asyncrat: abf498a1 — Kiro-masquerade .NET 4 Client build, stripped keylogger
Executive Summary
A 47 KB PE32 .NET assembly masquerading as "Kiro Setup" from "Amazon Web Services." It is a stripped-down asyncrat client: same MessagePackLib wire format, AES-256 + HMAC-SHA256 crypto, SSL/TLS C2, and anti-analysis checks as the sibling cluster, but the keylogger module (LowLevelKeyboardProc, offlineKL) and clipboard hooks seen in 045c7c54 are absent. Compilation timestamp 2023-10-16. No CAPE detonation available (static-only inference).
What It Is
- File: `KIRO-AI.exe` — 47,104 bytes, PE32 GUI, 3 sections (`.text`, `.rsrc`, `.reloc`) ^[file.txt]
- Compile: Mon Oct 16 21:40:53 2023 UTC (linker v8.0) ^[pefile.txt:34]
- Framework: .NET Framework 4 Client Profile (CLR v4.0.30319) ^[strings.txt:495-497]
- Masquerade: VS_VERSIONINFO claims `CompanyName="Amazon Web Services"`, `ProductName="Kiro"`, `FileDescription="Kiro Setup"`, version `0.12.200.0` ^[exiftool.json]
- Signing: Unsigned ^[rabin2-info.txt]
- Import table: Only `mscoree.dll._CorExeMain` ^[pefile.txt:255]
- Family ascription: High-confidence asyncrat — see cluster comparison below.
How It Works
This is a static-only sample; CAPE was unavailable. All behavior below is inferred from strings, capa, and sibling cluster analysis.
Cluster Evidence (AsyncRAT)
The MessagePackLib namespace, method names (Client.Install, Client.Connection, Client.Helper, Client.Handle_Packet, Client.Algorithm), Aes256, SslClient, TcpClient, MutexControl, Anti_Analysis, DetectDebugger, DetectSandboxie, SetRegistry, InstallFolder, PreventSleep, and KeepAlivePacket are all present in at least three independently-sourced samples (abf498a1, 045c7c54, a41d0d35, d3bb6eb4) ^[strings.txt], sample 045c7c54/strings.txt, sample a41d0d35/strings.txt, sample d3bb6eb4/strings.txt. The shared class names and wire-protocol vocabulary are consistent with the open-source AsyncRAT C# project.
Per-Sample Deltas
- Missing keylogger — `LowLevelKeyboardProc`, `offlineKL`, `SetWindowsHookEx`, `WH_KEYBOARD_LL`, `GetAsyncKeyState` absent (present in `045c7c54`). ^[strings.txt] vs sample 045c7c54/strings.txt
- Smaller — 47 KB vs 64 KB (`045c7c54`) and 27 KB (`d3bb6eb4`). The size delta tracks with stripped modules.
- Masquerade — "Kiro / AWS" here; `045c7c54` has no masquerade; `d3bb6eb4` claims "AU88APP." This suggests per-campaign builder customization rather than code divergence.
Anti-Analysis
- `DetectDebugger` and `DetectSandboxie` methods present ^[strings.txt:332, 380]
- `CheckRemoteDebuggerPresent` and `IsDebuggerPresent` P/Invoke via `kernel32.dll` + `ntdll.dll` ^[strings.txt:446-447, 251-253]
- `RtlSetProcessIsCritical` via `ntdll.dll` (process-critical self-defense) ^[strings.txt:242]
- `SetThreadExecutionState` to prevent sleep / screensaver ^[strings.txt:154]
- VM detection strings for VMware and VirtualBox referenced (capa anti-vm match) ^[capa.txt:82-85]
Persistence
- Registry manipulation: `RegistryValueKind`, `SetRegistry`, `DeleteSubKeyTree`, `CreateSubKey`, `OpenSubKey` ^[strings.txt:78-92, 473-476, 487]
- Scheduled task creation: capa flags `persistence/scheduled-tasks` (4 matches, `schtasks` invocation) ^[capa.txt:131-132]
C2 / Communication
- `SslClient`, `TcpClient`, `AuthenticateAsClient` — TLS-wrapped TCP C2 ^[strings.txt:74-75, 435-440]
- `RemoteCertificateValidationCallback` with `ValidateServerCertificate` — custom server cert pinning or acceptance logic ^[strings.txt:151-153, 234-235]
- `KeepAlivePacket`, `ReadServertData` (sic), `SendInfo`, `Received` — MessagePack framing primitives ^[strings.txt:49, 300-301, 424-425]
- `Pastebin` — likely used for dynamic C2 host retrieval (common AsyncRAT builder option) ^[strings.txt:283]
- Capa flags DNS resolution, HTTP GET response, and TCP socket creation ^[capa.txt:89-91]
Encryption / Integrity
- `Aes256` + `aes256` class names; `HMACSHA256`; `Sha256` digest ^[strings.txt:28-29, 57]
- Two hardcoded 32-byte hex constants in `.text` (likely AES key material or HMAC salts): `1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B` ^[strings.txt:35] and `87639126EA77B358F26532367DBA67C5310EF50A8D9888ED070CD40E1F605A8F` ^[strings.txt:41]
Decompiled Behavior
Ghidra was loaded (cli compiler, 152 functions, zero instructions decompiled due to CIL limitation on this Ghidra instance). Radare2 (cil backend) enumerated 342 functions but produced no decompiled CIL body. Static analysis therefore relies on capa + strings + sibling cluster. No recovered IL bytecode.
C2 Infrastructure
- No hardcoded IP or domain in strings.
- C2 host likely retrieved at runtime via Pastebin or baked into the builder config (common AsyncRAT pattern).
- TLS certificate validation callback suggests the server presents a specific cert chain.
Interesting Tidbits
- `ReadServertData` typo (`Servert` vs `Server`) is a known AsyncRAT source-code artefact; reproduced identically in `045c7c54` and `a41d0d35`. ^[strings.txt], sample 045c7c54/strings.txt
- Binwalk reports LZMA-like structure at file offset `0xB601` (in the `.reloc` padding region), but entropy is low (0.08) — likely false positive. ^[binwalk.txt]
- No obfuscation layer (no ConfuserEx, SmartAssembly, or Eazfuscator strings). Code is unobfuscated C# compiled to CIL, making the strings table highly informative. This is consistent with open-source AsyncRAT builder output when the user disables obfuscation.
How To Mess With It (Homelab Replication)
Toolchain: Visual Studio 2022 Community, .NET Framework 4.x targeting pack.
- Clone the AsyncRAT source (v0.5.7b or current).
- In `Client/Program.cs`, set builder fields: `Hosts`, `Port`, `Pastebin`, `Certificate`, `Mutex`, `Install`.
- Build in Release → `Client` project.
- Verify capa fingerprint: `capa <output.exe>`
Expect hits: create TCP socket, encode data using Base64, hash data using SHA256, compress data using GZip, schedule task via schtasks, check for debugger via API, check for sandbox and av modules, resolve DNS.
What you learn: How a commodity .NET RAT builder produces an EXE with a recognizable capability fingerprint without packing.
Deployable Signatures
YARA
```yara
// The "pe" and "dotnet" modules must be imported before the condition can use them.
import "pe"
import "dotnet"

rule asyncrat_messagepacklib
{
    meta:
        description = "AsyncRAT / open-source .NET RAT with MessagePackLib namespace"
        author = "PacketPursuit"
        created = "2026-06-03"
        family = "asyncrat"
        confidence = "medium"
    strings:
        $ns1 = "MessagePackLib" ascii wide
        $ns2 = "MessagePackLib.MessagePack" ascii wide
        $ns3 = "Client.Install" ascii wide
        $ns4 = "Client.Connection" ascii wide
        $ns5 = "Client.Helper" ascii wide
        $ns6 = "Client.Handle_Packet" ascii wide
        $ns7 = "Client.Algorithm" ascii wide
        $c1 = "Aes256" ascii wide
        $c2 = "SslClient" ascii wide
        $c3 = "TcpClient" ascii wide
        $c4 = "MutexControl" ascii wide
        $c5 = "Anti_Analysis" ascii wide
        $c6 = "DetectDebugger" ascii wide
        $c7 = "DetectSandboxie" ascii wide
        $c8 = "KeepAlivePacket" ascii wide
        $c9 = "ReadServertData" ascii wide
        $c10 = "SetRegistry" ascii wide
        $c11 = "PreventSleep" ascii wide
        $c12 = "ProcessCritical" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 150KB and
        (dotnet.is_dotnet or pe.imports("mscoree.dll", "_CorExeMain")) and
        // YARA refuses to compile a rule with unreferenced strings, so the
        // namespace markers $ns1/$ns2 are required here rather than left unused.
        any of ($ns1, $ns2) and
        8 of ($c*) and
        any of ($ns3, $ns4, $ns5, $ns6, $ns7)
}
```
Note: dotnet module requires YARA 4.2+ compiled with dotnet support; fallback is pe.imports("mscoree.dll","_CorExeMain").
Sigma
```yaml
# Sigma evaluates one logsource per rule, so the process-creation fields and the
# network-connection fields cannot share a condition. The original single rule is
# split into two: the schtasks/reg child processes are attributed to the RAT via
# ParentImage (the RAT spawns them; its own Image is schtasks.exe / reg.exe), and
# the outbound connection is matched in a separate network_connection rule.
title: AsyncRAT Client Spawning Scheduled Task or Registry Persistence
status: experimental
description: Detects an AsyncRAT .NET client (KIRO-AI.exe build) spawning schtasks or reg to persist shortly after launch. Registry writes made through the .NET Registry API do not produce a process_creation event; cover those with a registry_set rule.
author: PacketPursuit
date: 2026-06-03
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\KIRO-AI.exe'
    selection_tasks:
        CommandLine|contains: 'schtasks'
    selection_reg:
        CommandLine|contains:
            - 'reg add'
            - 'reg delete'
    condition: selection_parent and (selection_tasks or selection_reg)
falsepositives:
    - Unknown
level: high
---
title: AsyncRAT Client Outbound C2 Connection
status: experimental
description: Detects an AsyncRAT .NET client (KIRO-AI.exe build) initiating an outbound connection on the ports listed below. Correlate with the persistence rule above in the SIEM.
author: PacketPursuit
date: 2026-06-03
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\KIRO-AI.exe'
        Initiated: 'true'
        DestinationPort:
            - 443
            - 8080
            - 6606
            - 7707
            - 8808
    condition: selection
falsepositives:
    - Unknown
level: high
```
IOCs
| Indicator | Type | Evidence |
|---|---|---|
| abf498a10e71a75dc718f6a899c8b1e9a3785d16ef3561e7c3a5c035f1dfd485 | SHA-256 | triage.json |
| KIRO-AI.exe | Filename | metadata.json |
| Kiro / Amazon Web Services | Masquerade product/company | exiftool.json |
| 1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B | Static hex blob | strings.txt:35 |
| 87639126EA77B358F26532367DBA67C5310EF50A8D9888ED070CD40E1F605A8F | Static hex blob | strings.txt:41 |
| MessagePackLib | Namespace | strings.txt |
| Client.Install | Class+method | strings.txt |
| Client.Connection | Class+method | strings.txt |
| Client.Handle_Packet | Class+method | strings.txt |
Behavioral Fingerprint
On execution, the binary loads mscoree.dll, instantiates Client.Install and Client.Connection, resolves the C2 host (Pastebin or builder-embedded), establishes a TLS-wrapped TCP socket (SslClient over TcpClient), and begins a MessagePack-framed keepalive exchange. Within the first minute it runs Anti_Analysis checks (DetectDebugger, DetectSandboxie, CheckRemoteDebuggerPresent), calls RtlSetProcessIsCritical, and calls SetThreadExecutionState to prevent sleep. Persistence is achieved via registry Run key writes and a schtasks command. Data exfiltration and remote command reception use the same TLS socket, with AES-256-encrypted payloads inside GZip-compressed MessagePack packets.
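The behavioral fingerprint above is a sequence that spans process-creation and network-connection telemetry, which a single Sigma rule (see the Sigma section) cannot join. As an added example that is not part of the original report or of the AsyncRAT project, this Python script performs that join over constructed Sysmon-style events the way a SIEM correlation rule would; the event layout, paths, pids and the schtasks command line are assumptions for illustration, while the filename and port list come from the report.

```python
from datetime import datetime, timedelta

SUSPECT_IMAGE = "\\kiro-ai.exe"                     # filename from the sample's metadata
PERSISTENCE_MARKERS = ("schtasks", "reg add", "reg delete")
C2_PORTS = {443, 8080, 6606, 7707, 8808}            # ports listed in the Sigma rule

# Constructed Sysmon-style events (id 1 = process create, id 3 = network connect);
# paths, pids and the schtasks command line are hypothetical.
SAMPLE_EVENTS = [
    {"ts": "2023-10-17T09:00:00", "id": 1, "pid": 4120, "ppid": 900,
     "image": r"C:\Users\u\Downloads\KIRO-AI.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "KIRO-AI.exe"},
    {"ts": "2023-10-17T09:00:07", "id": 1, "pid": 4130, "ppid": 4120,
     "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Users\u\Downloads\KIRO-AI.exe",
     "cmd": 'schtasks /create /f /sc onlogon /tn "KIRO-AI" /tr "C:\\Users\\u\\Downloads\\KIRO-AI.exe"'},
    {"ts": "2023-10-17T09:00:12", "id": 3, "pid": 4120,
     "image": r"C:\Users\u\Downloads\KIRO-AI.exe", "initiated": True, "dport": 6606},
    # Same binary name, but no persistence child: a network event alone is not enough.
    {"ts": "2023-10-17T09:02:00", "id": 3, "pid": 6000,
     "image": r"C:\Temp\KIRO-AI.exe", "initiated": True, "dport": 443},
    # Benign installer spawning schtasks with no outbound connection: no alert.
    {"ts": "2023-10-17T09:05:00", "id": 1, "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Program Files\App\setup.exe",
     "cmd": "schtasks /create /tn Updater /tr updater.exe /sc daily"},
]


def _is_suspect(path):
    return path.lower().endswith(SUSPECT_IMAGE)


def correlate(events, window=timedelta(minutes=5)):
    """One alert per suspect pid that spawned a persistence command (schtasks / reg)
    AND initiated a connection to a C2-style port within `window`. Sigma cannot join
    process_creation and network_connection events in one rule, so the join is done here."""
    persistence = {}  # parent pid -> (timestamp, child command line)
    for e in events:
        if e["id"] == 1 and _is_suspect(e["parent"]) and \
                any(m in e["cmd"].lower() for m in PERSISTENCE_MARKERS):
            persistence.setdefault(e["ppid"], (datetime.fromisoformat(e["ts"]), e["cmd"]))
    alerts, seen = [], set()
    for e in events:
        if e["id"] != 3 or not e.get("initiated") or e["dport"] not in C2_PORTS:
            continue
        hit = persistence.get(e["pid"])
        if hit and _is_suspect(e["image"]) and e["pid"] not in seen \
                and abs(datetime.fromisoformat(e["ts"]) - hit[0]) <= window:
            seen.add(e["pid"])
            alerts.append({"pid": e["pid"], "image": e["image"],
                           "persistence": hit[1], "dport": e["dport"]})
    return alerts
```

Run against `SAMPLE_EVENTS` it yields exactly one alert, for pid 4120; the lone connection from pid 6000 and the installer's schtasks child are both dropped because neither half of the sequence is complete.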
Detection Signatures (capa → ATT&CK)
| capa hit | ATT&CK Technique |
|---|---|
| check for sandbox and av modules | T1497.001 (Virtualization/Sandbox Evasion::System Checks) |
| check for debugger via API | T1622 (Debugger Evasion) |
| self delete (2 matches) | T1070.004 (Indicator Removal::File Deletion) |
| reference anti-VM strings targeting VMWare / VirtualBox | T1497.001 |
| receive data | T1071 (Application Layer Protocol) |
| resolve DNS | T1071.004 (Application Layer Protocol::DNS) |
| create TCP socket | T1071.001 (Application Layer Protocol::Web Protocols) |
| manipulate network credentials in .NET | T1556 (Modify Authentication Process) |
| decode/encode data using Base64 | T1027 (Obfuscated Files or Information) |
| hash data using SHA256 / MD5 | T1027 |
| compress data using GZip | T1560.002 (Archive via Library) |
| query environment variable | T1083 (File and Directory Discovery) |
| delete file / read file | T1083 / T1070.004 |
| get graphical window text | T1010 (Application Window Discovery) |
| get number of processors / disk size | T1082 (System Information Discovery) |
| create or open mutex | T1078 (Valid Accounts) |
| get hostname / OS version / process image filename | T1082 / T1518 (Software Discovery) |
| create process with modified I/O handles | T1059 (Command and Scripting Interpreter) |
| enumerate processes | T1057 (Process Discovery) |
| terminate process | T1562 (Impair Defenses) |
| query/set/delete registry | T1012 (Query Registry), T1112 (Modify Registry) |
| get session user name / integrity level | T1087 (Account Discovery), T1033 (System Owner/User Discovery) |
| create thread / suspend thread | T1055 (Process Injection) |
| enter debug mode in .NET | T1055 |
| execute via timer in .NET | T1053.005 (Scheduled Task) |
| schedule task via schtasks (4 matches) | T1053.005 |
| access WMI data in .NET | T1047 (Windows Management Instrumentation) |
| load .NET assembly | T1620 (Reflective Code Loading) |
References
- AsyncRAT open-source repository (GitHub: NYAN-x-CAT/AsyncRAT-C-Sharp)
- `045c7c54` sibling analysis (OpenCTI label: asyncrat) — raw/analyses/045c7c5443695ecd98e2633f005acd9f2c9a84bd1e446472c32a17e710fdaaa2
- `a41d0d35` sibling — raw/analyses/a41d0d358d23125da8894e23b25463152f0ae6b6ea545f6f84e8cd5c679afb15
- `d3bb6eb4` sibling — raw/analyses/d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce
- Abuse.ch MalwareBazaar entry for `abf498a1` (artifact `c0923cfc-341a-4fd6-bef7-8c2a7e425074`)
Provenance
Analysis produced from the following artefacts and tool versions:
- `file.txt` — `file` v5.44
- `pefile.txt` — pefile 2023.2.7
- `strings.txt` — `strings` v2.42
- `floss.txt` — flare-floss v3.1.0 (errored due to CIL; no decoded strings)
- `capa.txt` — capa v7.3.0 (static analysis only)
- `binwalk.txt` — binwalk v2.3.4
- `rabin2-info.txt` — radare2 v5.9.4
- `exiftool.json` — ExifTool 12.76
- `metadata.json` — OpenCTI connector artefact metadata
- radare2 `cil` backend — 342 functions identified, no IL-level decompilation
- Ghidra v12.1 — imported as PE32 .NET; 152 functions, 0 instructions (CIL limitation)
Confidence: high for family assignment to asyncrat; medium for runtime C2 host resolution mechanism (Pastebin vs hardcoded vs dynamic-DNS).