SYMBOLCOMMON_NAMEaka. SYNONYMS
win.asyncrat (Back to overview)

AsyncRAT


There is no description at this point.

References
2021-09-16CiscoTiago Pereira, Vitor Ventura
@online{pereira:20210916:operation:133992d, author = {Tiago Pereira and Vitor Ventura}, title = {{Operation Layover: How we tracked an attack on the aviation industry to five years of compromise}}, date = {2021-09-16}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html}, language = {English}, urldate = {2021-09-19} } Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
AsyncRAT Houdini NjRAT
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-19TalosAsheer Malhotra, Vitor Ventura, Vanja Svajcer
@online{malhotra:20210819:malicious:e04d4c9, author = {Asheer Malhotra and Vitor Ventura and Vanja Svajcer}, title = {{Malicious Campaign Targets Latin America: The seller, The operator and a curious link}}, date = {2021-08-19}, organization = {Talos}, url = {https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html}, language = {English}, urldate = {2021-08-30} } Malicious Campaign Targets Latin America: The seller, The operator and a curious link
AsyncRAT NjRAT
2021-07-30Menlo SecurityMENLO Security
@online{security:20210730:isomorph:83956a0, author = {MENLO Security}, title = {{ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign}}, date = {2021-07-30}, organization = {Menlo Security}, url = {https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/}, language = {English}, urldate = {2021-08-02} } ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign
AsyncRAT NjRAT
2021-07-19BitdefenderBitdefender
@techreport{bitdefender:20210719:debugging:48353a0, author = {Bitdefender}, title = {{Debugging MosaicLoader, One Step at a Time}}, date = {2021-07-19}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf}, language = {English}, urldate = {2021-07-20} } Debugging MosaicLoader, One Step at a Time
AsyncRAT Glupteba
2021-07-12IBMMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:1f66418, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {IBM}, url = {https://securityintelligence.com/posts/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-07-12Cipher Tech SolutionsMelissa Frydrych, Claire Zaboeva, Dan Dash
@online{frydrych:20210712:roboski:a3c66bf, author = {Melissa Frydrych and Claire Zaboeva and Dan Dash}, title = {{RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation}}, date = {2021-07-12}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/roboski-global-recovery-automation/}, language = {English}, urldate = {2021-07-20} } RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation
404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos
2021-06-27FortinetGayathri Thirugnanasambandam
@online{thirugnanasambandam:20210627:spear:86cdf6a, author = {Gayathri Thirugnanasambandam}, title = {{Spear Phishing Campaign with New Techniques Aimed at Aviation Companies}}, date = {2021-06-27}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies}, language = {English}, urldate = {2021-06-29} } Spear Phishing Campaign with New Techniques Aimed at Aviation Companies
AsyncRAT
2021-05-14MorphisecArnold Osipov
@online{osipov:20210514:ahk:2da8d24, author = {Arnold Osipov}, title = {{AHK RAT Loader Used in Unique Delivery Campaigns}}, date = {2021-05-14}, organization = {Morphisec}, url = {https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns}, language = {English}, urldate = {2021-05-17} } AHK RAT Loader Used in Unique Delivery Campaigns
AsyncRAT Houdini Revenge RAT
2021-05-11Twitter (@MsftSecIntel)Microsoft Security Intelligence
@online{intelligence:20210511:snip3:69a4650, author = {Microsoft Security Intelligence}, title = {{Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla}}, date = {2021-05-11}, organization = {Twitter (@MsftSecIntel)}, url = {https://twitter.com/MsftSecIntel/status/1392219299696152578}, language = {English}, urldate = {2021-05-13} } Tweet on Snip3 crypter delivering AsyncRAT or AgentTesla
Agent Tesla AsyncRAT
2021-05-07MorphisecNadav Lorber
@online{lorber:20210507:revealing:add3b8a, author = {Nadav Lorber}, title = {{Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader}}, date = {2021-05-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader}, language = {English}, urldate = {2021-05-13} } Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
Agent Tesla AsyncRAT NetWire RC Revenge RAT
2021-05-05ZscalerAniruddha Dolas, Mohd Sadique, Manohar Ghule
@online{dolas:20210505:catching:ace83fc, author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule}, title = {{Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats}}, date = {2021-05-05}, organization = {Zscaler}, url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols}, language = {English}, urldate = {2021-05-08} } Catching RATs Over Custom Protocols Analysis of top non-HTTP/S threats
Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos
2021-03-16MorphisecNadav Lorber
@online{lorber:20210316:tracking:2d8ef0b, author = {Nadav Lorber}, title = {{Tracking HCrypt: An Active Crypter as a Service}}, date = {2021-03-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service}, language = {English}, urldate = {2021-05-13} } Tracking HCrypt: An Active Crypter as a Service
AsyncRAT LimeRAT Remcos
2021-02-25IntezerIntezer
@techreport{intezer:20210225:year:eb47cd1, author = {Intezer}, title = {{Year of the Gopher A 2020 Go Malware Round-Up}}, date = {2021-02-25}, institution = {Intezer}, url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf}, language = {English}, urldate = {2021-06-30} } Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy
2021-02-19K7 SecurityPartheeban J
@online{j:20210219:github:4fa7b0e, author = {Partheeban J}, title = {{GitHub – Home to AsyncRAT Backdoor}}, date = {2021-02-19}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21759}, language = {English}, urldate = {2021-03-31} } GitHub – Home to AsyncRAT Backdoor
AsyncRAT
2021-01-11ESET ResearchMatías Porolli
@online{porolli:20210111:operation:409662d, author = {Matías Porolli}, title = {{Operation Spalax: Targeted malware attacks in Colombia}}, date = {2021-01-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/}, language = {English}, urldate = {2021-01-18} } Operation Spalax: Targeted malware attacks in Colombia
Agent Tesla AsyncRAT NjRAT Remcos
2020-12-10Intel 471Intel 471
@online{471:20201210:no:9fd2ae1, author = {Intel 471}, title = {{No pandas, just people: The current state of China’s cybercrime underground}}, date = {2020-12-10}, organization = {Intel 471}, url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/}, language = {English}, urldate = {2020-12-10} } No pandas, just people: The current state of China’s cybercrime underground
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-12-10JPCERT/CCKota Kino
@online{kino:20201210:attack:cd8c552, author = {Kota Kino}, title = {{Attack Activities by Quasar Family}}, date = {2020-12-10}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html}, language = {English}, urldate = {2020-12-10} } Attack Activities by Quasar Family
AsyncRAT Quasar RAT Venom RAT XPCTRA
2020-11-03Kaspersky LabsGReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-09-21QianxinRedDrip Team
@techreport{team:20200921:operation:730163c, author = {RedDrip Team}, title = {{Operation Tibo: A retaliatory targeted attack from the South Asian APT organization "Mo Luo Suo"}}, date = {2020-09-21}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf}, language = {Chinese}, urldate = {2021-03-12} } Operation Tibo: A retaliatory targeted attack from the South Asian APT organization "Mo Luo Suo"
AsyncRAT Darktrack RAT
2020-08-26ProofpointProofpoint Threat Research Team
@online{team:20200826:threat:e6d1646, author = {Proofpoint Threat Research Team}, title = {{Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages}}, date = {2020-08-26}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages}, language = {English}, urldate = {2020-09-01} } Threat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages
AsyncRAT Nanocore RAT
2020-07-30SpamhausSpamhaus Malware Labs
@techreport{labs:20200730:spamhaus:038546d, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q2 2020}}, date = {2020-07-30}, institution = {Spamhaus}, url = {https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf}, language = {English}, urldate = {2020-07-30} } Spamhaus Botnet Threat Update Q2 2020
AdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos Zloader
2019-01-19Github (NYAN-x-CAT)NYAN-x-CAT
@online{nyanxcat:20190119:asyncrat:8df5e7e, author = {NYAN-x-CAT}, title = {{AsyncRAT: Open-Source Remote Administration Tool For Windows C# (RAT)}}, date = {2019-01-19}, organization = {Github (NYAN-x-CAT)}, url = {https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/}, language = {English}, urldate = {2020-01-08} } AsyncRAT: Open-Source Remote Administration Tool For Windows C# (RAT)
AsyncRAT
Yara Rules
[TLP:WHITE] win_asyncrat_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_asyncrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 03c0 01ff 03b701ff03cb 01ff 03cc 01ff 03cb }
            // n = 7, score = 100
            //   03c0                 | add                 eax, eax
            //   01ff                 | add                 edi, edi
            //   03b701ff03cb         | add                 esi, dword ptr [edi - 0x34fc00ff]
            //   01ff                 | add                 edi, edi
            //   03cc                 | add                 ecx, esp
            //   01ff                 | add                 edi, edi
            //   03cb                 | add                 ecx, ebx

        $sequence_1 = { 03bd01ff03cc 01ff 03e7 01ff 01e5 02e6 01ff }
            // n = 7, score = 100
            //   03bd01ff03cc         | add                 edi, dword ptr [ebp - 0x33fc00ff]
            //   01ff                 | add                 edi, edi
            //   03e7                 | add                 esp, edi
            //   01ff                 | add                 edi, edi
            //   01e5                 | add                 ebp, esp
            //   02e6                 | add                 ah, dh
            //   01ff                 | add                 edi, edi

        $sequence_2 = { 01ff 03e3 01ff 03e1 01ff }
            // n = 5, score = 100
            //   01ff                 | add                 edi, edi
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e1                 | add                 esp, ecx
            //   01ff                 | add                 edi, edi

        $sequence_3 = { 019c016e018201 8601 f1 019301e001fd }
            // n = 4, score = 100
            //   019c016e018201       | add                 dword ptr [ecx + eax + 0x182016e], ebx
            //   8601                 | xchg                byte ptr [ecx], al
            //   f1                   | int1                
            //   019301e001fd         | add                 dword ptr [ebx - 0x2fe1fff], edx

        $sequence_4 = { f8 01ff 018501d601f9 01ff }
            // n = 4, score = 100
            //   f8                   | clc                 
            //   01ff                 | add                 edi, edi
            //   018501d601f9         | add                 dword ptr [ebp - 0x6fe29ff], eax
            //   01ff                 | add                 edi, edi

        $sequence_5 = { 018101cf01f0 01ff 018801d101f1 01ff }
            // n = 4, score = 100
            //   018101cf01f0         | add                 dword ptr [ecx - 0xffe30ff], eax
            //   01ff                 | add                 edi, edi
            //   018801d101f1         | add                 dword ptr [eax - 0xefe2eff], ecx
            //   01ff                 | add                 edi, edi

        $sequence_6 = { 01ff 018501d301f3 01ff 018c01d601f501 }
            // n = 4, score = 100
            //   01ff                 | add                 edi, edi
            //   018501d301f3         | add                 dword ptr [ebp - 0xcfe2cff], eax
            //   01ff                 | add                 edi, edi
            //   018c01d601f501       | add                 dword ptr [ecx + eax + 0x1f501d6], ecx

        $sequence_7 = { 018e01d801f8 01ff 018b01d601f7 01ff }
            // n = 4, score = 100
            //   018e01d801f8         | add                 dword ptr [esi - 0x7fe27ff], ecx
            //   01ff                 | add                 edi, edi
            //   018b01d601f7         | add                 dword ptr [ebx - 0x8fe29ff], ecx
            //   01ff                 | add                 edi, edi

        $sequence_8 = { 03e3 01ff 03e3 01ff 03e2 01ff 03e2 }
            // n = 7, score = 100
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e3                 | add                 esp, ebx
            //   01ff                 | add                 edi, edi
            //   03e2                 | add                 esp, edx
            //   01ff                 | add                 edi, edi
            //   03e2                 | add                 esp, edx

        $sequence_9 = { db01 ff03 da01 ff03 }
            // n = 4, score = 100
            //   db01                 | fild                dword ptr [ecx]
            //   ff03                 | inc                 dword ptr [ebx]
            //   da01                 | fiadd               dword ptr [ecx]
            //   ff03                 | inc                 dword ptr [ebx]

    condition:
        7 of them and filesize < 2605056
}
[TLP:WHITE] win_asyncrat_w0   (20201006 | detect AsyncRat in memory)
rule win_asyncrat_w0 { 
    meta: 
        description = "detect AsyncRat in memory"
        author = "JPCERT/CC Incident Response Group"
        rule_usage = "memory scan"
        reference = "internal research"
        hash = "1167207bfa1fed44e120dc2c298bd25b7137563fdc9853e8403027b645e52c19"
        hash = "588c77a3907163c3c6de0e59f4805df41001098a428c226f102ed3b74b14b3cc"
        source = "https://github.com/JPCERTCC/MalConfScan/blob/master/yara/rule.yara"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
        malpedia_rule_date = "20201006"
        malpedia_hash = ""
        malpedia_version = "20201006"
        malpedia_license = "CC NC-BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $salt = {BF EB 1E 56 FB CD 97 3B B2 19 02 24 30 A5 78 43 00 3D 56 44 D2 1E 62 B9 D4 F1 80 E7 E6 C3 39 41}
        $b1 = {00 00 00 0D 53 00 48 00 41 00 32 00 35 00 36 00 00} $b2 = {09 50 00 6F 00 6E 00 67 00 00}
        $s1 = "pastebin" ascii wide nocase
        $s2 = "pong" wide $s3 = "Stub.exe" ascii wide
        
    condition: 
        ($salt and (2 of ($s*) or 1 of ($b*))) or (all of ($b*) and 2 of ($s*))
}
Download all Yara Rules