type: concept
confidence: high
created: 2026-06-03
updated: 2026-06-03
tags: c2-protocol, malware-family, discovery, obfuscation, dotnet, c2

MessagePackLib Asynchronous RAT Protocol

Definition

A .NET C2 wire-format pattern in which the client and server exchange commands and replies as MessagePack-serialized objects wrapped in an AES-256-CBC plus HMAC-SHA256 envelope, transported over a TLS-encrypted TCP socket. "MessagePackLib" is the namespace string found in the open-source AsyncRAT project (and its forks); it serves as a convenient static fingerprint whenever the binary has not been obfuscated.

Wire-Format Description

  1. Layer 0 — Transport: Plain TCP socket upgraded to SslStream via AuthenticateAsClient (TLS 1.2/1.3, depending on .NET version). The server certificate is validated via a RemoteCertificateValidationCallback delegate, allowing self-signed or pinned certificates.
  2. Layer 1 — Keepalive / Framing: KeepAlivePacket, Ping, and ActivatePong messages maintain the connection. A fixed HeaderSize prefix defines frame boundaries. A SendSync boolean controls whether the client blocks awaiting a reply.
  3. Layer 2 — Integrity: HMAC-SHA256 (HMACSHA256) over the plaintext before encryption. Serversignature string present in the client suggests the server presents a signature blob.
  4. Layer 3 — Encryption: AES-256-CBC (Aes256 class, CipherMode.CBC, PaddingMode.PKCS7). Keys are typically two 32-byte hex constants embedded in .text (1DB2A1F9... and 87639126... observed across siblings). ^[sample abf498a1/strings.txt:35,41]
  5. Layer 4 — Serialization: MessagePack binary encoding (MessagePackLib.MessagePack.MsgPack). Each packet carries a type identifier (MsgPackType) and a MsgPackArray of key-value pairs for command arguments.
  6. Layer 5 — Compression: Optional GZip (GZipStream) applied to the serialized payload before encryption. Capa flags this consistently. ^[sample abf498a1/capa.txt:91-92]
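The envelope described in Layers 2 to 5, as an added worked example that is not code from the note or from the AsyncRAT project. It takes the two 32-byte constants already recovered from a binary and unwraps one complete frame captured from a decrypted session: CBC decrypt, PKCS7 unpad, verify the HMAC-SHA256 tag over the body (the note's MAC-then-encrypt order), then inflate the body if it carries the gzip magic. Everything about field order is an assumption made for this example and must be confirmed against the sample's Aes256 class: the layout assumed is IV(16) || AES-256-CBC(PKCS7(tag(32) || body)), with the first hex constant used as the AES key and the second as the HMAC key. Layer 1 framing (HeaderSize) is not modelled; the input is one frame. Wrap exists only to produce test vectors, and SamplePacket is a constructed MessagePack fixmap whose key name is made up.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Keys are the two 32-byte constants recovered from the binary. Which hex
// string is the AES key and which the HMAC key is an assumption of this
// example; confirm it against the sample's Aes256 class.
type Keys struct{ Enc, Mac []byte }

func KeysFromHex(encHex, macHex string) (Keys, error) {
	enc, err1 := hex.DecodeString(encHex)
	mac, err2 := hex.DecodeString(macHex)
	if err1 != nil || err2 != nil || len(enc) != 32 || len(mac) != 32 {
		return Keys{}, errors.New("keys must be two 32-byte hex strings")
	}
	return Keys{Enc: enc, Mac: mac}, nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// Unwrap recovers the serialized packet from one captured envelope
// (assumed layout: IV || AES-256-CBC(PKCS7(tag || body)), tag = HMAC(body)).
// compressed reports whether the body carried the gzip magic and was inflated.
func Unwrap(k Keys, env []byte) (payload []byte, compressed bool, err error) {
	if len(env) < 2*aes.BlockSize || (len(env)-aes.BlockSize)%aes.BlockSize != 0 {
		return nil, false, errors.New("envelope too short or misaligned")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, false, err
	}
	iv, ct := env[:aes.BlockSize], env[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil || len(pt) < sha256.Size {
		return nil, false, errors.New("decryption failed: wrong key or damaged envelope")
	}
	tag, body := pt[:sha256.Size], pt[sha256.Size:]
	m := hmac.New(sha256.New, k.Mac)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) { // constant-time comparison
		return nil, false, errors.New("HMAC mismatch")
	}
	if len(body) >= 2 && body[0] == 0x1f && body[1] == 0x8b { // gzip magic
		zr, zerr := gzip.NewReader(bytes.NewReader(body))
		if zerr != nil {
			return nil, false, zerr
		}
		if body, zerr = io.ReadAll(zr); zerr != nil {
			return nil, false, zerr
		}
		compressed = true
	}
	return body, compressed, nil
}

// Wrap builds an envelope in the same assumed layout; it exists here only
// to produce test vectors for Unwrap.
func Wrap(k Keys, payload []byte, compress bool) ([]byte, error) {
	body := payload
	if compress {
		var zb bytes.Buffer
		zw := gzip.NewWriter(&zb)
		zw.Write(payload)
		zw.Close()
		body = zb.Bytes()
	}
	m := hmac.New(sha256.New, k.Mac)
	m.Write(body)
	pt := pkcs7Pad(append(m.Sum(nil), body...))
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	env := make([]byte, aes.BlockSize+len(pt))
	if _, err := io.ReadFull(rand.Reader, env[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, env[:aes.BlockSize]).CryptBlocks(env[aes.BlockSize:], pt)
	return env, nil
}

// SamplePacket is a constructed MessagePack fixmap {"cmd": "ping"}; the key
// name is made up and not taken from any sample.
func SamplePacket() []byte {
	return []byte{0x81, 0xa3, 'c', 'm', 'd', 0xa4, 'p', 'i', 'n', 'g'}
}
```

Because the tag is checked before anything is returned, a frame decrypted with the wrong key, a key pair assigned the wrong way round, or a damaged capture all fail closed; that makes the function a cheap way to confirm which of the two extracted constants is the AES key and which is the HMAC key during triage.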

Detecting in Static Analysis

  • Namespace MessagePackLib or MessagePackLib.MessagePack.
  • Class names: Aes256, HMACSHA256, SslClient, TcpClient, KeepAlivePacket, SendSync, HeaderSize, ReadServertData (sic; the misspelling is in the original code and is itself a useful fingerprint).
  • Two 32-byte hex constants adjacent in .text.
  • Capa hits: create TCP socket, receive data, hash data using SHA256, compress data using GZip in .NET, decode data using Base64 in .NET.
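The static fingerprints above, turned into a triage scanner, as an added example that is not code from the note or from any project. It searches a file image for the listed identifiers (UTF-8, as they sit in the metadata #Strings heap) and for 64-hex-digit runs in both ASCII and UTF-16LE (C# string literals live in the #US heap as UTF-16LE), then flags two such runs lying within a window of each other. The window size, the marker list and the verdict rule are choices made for this example; SampleBlob and its key values are constructed test data, not the constants observed in real samples.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"unicode/utf16"
)

// Identifier strings the note lists as fingerprints. In a .NET assembly
// these sit UTF-8 encoded in the metadata #Strings heap, so a plain byte
// search finds them.
var markers = []string{
	"MessagePackLib", "Aes256", "HMACSHA256", "SslClient", "KeepAlivePacket",
	"SendSync", "HeaderSize", "ReadServertData", "MutexControl",
}

// A 32-byte key written as text is a run of 64 hex digits. C# string
// literals live in the #US heap as UTF-16LE (each digit followed by NUL),
// so both encodings are searched. A lone 64-hex run also matches any
// SHA-256 hash, which is why two runs close together are the signal.
var (
	hexASCII = regexp.MustCompile(`[0-9A-Fa-f]{64}`)
	hexUTF16 = regexp.MustCompile(`(?:[0-9A-Fa-f]\x00){64}`)
)

const keyWindow = 256 // bytes; assumed distance for two keys to count as adjacent

type KeyHit struct {
	Offset   int
	Encoding string // "ascii" or "utf16le"
	Hex      string
}

type Report struct {
	Markers       []string
	Keys          []KeyHit
	AdjacentPairs [][2]int // indexes into Keys
}

// Matches is the triage verdict: the namespace alone is decisive; otherwise
// several class names plus an adjacent key pair are required.
func (r Report) Matches() bool {
	for _, m := range r.Markers {
		if m == "MessagePackLib" {
			return true
		}
	}
	return len(r.Markers) >= 3 && len(r.AdjacentPairs) > 0
}

func decodeUTF16LE(b []byte) string {
	u := make([]uint16, 0, len(b)/2)
	for i := 0; i+1 < len(b); i += 2 {
		u = append(u, uint16(b[i])|uint16(b[i+1])<<8)
	}
	return string(utf16.Decode(u))
}

func Fingerprint(data []byte) Report {
	var r Report
	for _, m := range markers {
		if bytes.Contains(data, []byte(m)) {
			r.Markers = append(r.Markers, m)
		}
	}
	for _, loc := range hexASCII.FindAllIndex(data, -1) {
		r.Keys = append(r.Keys, KeyHit{loc[0], "ascii", string(data[loc[0]:loc[1]])})
	}
	for _, loc := range hexUTF16.FindAllIndex(data, -1) {
		r.Keys = append(r.Keys, KeyHit{loc[0], "utf16le", decodeUTF16LE(data[loc[0]:loc[1]])})
	}
	for i := range r.Keys {
		for j := i + 1; j < len(r.Keys); j++ {
			if d := r.Keys[j].Offset - r.Keys[i].Offset; d <= keyWindow && d >= -keyWindow {
				r.AdjacentPairs = append(r.AdjacentPairs, [2]int{i, j})
			}
		}
	}
	return r
}

func utf16le(s string) []byte {
	var out []byte
	for _, u := range utf16.Encode([]rune(s)) {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

// SampleBlob is constructed test data imitating an unobfuscated assembly:
// identifiers as UTF-8 and two string-literal keys as UTF-16LE. The key
// values are made up and are not the constants seen in real samples.
func SampleBlob() []byte {
	var b bytes.Buffer
	b.WriteString("MZ\x90\x00")
	b.WriteString("MessagePackLib.MessagePack\x00KeepAlivePacket\x00Aes256\x00")
	b.Write(make([]byte, 100)) // unrelated bytes
	b.Write(utf16le(strings.Repeat("0a1b2c3d", 8)))
	b.Write(make([]byte, 40))
	b.Write(utf16le(strings.Repeat("ffee0011", 8)))
	return b.Bytes()
}

func main() {
	r := Fingerprint(SampleBlob())
	fmt.Printf("markers=%v keys=%d adjacent=%d matches=%v\n",
		r.Markers, len(r.Keys), len(r.AdjacentPairs), r.Matches())
}
```

Run it over a whole directory of unpacked samples and the Keys field doubles as a key extractor: the hex values it reports are exactly what a session decryptor needs, and the Encoding field tells you whether the constant was a string literal or was already in byte form.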

Defensive Countermeasures

  • Network: Inspect outbound TLS for JA3/JA3S fingerprints typical of .NET SslStream (no SNI, or SNI matching the server cert CN if pinned). Because there is no HTTP layer, standard web-proxy inspection may miss the C2 unless TLS decryption is in place.
  • Host: The Client.Install class sets autorun registry keys and scheduled tasks. Sigma rules targeting schtasks + reg add within 60 seconds of a small .NET EXE launching are effective.
  • Memory: The MutexControl class creates a named mutex; volatile memory scans for this string in managed heaps are straightforward.
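The host-side rule in the list above, written out as correlation logic over process-creation events, as an added example that is not code from the note or from any Sigma rule set. It alerts when an EXE spawns both a `schtasks /create` and a `reg add` within 60 seconds of its own start. The "small .NET EXE" qualifier is left to the caller, since process logs do not carry file size or CLR-header information; the event shape and the sample events are constructed to resemble Sysmon event ID 1 fields, and the paths and command lines in them are made up.

```go
package main

import (
	"strings"
	"time"
)

// ProcEvent is a minimal process-creation record with the fields a Sysmon
// event ID 1 or EDR telemetry line carries. Constructed shape, not a
// vendor schema.
type ProcEvent struct {
	Time        time.Time
	Image       string
	CommandLine string
	ParentImage string
}

const window = 60 * time.Second // from the note's rule

type Alert struct {
	Parent   string
	Launched time.Time
	Evidence []string
}

func isSchtasksCreate(e ProcEvent) bool {
	return strings.HasSuffix(strings.ToLower(e.Image), `\schtasks.exe`) &&
		strings.Contains(strings.ToLower(e.CommandLine), "/create")
}

func isRegAdd(e ProcEvent) bool {
	return strings.HasSuffix(strings.ToLower(e.Image), `\reg.exe`) &&
		strings.Contains(strings.ToLower(e.CommandLine), " add ")
}

// Correlate returns one alert per launched EXE whose children include both a
// schtasks /create and a reg add within window of the parent's start. Events
// must be in time order. Narrowing the parent to small .NET images is a
// filter the caller applies from file metadata.
func Correlate(events []ProcEvent) []Alert {
	var alerts []Alert
	for i, p := range events {
		if !strings.HasSuffix(strings.ToLower(p.Image), ".exe") {
			continue
		}
		sawTask, sawReg := false, false
		var evidence []string
		for _, c := range events[i+1:] {
			if c.Time.Sub(p.Time) > window {
				break // sorted input: nothing later can be inside the window
			}
			if !strings.EqualFold(c.ParentImage, p.Image) {
				continue
			}
			switch {
			case isSchtasksCreate(c):
				sawTask = true
				evidence = append(evidence, c.CommandLine)
			case isRegAdd(c):
				sawReg = true
				evidence = append(evidence, c.CommandLine)
			}
		}
		if sawTask && sawReg {
			alerts = append(alerts, Alert{Parent: p.Image, Launched: p.Time, Evidence: evidence})
		}
	}
	return alerts
}

// SampleEvents is constructed telemetry: one dropper-like EXE that persists
// twice within seconds, and one installer that also uses both tools but
// minutes apart and so stays under the threshold.
func SampleEvents() []ProcEvent {
	t0 := time.Date(2026, 6, 3, 9, 0, 0, 0, time.UTC)
	drop := `C:\Users\u\AppData\Roaming\svc.exe`
	setup := `C:\Program Files\Vendor\setup.exe`
	return []ProcEvent{
		{t0, drop, `svc.exe`, `C:\Windows\explorer.exe`},
		{t0.Add(2 * time.Second), `C:\Windows\System32\schtasks.exe`,
			`schtasks /create /tn "svc" /tr "` + drop + `" /sc onlogon /f`, drop},
		{t0.Add(3 * time.Second), `C:\Windows\System32\reg.exe`,
			`reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d "` + drop + `" /f`, drop},
		{t0.Add(5 * time.Minute), setup, `setup.exe`, `C:\Windows\explorer.exe`},
		{t0.Add(5*time.Minute + 10*time.Second), `C:\Windows\System32\schtasks.exe`,
			`schtasks /create /tn "VendorUpdater" /tr "C:\Program Files\Vendor\update.exe" /sc daily`, setup},
		{t0.Add(7 * time.Minute), `C:\Windows\System32\reg.exe`,
			`reg add HKLM\Software\Vendor /v Installed /t REG_DWORD /d 1 /f`, setup},
	}
}
```

Keying the join on ParentImage rather than on a process GUID is a simplification; real telemetry should use the parent process identifier so that two copies of the same image do not share evidence.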

Cross-References