SYMBOLCOMMON_NAMEaka. SYNONYMS
win.asyncrat (Back to overview)

AsyncRAT

VTCollection    

AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.

References
2024-10-16ThreatMonAziz Kaplan, ThreatMon, ThreatMon Malware Research Team
X-ZIGZAG Technical Malware Analysis Report
AsyncRAT X-ZIGZAG
2024-07-17Huntress LabsAlden Schmidt, Greg Linares, Matt Anderson
Fake Browser Updates Lead to BOINC Volunteer Computing Software
FAKEUPDATES MintsLoader AsyncRAT
2024-07-16Sentinel LABSJim Walter
NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI
AsyncRAT LockBit XWorm Nullbulge
2024-07-09SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update January to June 2024
Coper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT QakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver
2024-05-14Check Point ResearchAntonis Terefos, Tera0017
Foxit PDF “Flawed Design” Exploitation
Rafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm
2024-04-20Axel's IT Security ResearchAxel Mahr
New Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers
AsyncRAT DCRat Venom RAT
2024-04-13cyber5wcyber5w, M4lcode
Analysis of malicious Microsoft office macros
AsyncRAT Ave Maria
2024-04-11Github (jeFF0Falltrades)Jeff Archer
Rat King Configuration Parser
AsyncRAT DCRat Quasar RAT Venom RAT
2024-02-09CensysCensys, Embee_research
A Beginners Guide to Tracking Malware Infrastructure
AsyncRAT BianLian Cobalt Strike QakBot
2024-01-25JSAC 2024Masafumi Takeda, Tomoya Furukawa
Threat Intelligence of Abused Public Post-Exploitation Frameworks
AsyncRAT DCRat Empire Downloader GRUNT Havoc Koadic Merlin PoshC2 Quasar RAT Sliver
2024-01-15DFIR.chStephan Berger
Hunting AsyncRAT & QuasarRAT
AsyncRAT Quasar RAT
2024-01-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q4 2023
FluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer Meterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver
2024-01-09Recorded FutureInsikt Group
2023 Adversary Infrastructure Report
AsyncRAT Cobalt Strike Emotet PlugX ShadowPad
2024-01-05AlienLabsFernando Martinez
AsyncRAT loader: Obfuscation, DGAs, decoys and Govno
MintsLoader AsyncRAT
2023-12-13cocomelonccocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer
2023-12-12Check Point ResearchCheck Point
November 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus
FAKEUPDATES AsyncRAT
2023-12-02openhunting.ioopenhunting.io
Threat Hunting Malware Infrastructure
VBREVSHELL AsyncRAT
2023-11-01Twitter (@embee_research)Embee_research
Malware Unpacking With Memory Dumps - Intermediate Methods (Pe-Sieve, Process Hacker, Hxd and Pe-bear)
AsyncRAT
2023-10-30Twitter (@embee_research)Embee_research
Unpacking .NET Malware With Process Hacker and Dnspy
AsyncRAT
2023-10-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2023
FluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar
2023-09-08Gi7w0rm
Uncovering DDGroup — A long-time threat actor
AsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm
2023-07-20GatewatcherGatewatcher
zip-files-make-it-bigger-to-avoid-edr-detection
AsyncRAT
2023-07-11SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2023
Hydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee
2023-06-08Twitter (@embee_research)Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker
2023-05-19cocomelonccocomelonc
Malware source code investigation: AsyncRAT
AsyncRAT
2023-05-09Huntress LabsMatthew Brennan
Advanced Cyberchef Tips - AsyncRAT Loader
AsyncRAT
2023-04-12SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar
2023-04-08kienmanowar Blogm4n0w4r, Tran Trung Kien
[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam
AsyncRAT DCRat WorldWind
2023-03-30loginsoftSaharsh Agrawal
From Innocence to Malice: The OneNote Malware Campaign Uncovered
Agent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine Stealer XWorm
2023-03-27splunkSplunk Threat Research Team
AsyncRAT Crusade: Detections and Defense
AsyncRAT
2023-03-15Lab52Lab52
APT-C-36: from NjRAT to LimeRAT
AsyncRAT NjRAT
2023-03-01ZscalerMeghraj Nandanwar, Shatak Jain
OneNote: A Growing Threat for Malware Distribution
AsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer
2023-02-27BlackberryBlackBerry Research & Intelligence Team
Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities
AsyncRAT APT-C-36
2023-02-11@0xToxin
AsyncRAT OneNote Dropper
AsyncRAT
2023-02-08Huntress LabsMichael Elford
AsyncRAT: Analysing the Three Stages of Execution
AsyncRAT
2023-01-04cocomelonc
Malware development tricks: part 26. Mutex. C++ example.
AsyncRAT Conti HelloKitty
2022-12-06360 Threat Intelligence Center360 Beacon Lab
Analysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism
AhMyth Meterpreter SpyNote AsyncRAT
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-06Check PointCheck Point Research
DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
AsyncRAT Meterpreter PoshC2 DangerousSavanna
2022-08-29360 netlabwanghao
PureCrypter Loader continues to be active and has spread to more than 10 other families
404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer
2022-08-29NetskopeGustavo Palazolo
AsyncRAT: Using Fully Undetected Downloader
AsyncRAT
2022-08-18ProofpointJoe Wise, Proofpoint Threat Research Team, Selena Larson
Reservations Requested: TA558 Targets Hospitality and Travel
AsyncRAT Loda NjRAT Ozone RAT Revenge RAT Vjw0rm
2022-08-17SecureworksCounter Threat Unit ResearchTeam
DarkTortilla Malware Analysis
Agent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer
2022-08-16QualysPawan Kumar N
AsyncRAT C2 Framework: Overview, Technical Analysis & Detection
AsyncRAT
2022-07-17ResecurityResecurity
Shortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise
AsyncRAT BumbleBee Emotet IcedID QakBot
2022-07-15HPPatrick Schläpfer
Stealthy OpenDocument Malware Deployed Against Latin American Hotels
AsyncRAT
2022-07-13TrellixMohsin Dalla, Sushant Kumar Arya
Targeted Attack on Government Agencies
AsyncRAT LimeRAT
2022-06-08SymantecKarthikeyan C Kasiviswanathan, Yuvaraj Megavarnadu
Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer
AsyncRAT
2022-06-03AvastThreat Intelligence Team
Outbreak of Follina in Australia
AsyncRAT
2022-06-03Avast DecodedThreat Intelligence Team
Outbreak of Follina in Australia
AsyncRAT APT40
2022-06-02FortiGuard LabsFred Gutierrez, Gergely Revay, James Slaughter, Shunichi Imano
Threat Actors Prey on Eager Travelers
AsyncRAT NetWire RC Quasar RAT
2022-06-01Github (jstnk9)Jose Luis Sánchez Martínez
Analyzing AsyncRAT distributed in Colombia
AsyncRAT
2022-05-19BlackberryThe BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate
2022-05-12MorphisecHido Cohen
New SYK Crypter Distributed Via Discord
AsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer
2022-05-11HPHP Wolf Security
Threat Insights Report Q1 - 2022
AsyncRAT Emotet Mekotio Vjw0rm
2022-05-06Mitchell's MusingsAiden Mitchell
Attempted AsyncRAT via .vbs
AsyncRAT
2022-05-02eSentireeSentire Threat Response Unit (TRU)
AsyncRAT Activity
AsyncRAT
2022-04-28vx-undergroundTwitter (@vxunderground)
Tweet on leaked Prynt Stealer source code and similarity to AyncRAT
AsyncRAT Prynt Stealer
2022-04-27ZscalerBrett Stone-Gross, Dennis Schwarz
Targeted attack on Thailand Pass customers delivers AsyncRAT
AsyncRAT
2022-04-27TrendmicroDaniel Lunghi, Jaromír Hořejší
Operation Gambling Puppet
reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka
2022-04-27TrendmicroTrendmicro
IOCs for Earth Berberoka - Windows
AsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka
2022-04-27Trend MicroDaniel Lunghi, Jaromír Hořejší
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
HelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka
2022-04-26Trend MicroLord Alfred Remorin, Ryan Flores, Stephen Hilt
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-04-19RiskIQJennifer Grob
RiskIQ: Legitimate WordPress Site Hosts Malicious Content
AsyncRAT
2022-04-05Cisco TalosAlex Karkins, Edmund Brumaghin
Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter
AsyncRAT LimeRAT
2022-03-31eSentireeSentire Threat Response Unit (TRU)
Suspected AsyncRAT Delivered via ISO Files Using HTML Smuggling Technique
AsyncRAT
2022-03-12Brian Stadnicki
AsyncRAT RCE vulnerability
AsyncRAT
2022-03-01VirusTotalVirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-22NCSC SwitzerlandNCSC Switzerland
Week 7: Supposed order confirmation delivers malware and new variants in fake extortion emails
AsyncRAT
2022-02-16Abdallah Elnoty
Playing with AsyncRAT
AsyncRAT
2022-02-15ProofpointJoe Wise, Selena Larson
Charting TA2541's Flight
AsyncRAT TA2541
2022-02-15Threat PostElizabeth Montalbano
TA2541: APT Has Been Shooting RATs at Aviation for Years
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-15BleepingComputerIonut Ilascu
Unskilled hacker linked to years of attacks on aviation, transport sectors
AsyncRAT Houdini NetWire RC Parallax RAT
2022-02-14MorphisecArnold Osipov, Hido Cohen
Journey of a Crypto Scammer - NFT-001
AsyncRAT BitRAT Remcos
2022-02-07RiskIQRiskIQ
RiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates
AsyncRAT BitRAT Nanocore RAT
2022-01-26The Hacker NewsRavie Lakshmanan
Hackers Using New Evasive Technique to Deliver AsyncRAT Malware
AsyncRAT
2022-01-25MorphisecMichael Dereviashkin
New Threat Campaign Identified: AsyncRAT Introduces a New Delivery Technique
AsyncRAT
2022-01-12CiscoChetan Raghuprasad, Vanja Svajcer
Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
AsyncRAT Nanocore RAT NetWire RC
2021-12-29Github (jeFF0Falltrades)Jeff Archer
AsyncRAT Configuration Parser
AsyncRAT
2021-12-13RiskIQJordan Herman
RiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure
AsyncRAT Nanocore RAT NetWire RC Vjw0rm
2021-11-29Trend MicroJaromír Hořejší
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
AsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos
2021-11-11MicrosoftMicrosoft 365 Defender Threat Intelligence Team
HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks
AsyncRAT Mekotio NjRAT
2021-10-26KasperskyKaspersky Lab ICS CERT
APT attacks on industrial organizations in H1 2021
8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad Zebrocy
2021-10-15ESET ResearchESET Research
Tweet on a malicious campaign targeting governmental and education entities in Colombia using multiple stages to drop AsyncRAT or njRAT Keylogger on their victims
AsyncRAT NjRAT
2021-09-16CiscoTiago Pereira, Vitor Ventura
Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
AsyncRAT Houdini NjRAT
2021-09-13Trend MicroDaniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroDaniel Lunghi, Jaromír Hořejší
APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-19TalosAsheer Malhotra, Vanja Svajcer, Vitor Ventura
Malicious Campaign Targets Latin America: The seller, The operator and a curious link
AsyncRAT NjRAT
2021-07-30Menlo SecurityMENLO Security
ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
AsyncRAT NjRAT
2021-07-19BitdefenderBitdefender
Debugging MosaicLoader, One Step at a Time
AsyncRAT Glupteba
2021-07-12IBMClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsClaire Zaboeva, Dan Dash, Melissa Frydrych
RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-06-27FortinetGayathri Thirugnanasambandam
Spear Phishing Campaign with New Techniques Aimed at Aviation Companies
AsyncRAT
2021-05-14MorphisecArnold Osipov
AHK RAT Loader Used in Unique Delivery Campaigns
AsyncRAT Houdini Revenge RAT
2021-05-11Twitter (@MsftSecIntel)Microsoft Security Intelligence
Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla
Agent Tesla AsyncRAT
2021-05-07MorphisecNadav Lorber
Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Manohar Ghule, Mohd Sadique
Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-03-16MorphisecNadav Lorber
Tracking HCrypt: An Active Crypter as a Service
AsyncRAT LimeRAT Remcos
2021-02-25IntezerIntezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-19K7 SecurityPartheeban J
GitHub – Home to AsyncRAT Backdoor
AsyncRAT
2021-01-11ESET ResearchMatías Porolli
Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2020-12-10Intel 471Intel 471
No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10JPCERT/CCKota Kino
Attack Activities by Quasar Family
AsyncRAT Quasar RAT Venom RAT XPCTRA
2020-11-03Kaspersky LabsGReAT
APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-19Red Sky AllianceYury Polozov
Possible Identity of a Kuwaiti Hacker NYANxCAT
AsyncRAT
2020-09-21QianxinRedDrip Team
Operation Tibo: A retaliatory targeted attack from the South Asian APT organization "Mo Luo Suo"
AsyncRAT Darktrack RAT
2020-08-26ProofpointProofpoint Threat Research Team
Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages
AsyncRAT Nanocore RAT TA2719
2020-07-30SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2019-11-19VMWare Carbon BlackVMWare
Threat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT
AsyncRAT
2019-01-19Github (NYAN-x-CAT)NYAN-x-CAT
AsyncRAT: Open-Source Remote Administration Tool For Windows C# (RAT)
AsyncRAT
Yara Rules
[TLP:WHITE] win_asyncrat_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_asyncrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03c0 01ff 03b701ff03cb 01ff 03cc 01ff 03cb }
            // n = 7, score = 100
            //   03c0                 | add                 eax, eax
            //   01ff                 | add                 edi, edi
            //   03b701ff03cb         | add                 esi, dword ptr [edi - 0x34fc00ff]
            //   01ff                 | add                 edi, edi
            //   03cc                 | add                 ecx, esp
            //   01ff                 | add                 edi, edi
            //   03cb                 | add                 ecx, ebx

        $sequence_1 = { 03bd01ff03cc 01ff 03e7 01ff 01e5 02e6 01ff }
            // n = 7, score = 100
            //   03bd01ff03cc         | add                 edi, dword ptr [ebp - 0x33fc00ff]
            //   01ff                 | add                 edi, edi
            //   03e7                 | add                 esp, edi
            //   01ff                 | add                 edi, edi
            //   01e5                 | add                 ebp, esp
            //   02e6                 | add                 ah, dh
            //   01ff                 | add                 edi, edi

        $sequence_2 = { 01ff 03e3 01ff 03e1 01ff }
            // n = 5, score = 100
            //   01ff                 | add                 edi, edi
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e1                 | add                 esp, ecx
            //   01ff                 | add                 edi, edi

        $sequence_3 = { 019c016e018201 8601 f1 019301e001fd }
            // n = 4, score = 100
            //   019c016e018201       | add                 dword ptr [ecx + eax + 0x182016e], ebx
            //   8601                 | xchg                byte ptr [ecx], al
            //   f1                   | int1                
            //   019301e001fd         | add                 dword ptr [ebx - 0x2fe1fff], edx

        $sequence_4 = { f8 01ff 018501d601f9 01ff }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   01ff                 | add                 edi, edi
            //   018501d601f9         | add                 dword ptr [ebp - 0x6fe29ff], eax
            //   01ff                 | add                 edi, edi

        $sequence_5 = { 018101cf01f0 01ff 018801d101f1 01ff }
            // n = 4, score = 100
            //   018101cf01f0         | add                 dword ptr [ecx - 0xffe30ff], eax
            //   01ff                 | add                 edi, edi
            //   018801d101f1         | add                 dword ptr [eax - 0xefe2eff], ecx
            //   01ff                 | add                 edi, edi

        $sequence_6 = { 01ff 018501d301f3 01ff 018c01d601f501 }
            // n = 4, score = 100
            //   01ff                 | add                 edi, edi
            //   018501d301f3         | add                 dword ptr [ebp - 0xcfe2cff], eax
            //   01ff                 | add                 edi, edi
            //   018c01d601f501       | add                 dword ptr [ecx + eax + 0x1f501d6], ecx

        $sequence_7 = { 018e01d801f8 01ff 018b01d601f7 01ff }
            // n = 4, score = 100
            //   018e01d801f8         | add                 dword ptr [esi - 0x7fe27ff], ecx
            //   01ff                 | add                 edi, edi
            //   018b01d601f7         | add                 dword ptr [ebx - 0x8fe29ff], ecx
            //   01ff                 | add                 edi, edi

        $sequence_8 = { 03e3 01ff 03e3 01ff 03e2 01ff 03e2 }
            // n = 7, score = 100
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e2                 | add                 esp, edx
            //   01ff                 | add                 edi, edi
            //   03e2                 | add                 esp, edx

        $sequence_9 = { db01 ff03 da01 ff03 }
            // n = 4, score = 100
            //   db01                 | fild                dword ptr [ecx]
            //   ff03                 | inc                 dword ptr [ebx]
            //   da01                 | fiadd               dword ptr [ecx]
            //   ff03                 | inc                 dword ptr [ebx]

    condition:
        7 of them and filesize < 2605056
}
[TLP:WHITE] win_asyncrat_w0   (20201006 | detect AsyncRat in memory)
rule win_asyncrat_w0 { 
    meta: 
        description = "detect AsyncRat in memory"
        author = "JPCERT/CC Incident Response Group"
        rule_usage = "memory scan"
        reference = "internal research"
        hash = "1167207bfa1fed44e120dc2c298bd25b7137563fdc9853e8403027b645e52c19"
        hash = "588c77a3907163c3c6de0e59f4805df41001098a428c226f102ed3b74b14b3cc"
        source = "https://github.com/JPCERTCC/MalConfScan/blob/master/yara/rule.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
        malpedia_rule_date = "20201006"
        malpedia_hash = ""
        malpedia_version = "20201006"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $salt = {BF EB 1E 56 FB CD 97 3B B2 19 02 24 30 A5 78 43 00 3D 56 44 D2 1E 62 B9 D4 F1 80 E7 E6 C3 39 41}
        $b1 = {00 00 00 0D 53 00 48 00 41 00 32 00 35 00 36 00 00} $b2 = {09 50 00 6F 00 6E 00 67 00 00}
        $s1 = "pastebin" ascii wide nocase
        $s2 = "pong" wide $s3 = "Stub.exe" ascii wide
        
    condition: 
        ($salt and (2 of ($s*) or 1 of ($b*))) or (all of ($b*) and 2 of ($s*))
}
Download all Yara Rules