{
	"id": "8293650a-8c89-439d-ada2-0e004f1fe452",
	"created_at": "2026-04-06T00:20:17.887386Z",
	"updated_at": "2026-04-10T03:21:28.542251Z",
	"deleted_at": null,
	"sha1_hash": "894f61e96573e609148db8f3687be5a8b3214bb3",
	"title": "AsyncRAT: Using Fully Undetected Downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 198963,
	"plain_text": "AsyncRAT: Using Fully Undetected Downloader\r\nBy Gustavo Palazolo\r\nPublished: 2022-08-29 · Archived: 2026-04-05 17:47:28 UTC\r\nSummary\r\nAsyncRAT is an open-source remote administration tool released on GitHub in January 2019. It’s designed to\r\nremotely control computers via encrypted connection, providing complete control via functionalities such as:\r\nView and record screen\r\nKeylogger\r\nUpload, download and execute files\r\nChat communication\r\nPersistence mechanisms\r\nDisable Windows Defender\r\nShutdown / Restart the machine\r\nDOS attack\r\nAlthough the official GitHub repository contains a legal disclaimer, AsyncRAT is popularly used by attackers and\r\neven some APT groups. Netskope Threat Labs recently came across a FUD (Fully Undetected) Batch script which\r\nis downloading AsyncRAT from an Amazon S3 Bucket. At the time of our analysis, the Batch script wasn’t being\r\ndetected by any of the antivirus engines on VirusTotal. The attacker used some simple techniques to make the\r\nscript fly under the radar, as we will describe later in this analysis.\r\nThe downloaded file (second stage) is a PowerShell script that creates and uses multiple files to execute\r\nAsyncRAT, which is injected into a legitimate process.\r\nhttps://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader\r\nPage 1 of 25\n\nIn this blog post, we will analyze the complete infection flow of AsyncRAT, from the FUD BAT downloader\r\nspotted by the MalwareHunterTeam to the last payload.\r\nStage 01 – FUD Downloader\r\nThe first stage is a batch script that contains zero detections on VirusTotal.\r\nFUD AsyncRAT downloader.\r\nAlthough no AV vendor is detecting the file, it contains many detections via Sigma and IDS rules, as well as by\r\nsandboxes used by VirusTotal.\r\nSigma rules detecting malicious behavior.\r\nThe file not being detected is likely due to 
a long string added in the file multiple times (more than 100) by the\r\nattacker.\r\nCommented strings added to the file.\r\nThe string is always the same and is in Japanese. Doing a rough translation, this string seems to be nonsense\r\nwords added by the attacker.\r\nRough translation from the string found multiple times in the file.\r\nThe malicious command is quite simple and it can be found within the nonsense strings. It’s slightly obfuscated,\r\nwhich probably contributes to the absence of detection.\r\nCommand executed by the batch file.\r\nThe command downloads and executes the second stage via PowerShell from an Amazon S3 bucket.\r\nStage 02 – PowerShell\r\nThe file downloaded from the Amazon S3 bucket is a PowerShell script. As we demonstrated in the diagram in the\r\nsummary section, this script creates multiple files to execute the last stage.\r\nFirst, it creates a folder named “Not” in “C:\\ProgramData”.\r\nSecond stage creating a directory.\r\nThen, it creates five files in this directory. The primary goal of this stage is to run another PowerShell script in a\r\nchained execution, described below:\r\n1. File “xx.vbs” is executed by the second stage;\r\n2. File “xx.vbs” executes file “xx.bat”;\r\n3. File “xx.bat” executes file “Bin.vbs” via scheduled task;\r\n4. File “Bin.vbs” executes file “Bin.bat”;\r\n5. 
And finally, “Bin.bat” executes “Bin.ps1” via PowerShell.\r\nChained execution to run “Bin.ps1”.\r\nThere are two PE files within the last PowerShell script.\r\nTwo PE files within the last PowerShell script.\r\nThe first file is known as “RunPE” and it’s used to inject AsyncRAT into a legitimate process, which is the second\r\nPE file in the script.\r\nPowerShell running RunPE.\r\nThe PowerShell script loads RunPE directly into memory, so none of the PE files are written into disk.\r\nStage 03 – RunPE\r\nThis file is responsible for injecting AsyncRAT into another process using Process Hollowing. It’s developed in\r\n.NET and protected with Confuser.\r\nRunPE details.\r\nThe PowerShell script in the second stage loads RunPE in memory and calls a method named “Execute” from\r\n“GIT.local”. The method receives the path of the targeted executable\r\n(“C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe”) and the AsyncRAT bytes in the\r\narguments.\r\nMethod executed by the PowerShell.\r\nAfter removing part of the obfuscation, we can confirm that AsyncRAT is being injected via Process Hollowing.\r\nSome of the API calls used for Process Hollowing.\r\nStage 04 – AsyncRAT\r\nAs previously mentioned, AsyncRAT is an open-source remote administration tool developed in .NET, and it’s\r\noften abused by attackers. 
The specific sample analyzed in this blog post was likely compiled on July 22, 2022.\r\nAsyncRAT sample delivered by the FUD Batch script.\r\nThis sample doesn’t contain any obfuscation or protection, so it’s not difficult to understand the code once\r\ndecompiled. \r\nDecompiled AsyncRAT sample.\r\nWe can summarize AsyncRAT’s main execution flow in six steps:\r\n1. Initializes its configuration (decrypts the strings);\r\n2. Verifies and creates a Mutex (to avoid running duplicated instances);\r\n3. If enabled in the settings, exits if a virtualized or analysis environment is detected;\r\n4. If enabled in the settings, establishes persistence;\r\n5. If enabled in the settings, sets its own process as critical;\r\n6. Starts the communication with the server.\r\nAsyncRAT main method.\r\nAsyncRAT’s configuration is decrypted within the “InitializeSettings” method.\r\nAsyncRAT method that initializes the configuration.\r\nAsyncRAT uses AES-256 in CBC mode to decrypt the strings.\r\nAsyncRAT method that decrypts data using AES.\r\nThis function reads a base64-encoded string, where the first 32 bytes represent the HMAC, the following 16\r\nbytes the decryption IV, and the remaining bytes are the encrypted data.\r\nAsyncRAT variables storing encrypted data.\r\nWe created a Python script that can be used to decrypt AsyncRAT strings using the same algorithm. 
\r\nDecrypting AsyncRAT configuration.\r\nThe anti-analysis feature of this sample is disabled, but AsyncRAT provides the option to detect virtualized and\r\nanalysis environments via simple techniques, such as checking the disk size, checking the OS manufacturer and\r\nmodel, etc.\r\nAsyncRAT anti-analysis method.\r\nIt’s also able to establish persistence via registry or a scheduled task.\r\nAsyncRAT persistence mechanisms.\r\nFurthermore, AsyncRAT stores the C2 address and port within its configuration. However, it also provides the\r\noption to download this information from Pastebin.\r\nMethod to download C2 address and port from Pastebin.\r\nAfter all the steps executed by the main function, which we summarized earlier, AsyncRAT starts an encrypted\r\ncommunication with the C2 server. Once connected, the attacker has full control over the device through GUI, as\r\nshown in the example below.\r\nExample of AsyncRAT controller.\r\nConclusions\r\nIn this blog post, we analyzed the complete attack flow of AsyncRAT, from the downloader to the last payload. In\r\nthis scenario, the attacker used simple techniques to make the downloader fly under the radar, being detected by\r\nnone of the engines on VirusTotal. Furthermore, since AsyncRAT is open-source, one could easily change its code\r\nto add or remove functionalities as needed.\r\nBatch scripts like this are commonly used by attackers as an initial foothold. 
We expect an increase in the use of\r\nthis file type and others (such as LNK and VBS) after Microsoft released a protection against malicious Microsoft\r\nOffice macros, which are also popularly abused to deliver malware. Netskope Threat Labs always recommends\r\nusers avoid opening files of unknown origin, especially those received by email. For organizations, we strongly\r\nrecommend security training for employees and the use of a secure web gateway with advanced threat protection\r\nthat can scan and detect malicious files in real time.\r\nProtection\r\nNetskope Threat Labs is actively monitoring this campaign and has ensured coverage for all known threat\r\nindicators and payloads. \r\nNetskope Threat Protection\r\nGeneric.AsyncRAT.B.80EDEB92\r\nNetskope Advanced Threat Protection provides proactive coverage against this threat.\r\nGen.Malware.Detect.By.StHeur indicates a sample that was detected using static analysis\r\nGen.Malware.Detect.By.Sandbox indicates a sample that was detected by our cloud sandbox\r\nIOCs\r\nAll the IOCs related to this campaign and scripts can be found in our GitHub repository.\r\nSource: https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netskope.com/blog/asyncrat-using-fully-undetected-downloader"
	],
	"report_names": [
		"asyncrat-using-fully-undetected-downloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/894f61e96573e609148db8f3687be5a8b3214bb3.pdf",
		"text": "https://archive.orkl.eu/894f61e96573e609148db8f3687be5a8b3214bb3.txt",
		"img": "https://archive.orkl.eu/894f61e96573e609148db8f3687be5a8b3214bb3.jpg"
	}
}