{
	"id": "972ddd61-6070-4bbc-b3bd-dd5cf23105dd",
	"created_at": "2026-04-06T01:32:36.334302Z",
	"updated_at": "2026-04-10T03:34:54.822466Z",
	"deleted_at": null,
	"sha1_hash": "b96cb4a2a453e7b5220ef5ab36f9a7a74da35f94",
	"title": "AsyncRAT C2 Framework: Overview, Technical Analysis \u0026 Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4267477,
	"plain_text": "AsyncRAT C2 Framework: Overview, Technical Analysis \u0026\r\nDetection\r\nBy Pawan Kumar N\r\nPublished: 2022-08-16 · Archived: 2026-04-06 00:25:11 UTC\r\nIn this blog we describe the AsyncRAT C2 (command \u0026 control) Framework, which allows attackers to remotely\r\nmonitor and control other computers over a secure encrypted link. We provide an overview of this threat, a\r\ntechnical analysis, and a method of detecting the malware using Qualys Multi-Vector EDR.\r\nAsyncRAT C2 Framework is a Remote Access Trojan (RAT) designed to remotely monitor and control other\r\ncomputers through a secure encrypted connection. Features include keylogging, audio/video recording, info-stealing, remote desktop control, password recovery, launching remote shell, webcam, injecting payloads, among\r\nother functions.\r\nAsyncRAT has been used by various malware campaigns and threat actors in recent exploits. For example, as part\r\nof the Operation Layover campaign that targeted the Aviation industry, TA2541 used infected Word documents\r\nwith themes related to aviation, transportation, and travel to enable downloading the AsyncRAT payload. More\r\nrecently, a campaign using social engineering techniques targeted Thailand pass customers. 
Finally, the Follina\r\nOutbreak in Australia delivered AsyncRAT as a malicious payload.\r\nAsyncRAT can be detected and removed using Qualys Multi-Vector EDR, which is a service of the Qualys Cloud\r\nPlatform.\r\nThreat Overview of AsyncRAT C2 Framework\r\nAliases: Async RAT\r\nTarget Industry Verticals: Aviation, Travel, Hospitality, among others\r\nRegions: Asia, Latin America, North America, South America, Central America\r\nInfection Vectors: Spam/phishing email and spear-phishing\r\nObjective of Malware: Keylogging, data exfiltration, info-stealing, remote shell, remote code execution\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection\r\nPage 1 of 17\n\nFigure 1: Timeline of major AsyncRAT incidents\r\nTechnical Analysis of AsyncRAT C2 Framework\r\nAsyncRAT’s main function enables modules, settings, and flow of code execution. The delay function defines the\r\nsleep duration before execution, which can be modified in each variant (e.g. 3 seconds, 5 seconds, 10 seconds,\r\netc.) while building the payload (see Figure 2).\r\nFigure 2: Main functions of AsyncRAT\r\nInitialize Settings Function\r\nThe Initialize Settings function enables all hardcoded configurations and settings that are predefined while\r\nbuilding the payload (Fig. 3).\r\nFigure 3: Initialization of configuration settings\r\nFigure 4 shows the Initialize Settings function, which also enables decryption of all configuration settings from\r\nthe AES256 algorithm.\r\nFigure 4: Decryption of configuration settings\r\nConfiguration Settings\r\nPorts 8080\r\nHosts malware[.] 
com\r\nVersion 1.5\r\nInstall False\r\nMTX (Mutex) AsyncMutex_6SI8OkPnk\r\nPastebin null\r\nAnti False\r\nBDOS False\r\nVerify Hash Function\r\nThe Verify Hash function reveals if the configurations are valid or not using the server certificate and server\r\nsignature (Fig. 5).\r\nFigure 5: Verify hash function reveals validity of configurations\r\nClient Algorithm\r\nThe client algorithm is a decryption routine for all the hardcoded configurations \u0026 settings. The\r\nRfc2898DeriveBytes API uses the PBKDF2 algorithm. Figure 6 shows the execution of this algorithm.\r\nFigure 6: Client algorithm for decrypting hardcoded configurations and settings\r\nOnce all configuration settings are decrypted, AsyncRAT creates a mutex instance, which creates the mutex value\r\nof “AsyncMutex_6SI8OkPnk” by default. This value can be modified while building new payloads (Fig. 7).\r\nFigure 7: Decryption routine\r\nClient Connection\r\nUsing the “WebClient.DownloadString” API, AsyncRAT can download additional resources and other payloads\r\nfrom pastebin or other domains. 
Figure 8 shows the code used for connecting to a domain via the specified port.\r\nFigure 8: Enabling a C2 connection\r\nClient Helper\r\nAnti-Analysis\r\nAsyncRAT’s Client Helper includes an anti-analysis tool with multiple subfunctions such as:\r\nDetect Manufacturer\r\nDetect Sandbox\r\nIsSmallDisk\r\nIsXP\r\nAnti-Virus Check\r\nFigure 9: Anti-analysis tool enabled in AsyncRAT\r\nDetect Debugger\r\nClient Helper provides a Detect Debugger tool that uses the “CheckRemoteDebuggerPresent” API to check if a\r\nprocess is being debugged (Fig. 10).\r\nFigure 10: Detect debugger tool in Client Helper\r\nDetect Manufacturer\r\nClient Helper’s Detect Manufacturer tool enables anti-virtual machine (VM) techniques by using WMI queries\r\nand checks for keywords like “Microsoft Corporation”, “VIRTUAL”, “VMware”, or “VirtualBox” to detect VM\r\nenvironments.\r\nFor example, Figure 11 shows a query: “Select * from Win32_ComputerSystem”:\r\nFigure 11: Detect VM query in Client Helper\r\nDetect Sandbox\r\nThe Detect Sandbox feature in AsyncRAT’s Client Helper uses the “GetModuleHandle” API to load the\r\n“SbieDll.dll” module to detect a sandbox (Fig. 12).\r\nFigure 12: Detect sandbox feature in Client Helper\r\nIsSmallDisk\r\nAnother Client Helper tool called IsSmallDisk uses the “Path.GetPathRoot” API to check for disk size, since\r\nmost VMs would have a smaller disk size than that used in physical disk drives. 
Figure 13 shows how\r\nIsSmallDisk is enabled.\r\nFigure 13: Detect disk size\r\nIsXP\r\nAnother tool, IsXP, checks whether the operating system used is Windows XP or not. Figure 14 shows how this\r\ntool is enabled.\r\nFigure 14: Detect Windows XP\r\nAntivirus Check\r\nThe Antivirus Check tool in Client Helper uses WMI to check which antivirus product is installed on the system.\r\nFigure 15 shows this being done with the following command: “\\\\root\\SecurityCenter2”, “Select *\r\nAntiVirusProduct”.\r\nFigure 15: Anti-virus check\r\nOnce AsyncRAT performs all the checks and collects the desired information, it sends the data to its C2 server (Fig.\r\n16).\r\nFigure 16: Data exfiltration to C2 server\r\nClient Install\r\nAsyncRAT’s Client Install feature sets up persistence and checks whether the process has admin privileges.\r\nWith admin privileges, it creates a scheduled task that runs every time a user logs on. For example:\r\nCommand: “/c schtasks /create /f /sc onlogon /rl highest /tn”\r\nIf the process reveals there are no admin privileges, a run registry entry is created in reverse order:\r\n“Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run”; it then copies itself into a “%temp%” folder with a\r\ndifferent name and executes from the temp folder via a bat script (Fig. 17).\r\nFigure 17: Enabling persistence checks for admin privileges\r\nFigure 18 shows the bat script being dropped into the “%temp%” folder. 
It self-deletes after execution.\r\nFigure 18: Bat script\r\nThe Client Install tool then creates a run registry entry with the binary name and its full path (Fig. 19):\r\nFigure 19: Run key entry by Client Install tool\r\nKeylogger\r\nAsyncRAT’s Keylogger feature uses the code of the open-source project LimeLogger, which uses APIs like\r\n“GetKeyState” and “GetKeyboardLayout” to capture the keystrokes on the victim machine (Fig. 20).\r\nFigure 20: LimeLogger enabling keylogger feature\r\nThe keylogger takes a snapshot of the keystrokes captured on the victim machine, which can be saved to a text file.\r\nFigure 21 shows a few examples.\r\nFigure 21: Captured keystrokes on victim machine\r\nNative API Methods\r\nRtlSetProcessIsCritical: Used to prevent the termination of the malware process; if it is terminated, the\r\nsystem will crash with a blue screen error\r\nGet Active Window: It uses the “GetForegroundWindow” API to identify the window in which the user is\r\ncurrently working\r\nPrevent Sleep: Use of the “SetThreadExecutionState” API prevents the system from entering sleep mode\r\nServer-Side Features\r\nAsyncRAT’s server interface provides a client tab with details about the victim machine. Figure 22 shows this\r\ndisplay.\r\n1. IP Address of the victim machine\r\n2. HWID: hardware ID of victim machine\r\n3. Username\r\n4. Operating system\r\n5. Privileges: user / admin\r\n6. AV software installed on the system\r\n7. Active Window: window that a user is currently using\r\nFigure 22: Victim machine information\r\nThe AsyncRAT server interface also provides the logs tab, which shows a list of all commands executed and\r\nactions performed on the victim machine (Fig. 
23).\r\nFigure 23: Logs of executed commands\r\nOnce the connection is established, AsyncRAT provides the option of dropping additional payload files into the\r\nmemory or disk of the victim machine (Fig. 24).\r\nMemory: Uses reflective code loading and the RunPE method to load a file into memory\r\nDisk: Just drops an existing file into a particular folder path; if any file is dropped on a victim’s machine,\r\nor if any other commands are sent from the server, those actions are captured under the Tasks tab\r\nFigure 24: Drop files in Memory / Disk\r\nMonitoring Features\r\nRemote Desktop\r\nKeylogger\r\nFile manager\r\nProcess manager\r\nWebcam\r\nMiscellaneous Features \u0026 Plugins\r\nDOS attack\r\n.NET code execution\r\nBot-killer\r\nRemote shell\r\nUSB Spread\r\nMiner\r\nFile Search\r\nChat\r\nSend Message Box\r\nVisit website\r\nGet admin privileges\r\nBlank screen\r\nDisable defender\r\nSet wallpaper\r\nDetection of AsyncRAT using Qualys Multi-Vector EDR\r\nQualys Multi-Vector Endpoint Detection and Response (EDR) is a dynamic detection and response service\r\npowered by the Qualys Cloud Platform. Qualys Multi-Vector EDR detects malware like AsyncRAT C2\r\nFramework by unifying multiple context vectors to spot its insertion into a network endpoint. Qualys Cloud\r\nPlatform provides asset management, vulnerability detection, policy compliance, patch management, and file\r\nintegrity monitoring capabilities – all delivered with a single agent and cloud-based delivery for a lower total cost\r\nof ownership.\r\nQualys Multi-Vector EDR provides real-time insights as an attacker attempts to breach an organization’s\r\ncybersecurity controls. 
For example, Figure 25 shows a process tree for how AsyncRAT is creating a copy of itself\r\ninto a “%temp%” folder.\r\nFigure 25: Qualys EDR process tree for AsyncRAT attack\r\nFigure 26 shows the command line arguments of cmd.exe executing a bat script dropped into the “%temp%”\r\nfolder.\r\nFigure 26: Command line arguments of cmd.exe\r\nFigures 27 and 28 show other insights from Qualys Multi-Vector EDR as it detects the AsyncRAT with a threat\r\nscore of 9/10.\r\nFigure 27: Process creation with Qualys Multi-Vector EDR\r\nFigure 28: Detection of run registry entry with Qualys Multi-Vector EDR\r\nMITRE ATT\u0026CK® Mapping\r\nFor security organizations who have adopted the MITRE ATT\u0026CK® framework, Qualys Multi-Vector EDR maps\r\ndirectly to its knowledge base of adversary tactics and techniques based on real-world observations. 
The MITRE\r\nATT\u0026CK knowledge base is used as a foundation for the development of specific threat models and\r\nmethodologies in the private sector, government, and cybersecurity vendor community.\r\nHere is a list of MITRE ATT\u0026CK TTPs that an unmodified version of AsyncRAT implements:\r\nScheduled Task/Job: Scheduled Task, Sub-technique T1053.005 – Enterprise | MITRE ATT\u0026CK®\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 –\r\nEnterprise | MITRE ATT\u0026CK\r\nVirtualization/Sandbox Evasion, Technique T1497 – Enterprise | MITRE ATT\u0026CK®\r\nDefense Evasion, Tactic TA0005 – Enterprise | MITRE ATT\u0026CK®\r\nExfiltration Over C2 Channel, Technique T1041 – Enterprise | MITRE ATT\u0026CK®\r\nAcquire Infrastructure: Web Services, Sub-technique T1583.006 – Enterprise | MITRE ATT\u0026CK®\r\nPersistence, Tactic TA0003 – Enterprise | MITRE ATT\u0026CK®\r\nInput Capture: Keylogging, Sub-technique T1056.001 – Enterprise | MITRE ATT\u0026CK®\r\nNative API, Technique T1106 – Enterprise | MITRE ATT\u0026CK®\r\nRemote Services: Remote Desktop Protocol, Sub-technique T1021.001 – Enterprise | MITRE ATT\u0026CK®\r\nVideo Capture, Technique T1125 – Enterprise | MITRE ATT\u0026CK®\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/08/16/asyncrat-c2-framework-overview-technical-analysis-and-detection"
	],
	"report_names": [
		"asyncrat-c2-framework-overview-technical-analysis-and-detection"
	],
	"threat_actors": [
		{
			"id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae",
			"created_at": "2022-10-25T16:07:23.96921Z",
			"updated_at": "2026-04-10T02:00:04.812941Z",
			"deleted_at": null,
			"main_name": "Operation Layover",
			"aliases": [],
			"source_name": "ETDA:Operation Layover",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"CyberGate",
				"CyberGate RAT",
				"Jorik",
				"Rebhip",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b96cb4a2a453e7b5220ef5ab36f9a7a74da35f94.pdf",
		"text": "https://archive.orkl.eu/b96cb4a2a453e7b5220ef5ab36f9a7a74da35f94.txt",
		"img": "https://archive.orkl.eu/b96cb4a2a453e7b5220ef5ab36f9a7a74da35f94.jpg"
	}
}