{
	"id": "a887fccc-b909-4590-ab15-b1ed6c8447e7",
	"created_at": "2026-04-06T00:11:38.559347Z",
	"updated_at": "2026-04-10T03:21:22.674508Z",
	"deleted_at": null,
	"sha1_hash": "3f1ba50263fa0ac346e8b0a15bff9aaed802ca05",
	"title": "AsyncRAT Crusade: Detections and Defense | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8135956,
	"plain_text": "AsyncRAT Crusade: Detections and Defense | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2023-03-27 · Archived: 2026-04-05 15:14:44 UTC\r\nSplunk is committed to using inclusive and unbiased language. This blog post might contain terminology that we no longer use. For more information on our updated terminology and our stance on biased language, please visit our blog post. We appreciate your understanding as we work towards making our community more inclusive for everyone.\r\nIn January 2019 AsyncRAT was released as an open source remote administration tool project on GitHub. AsyncRAT is a popular commodity malware and tool used by attackers and APT groups. Threat actors and adversaries have used several interesting script loaders and spear-phishing attachments to deliver AsyncRAT to targeted hosts or networks in different campaigns.\r\nOne prevalent campaign in the wild with this remote access trojan uses a Microsoft OneNote spear-phishing attachment to load an .HTA file that downloads and runs an obfuscated batch script to execute the actual AsyncRAT code.\r\nAmong its many features, AsyncRAT encrypts its C2 communication protocol and provides several capabilities via plugins, including:\r\nChat Communication\r\nFile Search\r\nKeylogger\r\nProcess Manager (Process list)\r\nExtract Browser Credentials\r\nView and Record Desktop Screen\r\nRun Miner\r\nSend Files\r\nRemote Camera\r\nFile Manager\r\nGet drivers list\r\nUpload files\r\nDelete folders and files\r\nCopy files\r\nhttps://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html\r\nPage 1 of 15\n\nRename files and folders\r\n7z archiving files\r\nWatch the video below to learn more about the AsyncRAT OneNote campaign.\r\nFigure 1 shows a short summary of the infection chain of the OneNote campaigns that are discussed further in this article, including other interesting phishing campaigns that load different scripts to execute AsyncRAT.\r\nFigure 1\r\n(For a larger resolution of this diagram visit this link)\r\nAsyncRAT has also been in the weekly TOP 10 malware trends tracker on app.any.run for the past few months.\r\nReference (tweet)\r\nIn the following sections, we explore a recent OneNote campaign, show how to extract the AsyncRAT configuration, dive into common behaviors and review additional AsyncRAT script loaders.\r\nTechnical Analysis\r\nOneNote Campaign\r\nT1566.004 - Phishing: Spear Phishing Attachment\r\nMalicious OneNote Attachment\r\nThe Splunk Threat Research Team (STRT) found several phishing email campaigns that contain malicious .one (OneNote) attachments. The malicious OneNote document lures the targeted user into clicking through the warning to view the document, as seen in Figure 2.\r\nAs soon as the user clicks, it automatically loads a malicious .HTA file to download the second stage of this infection chain.\r\nFigure 2\r\nT1218.005 - System Binary Proxy Execution: Mshta\r\n.HTA Downloader\r\nThe .HTA file embedded in the .one file is responsible for downloading a .bat script that will decode the actual AsyncRAT malware. Simultaneously, another .one file acts as a decoy document to hide the execution of the malicious .bat script from the compromised user. Figure 3 is the code snippet of the .HTA file using the PowerShell cmdlet Invoke-WebRequest to download both the decoy .one file (%temp%\\\\invoice.one) and the .bat script stager (%temp%\\\\system32.bat).\r\nFigure 3\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\r\n.BAT Script Stager\r\nThe .bat script dropped in the %temp% folder is obfuscated to evade antivirus and other security products. The script initializes a series of environment variables containing string fragments that are concatenated at the end of its code to generate the PowerShell script that decodes, decrypts and loads the actual payload. Figure 4 shows the last part of the .bat script, where it concatenates and executes the strings held in several environment variables to generate the PowerShell script loader.\r\nFigure 4\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nPowerShell Loader\r\nFigure 5.2 shows a screenshot of the commented portion of the .bat script, which is the encoded and encrypted payload. The PowerShell script generated and executed by the .bat script performs the following steps to extract and execute the actual malware payload.\r\n1. It decodes the BASE64-encoded comment string shown in Figure 5.2.\r\n2. It uses the AES cryptography namespace together with the BASE64-encoded AES key and AES IV to decrypt the decoded chunk data.\r\n3. Finally, after decryption, it decompresses the result using the GZIP algorithm to extract the malware executable and loads it using the .NET Reflection library.\r\nFigure 5.1 is a simple flow diagram of how the PowerShell script executed by the .bat script decrypts the AsyncRAT malware.\r\nFigure 5.1\r\nFigure 5.2\r\nFigure 5.3\r\nThe batch script shown earlier is not only used to load AsyncRAT: other malware families such as QuasarRAT, DCRAT, Redline, Qakbot and more use this batch script, and samples can be found in Malware Bazaar. In order to decrypt multiple malicious batch scripts and extract the actual payload automatically, the Splunk Threat Research Team created a simple Python script, “asyncrat_bat_extractor.py”, that accepts as a parameter a file or a folder containing several batch files to be extracted. Figure 6 shows a simple execution example of this tool and how it decrypts several batch files in the “test” folder and places all the extracted payloads in the “extracted_payload” folder.\r\nFigure 6\r\nNow let's look at the AsyncRAT TTPs to recognize its behavior and support analytics development.\r\nAsyncRAT Common Checks\r\nAsyncRAT is a .NET RAT that is being used by several threat actors to compromise organizations. During our research, the STRT found common behaviors that assist with detecting AsyncRAT on the endpoint.\r\nPersistence\r\nThe AsyncRAT client checks whether its code runs with administrative privileges. If so, it adds a Windows Scheduled Task using SchTasks.exe with the highest run level to execute the copy of itself in %appdata%. Figure 7.1 shows one of the STRT analytics to detect AsyncRAT Scheduled Tasks.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=\r\n where Processes.process_name = \"schtasks.exe\" Processes.process = \"*/rl *\" Processes.process = \"* highest *\"\r\n by Processes.process_name Processes.parent_process_name Processes.parent_process Processes.process Processes.p\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 7.1\r\nIf AsyncRAT is not running with administrative privileges, it uses the Registry Run key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for its persistence. Figure 7.2 shows the code snippet of the AsyncRAT function that creates its persistence on a compromised host.\r\nFigure 7.2\r\nPrivilege Escalation\r\nIt also adjusts its process token to enable the “SeDebugPrivilege” privilege, gaining more control over other processes. Figure 8 shows the code adjusting its current process token to gain the debug privilege.\r\nFigure 8\r\nDefense Evasion\r\nAsyncRAT has several defensive features to evade sandbox analysis or remote debugging of its code. The following features can be seen in Figure 9 with short descriptions:\r\nFigure 9\r\nFigure 10 is the code that drops a .bat script in the %temp% folder to delete itself as part of its defense evasion technique, clearing its tracks after execution and dropping a copy of itself on the compromised host.\r\nFigure 10\r\nCommand and Control\r\nThe last part is how communication is set up to the command and control server to download plugins or other payloads to the compromised host. AsyncRAT decrypts its AES-encrypted configuration data, including the port (6606) and C2 IP address (43.138[.]160.55) that will be used for C2 communication. Figure 11.1 is a screenshot of the decrypted config data of the AsyncRAT sample we analyzed, while Figure 11.2 is the code snippet for C2 server communication and C2 downloads.\r\nFigure 11.1\r\nFigure 11.2\r\nOther AsyncRAT Script Loaders\r\nAside from the ongoing OneNote campaign, the STRT has also noticed other ways threat actors deliver AsyncRAT malware: a phishing link campaign, an ISO file, or another malware downloader.\r\nAbusing .rels xml - Template Injection\r\nIn February 2022, Microsoft pushed an update to disable macros by default in Office products. Because of this, many threat actors and adversaries worked to find other ways to weaponize Microsoft Office documents. One of those techniques is abusing the .rels file, which contains properties that define how the document is constructed. These properties can be used to reference remote resources via URLs. Figure 12.1 shows a screenshot of what this document looks like and how it abuses the footer2.xml rels properties of this Office document to connect to a malicious link that downloads an .xll file, which then downloads AsyncRAT.\r\nFigure 12.1\r\nFigure 12.2 shows one of our AsyncRAT hunting analytics that detects this malicious Office document connecting to non-Microsoft Office domains.\r\n`sysmon` EventCode=22 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\",\r\n \"*\\\\OneNotem.exe\",\"*\\\\OneNoteviewer.exe\",\"*\\\\OneNoteim.exe\")\r\n AND NOT(QueryName IN (\"*.office.com\", \"*.office.net\"))\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image QueryName QueryResults QueryStatus Compu\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 12.2\r\n.VBS DynamicWrapperX Loader\r\nWe also found a .vbs script loader that writes dynwrapx.dll to disk to be able to use the DynamicWrapperX object to inject or execute the actual payload. This .vbs script was also analyzed in detail by the STRT in our previous blog, “Detecting Malware Script Loaders using Remcos”. Figure 13 shows a short code snippet of the .vbs script that uses dynwrapx.dll to load shellcode that executes the actual AsyncRAT.\r\nFigure 13\r\nMore PowerShell Script Loaders\r\nAnother instance we found was an obfuscated PowerShell script used to load the actual AsyncRAT code. The PowerShell script converts a large hex string to binary bytes, which is the .NET-compiled AsyncRAT, and executes it through the .NET Reflection Assembly Load library.\r\nFigure 14 shows the code snippet of this PowerShell script, highlighting the part of the hex string that will be converted to the binary bytes of AsyncRAT.\r\nFigure 14\r\nThis article shows the infection chain of a malicious OneNote Microsoft Office document campaign that is rampant and widely used by different threat actors or APTs to deliver a malicious payload or to gain initial access to the targeted host. This blog may help SOC and security analysts see how this OneNote Microsoft Office document is being abused and how to add defensive measures against it.\r\nIOCs\r\nHashes of samples we’ve analyzed in this article.\r\nDetections\r\nThe Splunk Threat Research Team has curated relevant detections and tagged them to the AsyncRAT Analytic Story to help security analysts detect adversaries leveraging the AsyncRAT malware. This analytic story introduces 23 detections across MITRE ATT\u0026CK techniques.\r\nFor this release, we used and considered the relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security Event Id 4688, Sysmon, or any Common Information Model compliant EDR technology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nAutomating with SOAR Playbooks\r\nAll of the detections associated with this analytic story create entries in the Splunk Enterprise Security risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks can also be used in conjunction with some of the previously described analytics:\r\nWhy Should You Care?\r\nWith this article, the Splunk Threat Research Team (STRT) enables security analysts, blue teamers and Splunk customers to identify AsyncRAT malware. This article helps the community discover AsyncRAT tactics, techniques and procedures that are being used by several threat actors and adversaries (APTs). By understanding its behaviors, we were able to generate telemetry and datasets to develop and test Splunk detections designed to defend and respond against this threat.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team for their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and Patrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/asyncrat-crusade-detections-and-defense.html"
	],
	"report_names": [
		"asyncrat-crusade-detections-and-defense.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f1ba50263fa0ac346e8b0a15bff9aaed802ca05.pdf",
		"text": "https://archive.orkl.eu/3f1ba50263fa0ac346e8b0a15bff9aaed802ca05.txt",
		"img": "https://archive.orkl.eu/3f1ba50263fa0ac346e8b0a15bff9aaed802ca05.jpg"
	}
}