes a new TCP client connection through 
the TLS protocol for a secure connection. You can check the code yourself. -_^\r\nServer side operations\r\nOnce the victim runs the malware, whether delivered by a phishing mail or by some other lure, the new client appears in the attacker’s panel, and from that moment the victim’s machine is completely under the attacker’s control; some of the available functions are shown below.\r\nConclusion\r\nThe malware decrypts its AES-256-encrypted settings and then connects the victim machine to the C2 server. From that point on, every command comes from the operator on the other end of the C2 channel; none of it is embedded in the code.\r\nFinally, I hope you had fun and learned something new. See you in another analysis report.\r\nIOCs\r\nHashes\r\nPacked: 8021f8aa674ce3a2ccb2e8f917ebaf5b638607447f0df0e405e837dd2e7a7ccd\r\nUnpacked: bc61724d50bff04833ef13ae13445cd43a660acf9d085a9418b6f48201524329\r\nC2s\r\njeazerlog.duckdns.org:6606\r\njeazerlog.duckdns.org:7707\r\njeazerlog.duckdns.org:8808\r\nMutexes\r\nAsyncMutex_6SI8OkPnk\r\nRegistry keys\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (the Run key written by the non-administrator persistence path lives in the user hive; an unprivileged process cannot write HKLM\\...\\Run)\r\nSource: https://eln0ty.github.io/malware%20analysis/asyncRAT/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://eln0ty.github.io/malware%20analysis/asyncRAT/"
	],
	"report_names": [
		"asyncRAT"
	],
	"threat_actors": [],
	"ts_created_at": 1775791196,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29f9188f1acfc48d1d3fe6eee4c2f8aa70a856cc.pdf",
		"text": "https://archive.orkl.eu/29f9188f1acfc48d1d3fe6eee4c2f8aa70a856cc.txt",
		"img": "https://archive.orkl.eu/29f9188f1acfc48d1d3fe6eee4c2f8aa70a856cc.jpg"
	}
}