{
	"id": "c9e64512-0a90-44c0-af98-8ccab1203f39",
	"created_at": "2026-04-06T00:16:11.331976Z",
	"updated_at": "2026-04-10T03:20:57.297245Z",
	"deleted_at": null,
	"sha1_hash": "bd9356ffad4ac794aa09c494341773b756f15d8d",
	"title": "Malware Analysis - AsyncRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1311480,
	"plain_text": "Malware Analysis - AsyncRat\r\nBy Bar Magnezi\r\nPublished: 2025-04-23 · Archived: 2026-04-05 14:39:19 UTC\r\nSample:\r\n17a59db354f270147d5da27aa7978a3c\r\nBackground\r\nAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It provides functionality such as keylogger, remote desktop control, and many other functions. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.\r\nStatic Analysis\r\nFigure 1: Malware Bazaar Entry\r\nThis sample was initially uploaded from the Netherlands and has since spread, with notable activity observed in Israel and the United States.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/AsyncRAT/\r\nPage 1 of 11\r\nFigure 2: First Stage Code\r\nThe first stage uses a relatively simple split and join technique to construct a new string. To disable the original functionality and observe variable values, I modified the code to use console.log, as shown in Figure 3.\r\nFigure 3: Disarmed JS Code\r\nIn addition, I used a neat trick: I opened the browser’s developer tools and ran the code directly there to observe the output, as demonstrated in Figure 4.\r\nFigure 4: Dev Tool Code\r\nThese results uncovered a Pastebin URL used to retrieve the second stage of the malware.\r\nSecond Stage\r\nThe second stage features heavily obfuscated code, containing around 7,500 lines, intended to obstruct analysis and evade detection. As shown in Figure 5, this snippet represents a small segment of the heavily obfuscated code.\r\nFigure 5: Obfuscated Code\r\nThe majority of the obfuscation techniques involved injecting junk code to mask the malware’s original functionality. After removing the junk code, what remained was a simple function that modifies a string and a long string. In the final step, the code is executed using WScript as shown in Figure 6.\r\nFigure 6: Clearing The Code\r\nUsing CyberChef, I was able to replicate the functionality of the previously observed string manipulation. This revealed the type of manipulation applied to the long string: it replaces a specific word with the letter ‘A’ and then decodes the result from Base64.\r\nFigure 7: CyberChef Extraction\r\nNext, I took the long string and applied the manipulation uncovered earlier, which revealed what appears to be a reversed URL, as shown in Figure 8.\r\nFigure 8: CyberChef to decode the string\r\nDownloading the content hosted at that URL revealed a long, reversed Base64-encoded string. After decoding it, a new executable file was uncovered, as shown in Figure 9.\r\nFigure 9: Outputs New EXE\r\nThird Stage\r\nThe third stage of the malware is written in .NET and is most likely the unpacked version of the final payload.\r\nFigure 10: Using Detect it Easy\r\nFigure 11 highlights the capabilities of the RAT, including C2 communication, code execution, debugging features, and more.\r\nFigure 11: Capabilities Of The RAT\r\nGiven that the malware was written in .NET, I used dnSpy to decompile and analyze the code, which allowed me to extract the full configuration, as presented in Figure 12.\r\nFigure 12: Settings Configuration Of AsyncRAT\r\nAs expected from a RAT, it also collects various environment details such as the hostname, user ID, and more.\r\nFigure 13: System Information\r\nDynamic Analysis\r\nOnce executed, the RAT attempts to establish a connection on port 5090 at regular intervals, as observed in TCPView and shown in Figure 14.\r\nFigure 14: TCPView Output\r\nThe network communication can also be observed using Wireshark, providing further insight into the RAT’s connection attempts.\r\nFigure 15: Using Wireshark\r\nIOCs\r\nHash:\r\n17a59db354f270147d5da27aa7978a3c\r\n40fb01ac9879cf7ea9e9a375bd525a66\r\nURL\r\nhxxps://paste[.]ee/d/1Juiw3uF/0\r\nhxxps://paste[.]ee/d/m6drh6pM/0\r\ndeadpoolstart2050[.]duckdns[.]org\r\nCurious about what AsyncRAT looks like from the attacker’s perspective? The following images provide a glimpse into the control panel of the AsyncRAT server, highlighting some of its core functionalities.\r\nFigure 16: RAT GUI\r\nFigure 17: RAT Options\r\nFigure 18: RAT Options\r\nFigure 19: RAT Options\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/AsyncRAT/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/AsyncRAT/"
	],
	"report_names": [
		"AsyncRAT"
	],
	"threat_actors": [],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd9356ffad4ac794aa09c494341773b756f15d8d.pdf",
		"text": "https://archive.orkl.eu/bd9356ffad4ac794aa09c494341773b756f15d8d.txt",
		"img": "https://archive.orkl.eu/bd9356ffad4ac794aa09c494341773b756f15d8d.jpg"
	}
}