{ "id": "445de267-ee11-40c2-81a9-efe881ca8008", "created_at": "2026-04-06T00:10:37.145374Z", "updated_at": "2026-04-10T03:35:20.33021Z", "deleted_at": null, "sha1_hash": "a2f7a228be6b80c13c29b9663a599d734cf75efc", "title": "A Bag of RATs: VenomRAT vs. AsyncRAT", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 159109, "plain_text": "A Bag of RATs: VenomRAT vs. AsyncRAT\r\nBy Anna Širokova\r\nPublished: 2024-11-21 · Archived: 2026-04-05 21:44:27 UTC\r\nIntroduction\r\nRemote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control\r\nover compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the\r\nwell-known RATs are VenomRAT and AsyncRAT. These are open-source RATs and have been making headlines\r\nfor their frequent use by different threat actors, including Blind Eagle/APT-C-36, Coral Rider, NullBulge, and\r\nOPERA1ER. Both RATs have their roots in QuasarRAT, another open-source project, which explains their\r\nsimilarities. However, as both have evolved over time, they have diverged in terms of functionalities and behavior,\r\nwhich affects how attackers use them and how they are detected.\r\nInterestingly, as these RATs evolved, some security vendors have started to blur the line between them, often\r\ngrouping detections under a single label, such as AsyncRAT or AsyncRAT/VenomRAT. This indicates how closely\r\nrelated the two are, but also suggests that their similarities may cause challenges for detection systems. We took a\r\ncloser look at recent samples of each RAT to examine how they differ, if at all.\r\nThis comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their\r\narchitecture, capabilities, and tactics.\r\nHere's a comparison table between VenomRAT and AsyncRAT based on the findings\r\nCapability VenomRAT AsyncRAT\r\nAMSI Bypass\r\n✔ Patches AmsiScanBuffer in amsi.dll (In-memory patching) T1562.001\r\n✘ Not implemented\r\nETW Bypass\r\n✔ Patches EtwEventWrite in ntdll.dll (In-memory patching) T1562.006\r\n✘ Not implemented\r\nKeylogging\r\n✔ Advanced keylogger with filtering and\r\nprocess tracking T1056.001\r\n✔ Basic keylogger with clipboard\r\nlogging T1056.001\r\nAnti-analysis\r\nTechniques\r\n✔ Uses WMI for OS detection, VM check\r\nT1497.001\r\n✔ VM, sandbox, and debugger\r\ndetection T1497\r\nHardware\r\nInteraction\r\n✔ Collects CPU, RAM, GPU, and software\r\ndata using WMI T1082\r\n✔ Collects system data via\r\nWin32_ComputerSystem T1082\r\nProcess discovery\r\n✔ This the capability to obtain a listing of\r\nrunning processes T1057\r\n✘ Not implemented\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 1 of 7\n\nCapability VenomRAT AsyncRAT\r\nAnti-process\r\nMonitoring\r\n✔ Terminates system monitoring and\r\nsecurity processes T1562.009\r\n✘ Not implemented\r\nWebcam Access ✔ Camera detection and access T1125 ✘ Not implemented\r\nDynamic API\r\nResolution\r\n✔ DInvokeCore class for dynamic API\r\nresolution T1027.007\r\n✘ Not implemented\r\nEncrypts the\r\nconfiguration\r\n✔ 16-byte salt (\"VenomRATByVenom\")\r\nT1027.013\r\n✔ 32-byte binary salt T1027.013\r\nError Handling ✔ Silent failures with basic try-catch\r\n✔ Sends detailed error reports to C2\r\nT1071\r\nTechnical analysis\r\nIn this technical analysis, we compare two specific RAT samples:\r\nVenomRAT: 1574d418de3976fc9a2ba0be7bf734b919927d49bd5e74b57553dfc6eee67371\r\nAsyncRAT: caf9e2eac1bac6c5e09376c0f01fed66eea96acc000e564c907e8a1fbd594426\r\nBoth AsyncRAT and VenomRAT are open-source remote access tools developed in C# and built on the .NET\r\nFramework (v4.0.30319). A preliminary analysis based on CAPA results revealed several shared characteristics\r\nbetween the two. For example, both RATs use standard libraries like System.IO,\r\nSystem.Security.Cryptography, and System.Net for file handling, encryption, and networking. They also have\r\ncommon cryptographic components such as HMACSHA256, AES, and SHA256Managed, indicating similar\r\nencryption routines. Indeed, upon closer code examination, we found that their encryption classes were identical,\r\nwith only one minor difference: AsyncRAT uses a 32-byte binary salt, while VenomRAT uses a 16-byte salt\r\nderived from the string \"VenomRATByVenom.\" Additionally, both RATs share similarities in configuration\r\nhandling, mutex creation, and parts of their anti-analysis class.\r\nHowever, the CAPA analysis also highlighted distinct differences between the two. Certain features present in one\r\nRAT were notably absent in the other. To verify, we manually reviewed code in both samples and described the\r\ndifferences below.\r\nKeylogging and System Hooking\r\nIn the samples we analyzed the keylogger was present only in VenomRAT. However, the open-source version of\r\nAsyncRAT has a keylogger plugin. We therefore decided to investigate whether the VenomRAT keylogger\r\nimplementation is the same as AsyncRAT’s implementation. Our findings suggest that the keylogging\r\nfunctionality is different. We summarized a comparative analysis of their keylogging implementations in the table\r\nbelow. Additionally, the VenomRAT keylogger configuration file DataLogs.conf and log files are saved in the\r\nuser’s %AppData%\\MyData folder.\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 2 of 7\n\nFeature VenomRAT AsyncRAT\r\nLow-level keyboard hook\r\n(WH_KEYBOARD_LL)\r\n✔ ✔\r\nKeystroke Processing ✔ ✔\r\nWindow/Process Tracking\r\nTracks both process and\r\nwindow title\r\nTracks window title only\r\nClipboard Logging ✘ ✔\r\nLog Transmission Periodic log sending to C2 Continuous log sending to C2\r\nFiltering Mechanism ✔ ✘\r\nError Handling\r\nSilent failures with basic try-catchSends detailed error reports to\r\nC2\r\nAdditional Features Focused on keystrokes\r\nHandles both keystrokes and\r\nclipboard\r\nThread Management ✘ ✔\r\nAnti-Analysis\r\nBoth AsyncRAT and Venom RAT have similar implementations of the anti-analysis classes. However, we can see\r\nnotable differences. AsyncRAT focuses on a broad spectrum of detection techniques, including:\r\nVirtual Machine Detection: It checks for known system manufacturer names such as\r\nVMware,VirtualBox, or Hyper-V.\r\nSandbox Detection: It looks for sandbox-related DLLs, such as SbieDll.dll from Sandboxie.\r\nDebugger Detection: AsyncRAT uses CheckRemoteDebuggerPresent to detect if it's being monitored by\r\na debugger.\r\nDisk Size Check: It avoids execution on machines with less than 60GB disk size.\r\nOn the other hand, VenomRAT uses a more targeted approach. The virtual machine detection method in\r\nVenomRAT relies on querying system memory through WMI (Windows Management Instrumentation) to query\r\nsystem memory via Win32_CacheMemory. The method relies on counting cache memory entries, and if the\r\nnumber is less than 2 cache memories, it assumes the system is a virtual machine (VM). However, modern VMs\r\nare more sophisticated, and simply relying on counting cache memories may not be effective.\r\nThe other difference is, instead of targeting debuggers or sandboxes, VenomRAT attempts to avoid running on\r\nserver operating systems by querying the Win32_OperatingSystem WMI class and checking the ProductType,\r\nwhich differentiates between desktop and server environments. We summarized class differences in the table\r\nbelow.\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 3 of 7\n\nFeature AsyncRAT AntiAnalysis Class Venom RAT Anti_Analysis Class\r\nVM Detection ✔ ✔\r\nSandbox Detection ✔ ✘\r\nDebugger Detection ✔ ✘\r\nOperating System Detection ✔ ✔\r\nProcess Discovery ✘ ✔\r\nHardware Interaction\r\nVenomRAT has hardware interaction capabilities, allowing it to gather detailed system information through WMI\r\nqueries with ManagementObjectSearcher objects. These features are encapsulated in the CGRInfo class, which\r\nenables the collection of CPU, RAM, GPU, and software data:\r\nGetCPUName(): Retrieves the CPU name and the number of cores\r\nGetRAM(): Fetches the total installed physical memory (RAM)\r\nGetGPU(): Obtains the GPU name and driver version\r\nGetInstalledApplications(): Scans the Windows Registry to compile a list of installed applications\r\nGetUserProcessList(): Collects information on all running processes with visible windows\r\nThe collected data is sent back to the command-and-control (C2) server. This class is absent in both the version of\r\nAsyncRAT we analyzed and the open-source version.\r\nDcRAT joined the party with AntiProcess and Camera classes\r\nVenomRAT includes two notable classes absent in AsyncRAT: the AntiProcess and Camera classes.\r\nThe AntiProcess class is an anti-monitoring and anti-detection component of VenomRAT. Malware uses the\r\nWindows API function CreateToolhelp32Snapshot to get a snapshot of all running processes and search for\r\nspecific processes. We categorized the processes the malware is looking for below.\r\nSystem Monitoring Tools that can prevent users from identifying or stopping VenomRAT.\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 4 of 7\n\nTaskmgr.exe\r\nProcessHacker.exe\r\nprocexp.exe\r\nSecurity \u0026 Antivirus Processes: Terminating them reduces the risk of VenomRAT being detected or removed by\r\nsecurity software.\r\nMSASCui.exe\r\nMsMpEng.exe\r\nMpUXSrv.exe\r\nMpCmdRun.exe\r\nNisSrv.exe\r\nSystem Configuration Utilities: By targeting these, VenomRAT prevents users from adjusting security settings,\r\ninspecting registry changes, or manually removing the malware.\r\nConfigSecurityPolicy.exe\r\nMSConfig.exe\r\nRegedit.exe\r\nUserAccountControlSettings.exe\r\nTaskkill.exe\r\nIf a matching process is found, it terminates it by its process ID (PID).\r\nThe Camera class is designed to detect webcams on a Windows system by querying the available system devices\r\nusing COM interfaces. It retrieves a list of devices by category, specifically looking for video input devices. The\r\nclass uses the ICreateDevEnum and IPropertyBag interfaces to enumerate and extract the device names.\r\nHowever, both these classes, although absent in AasyncRAT, are not exclusive to VenomRAT only. Apparently\r\nthey are exact copycats of yet another open-source RAT, DcRAT.\r\nAMSI and ETW Bypass\r\nThis class was found only in the VenomRAT sample and is designed to bypass key Windows security mechanisms\r\nthrough in-memory patching. It specifically disables two critical Windows security features: AMSI (Antimalware\r\nScan Interface) and ETW (Event Tracing for Windows), which are often used by antivirus software and\r\nmonitoring tools to detect malware.\r\nKey Functions:\r\nAMSI Bypass: The class patches the AmsiScanBuffer function within amsi.dll to prevent AMSI from\r\nscanning for malicious content.\r\nETW Bypass: The class patches the EtwEventWrite function in ntdll.dll, which stops ETW from logging\r\nevents related to the malware’s activity.\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 5 of 7\n\nThe patching process is performed in-memory. The class dynamically checks the system's architecture (32-bit or\r\n64-bit) and loads the appropriate DLLs (amsi.dll and ntdll.dll) to apply the patches based on the platform. The\r\ntechniques used by VenomRAT closely mirror those found in the SharpSploit project, an open-source tool often\r\nused by penetration testers and red teams to test and bypass security features in a controlled environment.\r\nSharpSploit contains classes for bypassing both AMSI and ETW using similar in-memory patching methods,\r\nwhich likely served as inspiration for VenomRAT's implementation.\r\nThis security bypass functionality makes VenomRAT more capable of evading modern security defenses.\r\nDynamic API resolution\r\nVenomRAT has yet another class which is absent in AsyncRAT. The DInvokeCore class is implemented to\r\ndynamically resolve and call Windows API functions at runtime; this method bypasses traditional static imports,\r\nmaking it harder for antivirus and endpoint detection and response (EDR) systems to detect malicious activity.\r\nInstead of statically importing Windows APIs, the class resolves function addresses at runtime (e.g., from ntdll.dll\r\nor kernel32.dll) using methods like GetLibraryAddress and GetExportAddress. This approach makes it\r\ndifficult for static analysis tools to flag malicious behavior.\r\nIt uses the NtProtectVirtualMemory method to alter memory protection settings, allowing execution of code in\r\nmemory regions that are normally non-executable—an effective method for in-memory execution of malicious\r\npayloads.\r\nImplementation of DInvokeCore closely mirrors the open-source SharpSploit Generic class from the D/Invoke\r\nproject by TheWover. The DInvokeCore class from VenomRAT appears to be a simplified version, which lacks\r\nsome features but has core techniques for dynamic API invocation.\r\nConclusion\r\nOur analysis was sparked by detection vendors grouping VenomRAT and AsyncRAT under the same label,\r\nblurring the lines between the two. While they indeed belong to the QuasarRAT family, they are still different\r\nRATs.\r\nAsyncRAT appears to closely match the latest open-source release (v0.5.8). However, the VenomRAT seems to\r\nhave evolved and added other capabilities, although a lot of them seem to be a copy-paste from another open-source RAT (DcRAT) and the SharpSploit project. Despite this, VenomRAT presents more advanced evasion\r\ntechniques, making it a more sophisticated threat.\r\nTherefore, it’s important for security vendors to treat them as distinct threats, recognizing that VenomRAT brings\r\nmore advanced evasion capabilities, even if much of it isn’t truly unique. To help to resolve this confusion, we are\r\nsharing an updated VenomRAT YARA rule with the community, helping improve detection and response efforts.\r\nRapid7 customers\r\nInsightIDR and Managed Detection and Response (MDR) customers have existing detection coverage through\r\nRapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 6 of 7\n\nhosts to ensure visibility into suspicious processes and proper detection coverage. The following rule will alert on\r\na wide range of malicious hashes tied to behavior in this blog:  Suspicious Process - Malicious Hash On Asset\r\nYARA rule\r\nThe VenomRAT YARA rule can be found on the Rapid7 Labs GitHub here.\r\nSource: https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nhttps://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/" ], "report_names": [ "a-bag-of-rats-venomrat-vs-asyncrat" ], "threat_actors": [ { "id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813", "created_at": "2022-10-25T15:50:23.688973Z", "updated_at": "2026-04-10T02:00:05.390055Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "APT-C-36", "Blind Eagle" ], "source_name": "MITRE:APT-C-36", "tools": [ "Imminent Monitor" ], "source_id": "MITRE", "reports": null }, { "id": "08c8f238-1df5-4e75-b4d8-276ebead502d", "created_at": "2023-01-06T13:46:39.344081Z", "updated_at": "2026-04-10T02:00:03.294222Z", "deleted_at": null, "main_name": "Copy-Paste", "aliases": [], "source_name": "MISPGALAXY:Copy-Paste", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d997a1d5-b410-42c4-a490-90f287ad3034", "created_at": "2024-07-21T02:00:04.751362Z", "updated_at": "2026-04-10T02:00:03.675263Z", "deleted_at": null, "main_name": "Nullbulge", "aliases": [], "source_name": "MISPGALAXY:Nullbulge", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "11c69e3d-a740-4a70-abd3-158ac0375452", "created_at": "2023-01-06T13:46:39.29608Z", "updated_at": "2026-04-10T02:00:03.27813Z", "deleted_at": null, "main_name": "Common Raven", "aliases": [ "NXSMS", "DESKTOP-GROUP", "OPERA1ER" ], "source_name": "MISPGALAXY:Common Raven", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "be597b07-0cde-47bc-80c3-790a8df34af4", "created_at": "2022-10-25T16:07:23.407484Z", "updated_at": "2026-04-10T02:00:04.58656Z", "deleted_at": null, "main_name": "Blind Eagle", "aliases": [ "APT-C-36", "APT-Q-98", "AguilaCiega", "G0099" ], "source_name": "ETDA:Blind Eagle", "tools": [ "AsyncRAT", "BitRAT", "Bladabindi", "BlotchyQuasar", "Imminent Monitor", "Imminent Monitor RAT", "Jorik", "LimeRAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Warzone", "Warzone RAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0", "created_at": "2023-02-18T02:04:24.365926Z", "updated_at": "2026-04-10T02:00:04.792271Z", "deleted_at": null, "main_name": "OPERA1ER", "aliases": [ "Common Raven", "DESKTOP-GROUP", "NXSMS", "Operation Nervone" ], "source_name": "ETDA:OPERA1ER", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Agentemis", "BitRAT", "BlackNET RAT", "Cobalt Strike", "CobaltStrike", "Kasidet", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neutrino Bot", "Neutrino Exploit Kit", "Ngrok", "Origin Logger", "PsExec", "RDPWrap", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revealer Keylogger", "Socmer", "VenomRAT", "ZPAQ", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "bd43391b-b835-4cb3-839a-d830aa1a3410", "created_at": "2023-01-06T13:46:38.925525Z", "updated_at": "2026-04-10T02:00:03.147197Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "Blind Eagle" ], "source_name": "MISPGALAXY:APT-C-36", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434237, "ts_updated_at": 1775792120, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a2f7a228be6b80c13c29b9663a599d734cf75efc.pdf", "text": "https://archive.orkl.eu/a2f7a228be6b80c13c29b9663a599d734cf75efc.txt", "img": "https://archive.orkl.eu/a2f7a228be6b80c13c29b9663a599d734cf75efc.jpg" } }