type: analysis | family: asyncrat | confidence: high | tags: pe, dotnet, rat, c2, persistence, defense-evasion, malware-family
SHA-256: d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce

asyncrat: d3bb6eb4 — AU88APP, ~27 KB, builder-default exposure with hardcoded C2 caza.it.com

Executive Summary

The smallest AsyncRAT sibling yet observed in this corpus (~27 KB). A stripped PE32 .NET assembly masquerading as "AU88APP" with empty version-info fields. Builder defaults are fully exposed — Test.exe, AppData, %MTX%, %Certificate%, %Serversignature%, NYAN CAT, 0.5.7B — pointing to an unmodified or minimally-configured open-source build. Most significantly, this sample carries the first static hardcoded C2 domain in the cluster: caza.it.com. No keylogger module. Static-only (CAPE skipped, no Windows guest).

What It Is

  • File: AU88APP.exe — 27,136 bytes, PE32 GUI, 3 sections (.text, .rsrc, .reloc) ^[file.txt]
  • Compile: fabricated timestamp Sun Jun 27 12:24:20 2083 UTC (linker v48.0) ^[pefile.txt:34]
  • Framework: .NET Framework 4.8 (CLR v4.0.30319) ^[strings.txt:409]
  • Masquerade: VS_VERSIONINFO claims empty CompanyName, ProductName, FileDescription; InternalName=AU88APP.exe, version 1.0.0.0 ^[exiftool.json]
  • PDB: C:\new\Client\obj\Debug\AU88APP.pdb ^[strings.txt:410]
  • Signing: Unsigned ^[rabin2-info.txt]
  • Import table: Only mscoree.dll._CorExeMain ^[pefile.txt:255]
  • Family ascription: High-confidence asyncrat — see cluster evidence in the entity page.

How It Works

Static-only inference; CAPE unavailable. All behavior below is derived from strings, capa, radare2 IL symbol table, and sibling cluster comparison.

Cluster Evidence (AsyncRAT)

The full MessagePackLib namespace tree, Client.Install, Client.Connection, Client.Helper, Client.Handle_Packet, Client.Algorithm, Aes256, SslClient, TcpClient, MutexControl, Anti_Analysis, DetectDebugger, DetectSandboxie, SetRegistry, InstallFolder, PreventSleep, KeepAlivePacket, ReadServertData typo, Pastebin, RtlSetProcessIsCritical, SetThreadExecutionState, and CheckRemoteDebuggerPresent are all present — matching the cluster fingerprint documented at asyncrat.

Per-Sample Deltas

  • Smallest sibling — 27 KB vs 47 KB (abf498a1) and 64 KB (045c7c54). Tracks with stripped modules and minimal builder customization. ^[metadata.json]
  • Hardcoded C2 domain — caza.it.com present as a plain string in the binary, the first static C2 IOC recovered from this cluster. ^[r2:strings:caza.it.com]
  • Builder-default exposure — Test.exe, AppData, %MTX%, %Certificate%, %Serversignature%, NYAN CAT, and 0.5.7B all present as literal strings, indicating the operator used default builder fields without overwriting them. ^[r2:strings:Test.exe], ^[r2:strings:AppData], ^[r2:strings:%MTX%], ^[r2:strings:%Certificate%], ^[r2:strings:%Serversignature%], ^[r2:strings:NYAN CAT], ^[r2:strings:0.5.7B]
  • No keylogger — LowLevelKeyboardProc, offlineKL, SetWindowsHookEx, WH_KEYBOARD_LL, GetAsyncKeyState absent (same as abf498a1; present in 045c7c54).
  • No GZip — GZipStream or System.IO.Compression.GZipStream absent (present in abf498a1).
  • Plugin system present — Plugin.Plugin, savePlugin, sendPlugin strings present, confirming modular plugin architecture. ^[r2:strings:Plugin.Plugin]
  • Single AES constant — only 1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B found; the second 32-byte hex blob seen in abf498a1 is absent. ^[strings.txt:23]
  • Persistence strings not in static table — schtasks invocation pattern flagged by capa (4 matches) but not recovered in strings output; likely inlined in IL or obfuscated by the compiler. Compare abf498a1, where capa also flags 4 matches without schtasks appearing in extracted strings. ^[capa.txt:131-132]

Anti-Analysis

  • DetectDebugger and DetectSandboxie methods present ^[strings.txt:273, 76]
  • CheckRemoteDebuggerPresent and isDebuggerPresent P/Invoke via kernel32.dll + ntdll.dll ^[strings.txt:364, 365]
  • RtlSetProcessIsCritical via ntdll.dll (process-critical self-defense) ^[strings.txt:200]
  • SetThreadExecutionState with ES_SYSTEM_REQUIRED | ES_DISPLAY_REQUIRED to prevent sleep / screensaver ^[strings.txt:24-25, 125]
  • VM detection strings for VMware and VirtualBox referenced (capa anti-vm match) ^[capa.txt:82-85]
  • DetectManufacturer method + WMI Select * from Win32_ComputerSystem to check for microsoft corporation / VIRTUAL / vmware / VirtualBox ^[strings.txt], ^[capa.txt]

Persistence

  • Registry manipulation: RegistryValueKind, SetRegistry, DeleteSubKeyTree, CreateSubKey, OpenSubKey, DeleteValue, GetValue ^[strings.txt:64, 399, 74, 387, 389, 388, 390, 145, 146]
  • Scheduled task creation: capa flags persistence/scheduled-tasks (4 matches) ^[capa.txt:131-132]

C2 / Communication

  • Static C2: caza.it.com — plain hostname in binary. ^[r2:strings:caza.it.com]
  • SslClient, TcpClient, AuthenticateAsClient — TLS-wrapped TCP C2 ^[strings.txt:355-359]
  • RemoteCertificateValidationCallback with ValidateServerCertificate — custom server cert pinning or acceptance logic ^[strings.txt:121, 194]
  • KeepAlivePacket, ReadServertData (sic), SendInfo, Received — MessagePack framing primitives ^[strings.txt:37, 346, 350, 247]
  • Pastebin — present, but with caza.it.com hardcoded, Pastebin may serve as a failover or the builder field was left at default. ^[strings.txt:232]
  • Capa flags DNS resolution, HTTP GET response, and TCP socket creation ^[capa.txt:89-91]

Encryption / Integrity

  • Aes256 + aes256 class names; HMACSHA256; Sha256 digest ^[strings.txt:18, 19, 16, 17]
  • Single hardcoded 32-byte hex constant in .text (likely AES key material or HMAC salt):
    • 1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B ^[strings.txt:23]
  • Error strings: masterKey can not be null or empty. and Invalid message authentication code (MAC). confirm HMAC-SHA256 validation with key-derivation. ^[r2:strings:masterKey can not be null or empty.]

Decompiled Behavior

Ghidra imported the binary (cil language) but analysis is incomplete (queued, not finished). Radare2 (cil backend) enumerated 213 functions with full IL method names, providing a clean symbol map:

Entry point: entry0 @ 0x00402050 → method.Client.Program..ctor → method.Client.Settings.InitializeSettings ^[r2:entry0]

Notable method tree observed by radare2:

  • Client.Connection.ClientSocket.InitializeClient (^[r2:method.Client.Connection.ClientSocket.InitializeClient]) — TLS socket bootstrap, cert validation callback setup.
  • Client.Connection.ClientSocket.ValidateServerCertificate (^[r2:method.Client.Connection.ClientSocket.ValidateServerCertificate]) — custom X509 chain logic.
  • Client.Connection.ClientSocket.ReadServertData (^[r2:method.Client.Connection.ClientSocket.ReadServertData]) — C2 packet reader; the Servert typo is a known AsyncRAT source artefact.
  • Client.Helper.Anti_Analysis.RunAntiAnalysis (^[r2:method.Client.Helper.Anti_Analysis.RunAntiAnalysis]) — orchestrates debugger, sandbox, and VM checks.
  • Client.Helper.Anti_Analysis.DetectDebugger (^[r2:method.Client.Helper.Anti_Analysis.DetectDebugger]) — CheckRemoteDebuggerPresent wrapper.
  • Client.Helper.Anti_Analysis.DetectSandboxie (^[r2:method.Client.Helper.Anti_Analysis.DetectSandboxie]) — SbieDll.dll check.
  • Client.Helper.Anti_Analysis.DetectManufacturer (^[r2:method.Client.Helper.Anti_Analysis.DetectManufacturer]) — WMI-based VM detection.
  • Client.Helper.MutexControl.CreateMutex / CloseMutex (^[r2:method.Client.Helper.MutexControl.CreateMutex]) — single-instance enforcement.
  • Client.Helper.ProcessCritical.Set (^[r2:method.Client.Helper.ProcessCritical.Set]) — RtlSetProcessIsCritical P/Invoke wrapper.
  • Client.Install.NormalStartup.Install (^[r2:method.Client.Install.NormalStartup.Install]) — persistence installer (registry + scheduled task).
  • Client.Algorithm.Aes256.Encrypt / Decrypt (^[r2:sym.Client.Algorithm.Aes256.Encrypt]) — AES-256-CBC with HMAC-SHA256 auth.
  • Client.Handle_Packet.Packet.Received (^[r2:method.Client.Handle_Packet.Packet.Received]) — MessagePack command dispatcher.
  • Client.Helper.IdSender.SendInfo (^[r2:method.Client.Helper.IdSender.SendInfo]) — exfiltrates host profile (HWID, OS, username, AV, admin status).

No IL bytecode body was decompiled to pseudo-C on this Ghidra instance (CIL backend limitation). Function names alone are sufficient for behavioural mapping given the unobfuscated .NET nature.

C2 Infrastructure

| Indicator | Type | Evidence |
|---|---|---|
| caza.it.com | Hardcoded C2 domain | r2 strings |
| Pastebin | Dynamic C2 failover / default builder field | strings.txt:232 |

TLS certificate validation callback suggests the server presents a specific chain; ValidateServerCertificate may pin or blindly accept.

Interesting Tidbits

  • Builder version 0.5.7B and NYAN CAT string are literal artifacts of the open-source AsyncRAT builder defaults — the operator did not even rename the mutex placeholder (%MTX%) or certificate placeholder (%Certificate%). ^[r2:strings:0.5.7B], ^[r2:strings:NYAN CAT]
  • ReadServertData typo reproduced identically across abf498a1, 045c7c54, a41d0d35, and this sample — a source-code fingerprint. ^[strings.txt:37]
  • No obfuscation layer (no ConfuserEx, SmartAssembly, or Eazfuscator strings). Unobfuscated CIL makes the strings table highly informative and explains why capa achieves 130+ capability matches.
  • The Test.exe default filename string suggests the operator built with the default "Test" profile and renamed the output only at distribution time. ^[r2:strings:Test.exe]
  • AppData in strings implies the default install path targets %AppData%\Roaming or similar. ^[r2:strings:AppData]

How To Mess With It (Homelab Replication)

Toolchain: Visual Studio 2022 Community, .NET Framework 4.8 targeting pack.

  1. Clone the AsyncRAT source (tag 0.5.7B matches this sample).
  2. In Client/Settings.cs, set:
    • Hosts = "caza.it.com"
    • Port = <your test port>
    • Pastebin = "" (or a test Pastebin raw URL)
    • Certificate = "" (or a self-signed cert thumbprint)
    • Mutex = "TestMutex"
    • Install = true, InstallFolder = "Test"
  3. Build in Release → Client project.
  4. Verify capa fingerprint:
capa <output.exe>

Expect hits: create TCP socket, encode data using Base64, hash data using SHA256, schedule task via schtasks, check for debugger via API, check for sandbox and av modules, resolve DNS, manipulate network credentials in .NET.

What you learn: How a commodity .NET RAT builder produces a sub-30 KB EXE with a recognizable capability fingerprint when left at default settings.

Deployable Signatures

YARA

import "pe"

// pe module required for pe.imports(); every declared string must be referenced
// in the condition or yara refuses to compile the rule.
rule asyncrat_au88app
{
    meta:
        description = "AsyncRAT sibling AU88APP with hardcoded caza.it.com C2"
        author = "PacketPursuit"
        created = "2026-06-05"
        family = "asyncrat"
        sha256 = "d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce"
        confidence = "high"
    strings:
        $ns1 = "MessagePackLib" ascii wide
        $ns2 = "MessagePackLib.MessagePack" ascii wide
        $ns3 = "Client.Install" ascii wide
        $ns4 = "Client.Connection" ascii wide
        $ns5 = "Client.Helper" ascii wide
        $ns6 = "Client.Handle_Packet" ascii wide
        $ns7 = "Client.Algorithm" ascii wide
        $c1 = "Aes256" ascii wide
        $c2 = "SslClient" ascii wide
        $c3 = "TcpClient" ascii wide
        $c4 = "MutexControl" ascii wide
        $c5 = "Anti_Analysis" ascii wide
        $c6 = "DetectDebugger" ascii wide
        $c7 = "DetectSandboxie" ascii wide
        $c8 = "KeepAlivePacket" ascii wide
        $c9 = "ReadServertData" ascii wide
        $c10 = "SetRegistry" ascii wide
        $c11 = "PreventSleep" ascii wide
        $c12 = "ProcessCritical" ascii wide
        $c13 = "caza.it.com" ascii wide
        $c14 = "Pastebin" ascii wide
        $c15 = "Test.exe" ascii wide
        $c16 = "NYAN CAT" ascii wide
        $c17 = "0.5.7B" ascii wide
        $c18 = "AppData" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize < 150KB and
        pe.imports("mscoree.dll", "_CorExeMain") and
        any of ($ns1, $ns2) and
        10 of ($c*) and
        ($ns3 or $ns4 or $ns5 or $ns6 or $ns7)
}
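A small static-triage script that applies the cluster fingerprint and builder-default checks from the Per-Sample Deltas section and the YARA rule above to a file image. This is an added example, not part of the original report or of the AsyncRAT project; it searches each marker in ASCII and UTF-16LE (the encoding of .NET user strings, and the reason the rule says `ascii wide`), and pulls out candidate hostnames and 32-byte hex constants. The blob it runs on is constructed to stand in for the AU88APP strings table, not the real binary.

```python
import re
from typing import Dict, List, Set

# Marker sets copied from the report; everything else here is added example code.
CLUSTER_NAMESPACES = ["Client.Install", "Client.Connection", "Client.Helper",
                      "Client.Handle_Packet", "Client.Algorithm"]
CLUSTER_CLASSES = ["Aes256", "SslClient", "TcpClient", "MutexControl", "Anti_Analysis",
                   "DetectDebugger", "DetectSandboxie", "KeepAlivePacket", "ReadServertData",
                   "SetRegistry", "PreventSleep", "ProcessCritical", "Pastebin"]
BUILDER_DEFAULTS = ["Test.exe", "AppData", "%MTX%", "%Certificate%", "%Serversignature%",
                    "NYAN CAT", "0.5.7B"]
KEYLOGGER_MARKERS = ["LowLevelKeyboardProc", "offlineKL", "SetWindowsHookEx", "GetAsyncKeyState"]
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")          # UTF-16LE, as in the .NET #US heap
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+\.[a-z]{2,}$")  # crude; skips capitalised namespaces
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{64}$")                          # 32-byte constants like the AES blob

def find_string(blob: bytes, s: str) -> Set[str]:
    """Encodings in which s occurs; .NET user strings are UTF-16LE, hence YARA's 'ascii wide'."""
    return {enc for enc, b in (("ascii", s.encode("ascii")), ("wide", s.encode("utf-16-le"))) if b in blob}

def printable_strings(blob: bytes) -> List[str]:
    """ASCII and UTF-16LE runs, decoded; roughly what strings / r2 iz report."""
    return ([m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)] +
            [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)])

def triage(blob: bytes) -> Dict[str, object]:
    """Apply the cluster fingerprint from the report to a file image."""
    strings = printable_strings(blob)
    ns_hits = [n for n in CLUSTER_NAMESPACES if find_string(blob, n)]
    class_hits = [c for c in CLUSTER_CLASSES if find_string(blob, c)]
    defaults = [d for d in BUILDER_DEFAULTS if find_string(blob, d)]
    keylogger = [k for k in KEYLOGGER_MARKERS if find_string(blob, k)]
    # Mirrors the YARA condition: MZ header, a Client.* namespace, 10 of the class/default markers.
    matched = blob[:2] == b"MZ" and bool(ns_hits) and len(class_hits) + len(defaults) >= 10
    return {"verdict": "asyncrat-cluster" if matched else "no-match",
            "namespaces": ns_hits, "class_hits": class_hits, "builder_defaults": defaults,
            "keylogger_markers": keylogger,
            "hosts": sorted({s for s in strings if HOST_RE.match(s)}),
            "hex32": sorted({s for s in strings if HEX32_RE.match(s)})}

def build_sample() -> bytes:
    """Constructed stand-in for the AU88APP strings table, not the real binary:
    an MZ stub, cluster/default strings as UTF-16LE, and a few ASCII metadata strings."""
    wide = ["Client.Install", "Client.Connection", "Client.Helper", "Aes256", "SslClient",
            "TcpClient", "MutexControl", "Anti_Analysis", "DetectDebugger", "ReadServertData",
            "KeepAlivePacket", "Pastebin", "caza.it.com", "Test.exe", "%MTX%", "NYAN CAT", "0.5.7B"]
    ascii_ = ["mscoree.dll", "_CorExeMain",
              "1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B"]
    return (b"MZ" + b"\x00" * 62 + b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in wide)
            + b"".join(s.encode("ascii") + b"\x00" for s in ascii_))
```

Run `triage(build_sample())` to see the verdict, the builder defaults left in place, the absent keylogger markers, and the recovered hostname and hex constant; on a real sample, pass the file's bytes instead.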

Sigma

title: AsyncRAT Client Launch with Hardcoded caza.it.com C2
description: Detects AsyncRAT .NET client network beacon to caza.it.com, with TLS handshake and MessagePack keepalive within 60s of process start.
status: experimental
author: PacketPursuit
date: 2026-06-05
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains: 'caza.it.com'
        Image|endswith:
            - 'AU88APP.exe'
            - 'Test.exe'
    selection_tls:
        DestinationPort:
            - 443
            - 6606
            - 7707
            - 8808
    condition: selection and selection_tls
falsepositives:
    - Unknown
level: high

IOCs

| Indicator | Type | Evidence |
|---|---|---|
| d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce | SHA-256 | triage.json |
| AU88APP.exe | Filename | metadata.json |
| caza.it.com | Hardcoded C2 domain | r2 strings |
| Test.exe | Default builder output name | r2 strings |
| AppData | Default install path hint | r2 strings |
| %MTX% | Default mutex placeholder | r2 strings |
| %Certificate% | Default cert placeholder | r2 strings |
| %Serversignature% | Default server-sig placeholder | r2 strings |
| NYAN CAT | Builder artefact | r2 strings |
| 0.5.7B | Builder version | r2 strings |
| 1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B | Static hex blob (AES/HMAC key) | strings.txt:23 |
| MessagePackLib | Namespace | strings.txt:38 |
| Client.Install | Class+method | strings.txt:208 |
| Client.Connection | Class+method | strings.txt:241 |
| Client.Handle_Packet | Class+method | strings.txt:345 |
| Plugin.Plugin | Plugin system | r2 strings |

Behavioral Fingerprint

On execution, the binary loads mscoree.dll, instantiates Client.Install and Client.Connection, resolves the hardcoded C2 host caza.it.com (or falls back to a Pastebin URL if configured), establishes a TLS-wrapped TCP socket (SslClient over TcpClient), and begins MessagePack-framed keepalive exchange. Within the first minute it runs Anti_Analysis checks (DetectDebugger, DetectSandboxie, CheckRemoteDebuggerPresent, DetectManufacturer via WMI), sets RtlSetProcessIsCritical, and sets SetThreadExecutionState to prevent sleep. Persistence is achieved via registry Run key writes and a schtasks command. Data exfiltration and remote command reception use the same TLS socket with AES-256-encrypted payloads inside MessagePack packets. The modular plugin system (Plugin.Plugin) allows runtime extension of capabilities.

Detection Signatures (capa → ATT&CK)

| capa hit | ATT&CK Technique |
|---|---|
| check for sandbox and av modules | T1497.001 (Virtualization/Sandbox Evasion::System Checks) |
| check for debugger via API | T1622 (Debugger Evasion) |
| self delete (2 matches) | T1070.004 (Indicator Removal::File Deletion) |
| reference anti-VM strings targeting VMWare / VirtualBox | T1497.001 |
| receive data | T1071 (Application Layer Protocol) |
| resolve DNS | T1071.004 (Application Layer Protocol::DNS) |
| create TCP socket | T1071.001 (Application Layer Protocol::Web Protocols) |
| manipulate network credentials in .NET | T1556 (Modify Authentication Process) |
| decode/encode data using Base64 | T1027 (Obfuscated Files or Information) |
| hash data using SHA256 / MD5 | T1027 |
| query environment variable | T1083 (File and Directory Discovery) |
| delete file / read file | T1083 / T1070.004 |
| get graphical window text | T1010 (Application Window Discovery) |
| get number of processors / disk size | T1082 (System Information Discovery) |
| create or open mutex | T1078 (Valid Accounts) |
| get hostname / OS version / process image filename | T1082 / T1518 (Software Discovery) |
| create process with modified I/O handles | T1059 (Command and Scripting Interpreter) |
| enumerate processes | T1057 (Process Discovery) |
| terminate process | T1562 (Impair Defenses) |
| query/set/delete registry | T1012 (Query Registry), T1112 (Modify Registry) |
| get session user name / integrity level | T1087 (Account Discovery), T1033 (System Owner/User Discovery) |
| create thread / suspend thread | T1055 (Process Injection) |
| enter debug mode in .NET | T1055 |
| execute via timer in .NET | T1053.005 (Scheduled Task) |
| schedule task via schtasks (4 matches) | T1053.005 |
| access WMI data in .NET (2 matches) | T1047 (Windows Management Instrumentation) |
| load .NET assembly | T1620 (Reflective Code Loading) |

References

  • AsyncRAT open-source repository (GitHub: NYAN-x-CAT/AsyncRAT-C-Sharp)
  • asyncrat entity page — cluster overview and shared build/TTP analysis
  • abf498a1 sibling analysis — /intel/analyses/abf498a10e71a75dc718f6a899c8b1e9a3785d16ef3561e7c3a5c035f1dfd485.html
  • 045c7c54 sibling — raw/analyses/045c7c5443695ecd98e2633f005acd9f2c9a84bd1e446472c32a17e710fdaaa2
  • a41d0d35 sibling — raw/analyses/a41d0d358d23125da8894e23b25463152f0ae6b6ea545f6f84e8cd5c679afb15
  • Abuse.ch MalwareBazaar entry for d3bb6eb4 (artifact b4f43edf-8be5-407b-8bca-3513d942287a)

Provenance

Analysis produced from the following artefacts and tool versions:

  • file.txt — file v5.44
  • pefile.txt — pefile 2023.2.7
  • strings.txt — strings v2.42
  • floss.txt — flare-floss v3.1.0 (errored due to CIL argument parsing; no decoded strings)
  • capa.txt — capa v7.3.0 (static analysis only)
  • binwalk.txt — binwalk v2.3.4
  • rabin2-info.txt — radare2 v5.9.4
  • exiftool.json — ExifTool 12.76
  • metadata.json — OpenCTI connector artefact metadata
  • triage.json — triage pipeline metadata
  • dynamic-analysis.md — CAPE skipped (no Windows guest available)
  • radare2 cil backend — 213 functions identified, full IL method name recovery, no IL-level decompilation to pseudo-C
  • Ghidra v12.1 — imported as PE32 .NET (cil); analysis queued but incomplete at time of report

Confidence: high for family assignment to asyncrat; high for caza.it.com as static C2 (plain string); medium for Pastebin serving as an active failover (string present but may be default placeholder).