Type: entity
Confidence: high
Created: 2026-06-03
Updated: 2026-06-05
Tags: malware-family, rat, dotnet, c2, persistence, defense-evasion, cryptominer, obfuscation

AsyncRAT

Overview

AsyncRAT is an open-source remote-access trojan (RAT) written in C# targeting .NET Framework. The project surfaced on GitHub (NYAN-x-CAT/AsyncRAT-C-Sharp) and was subsequently forked by multiple actors. The builder generates small (< 100 KB) PE32 .NET clients that use TLS-wrapped TCP C2, AES-256-HMAC encryption, and MessagePack framing. The family is frequently observed un-obfuscated (builder default) or lightly obfuscated with open-source tools.

Build-Stack Typically Observed

  • Language: C# (Visual Studio / MSBuild) ^[sample abf498a1/strings.txt:495-497]
  • Framework: .NET Framework 4.x Client Profile (CLR v4.0.30319) ^[sample abf498a1/strings.txt]
  • Obfuscation: Often none (default builder output). When obfuscation is used, it is typically ConfuserEx or Eazfuscator, not SmartAssembly.
  • Import table: Minimal — only mscoree.dll._CorExeMain ^[sample abf498a1/pefile.txt:255]
  • Sections: .text, .rsrc, .reloc (3 sections, classic .NET assembly layout) ^[sample abf498a1/pefile.txt:76-137]
  • Signing: Unsigned in all observed samples.
  • Masquerade: Per-campaign version-info forgery (e.g., "Amazon Web Services / Kiro Setup", "AU88APP"). ^[sample abf498a1/exiftool.json]

Deploy / TTPs Typically Observed

  • C2 Protocol: TLS-wrapped TCP socket (SslClient / TcpClient), MessagePack-framed commands, keepalive packets (KeepAlivePacket, Ping, ActivatePong). Server certificate validated via RemoteCertificateValidationCallback. C2 host may be hardcoded (caza.it.com in d3bb6eb4) or retrieved via Pastebin (builder option). ^[sample abf498a1/strings.txt], ^[/intel/analyses/d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce.html]
  • Cryptography: AES-256-CBC with HMAC-SHA256 auth (Aes256, HMACSHA256 classes). One or two hardcoded 32-byte hex constants typically found in .text as key material or salt. ^[sample abf498a1/strings.txt:35,41], ^[sample d3bb6eb4/strings.txt:23]
  • Persistence: Registry Run key (SetRegistry, RegistryValueKind) and schtasks scheduled task creation (4 matches in capa). ^[sample abf498a1/capa.txt:131-132], ^[sample d3bb6eb4/capa.txt:131-132]
  • Anti-Analysis: DetectDebugger, DetectSandboxie, CheckRemoteDebuggerPresent, IsDebuggerPresent, RtlSetProcessIsCritical, SetThreadExecutionState. ^[sample abf498a1/capa.txt:79-85], ^[sample d3bb6eb4/capa.txt:79-85]
  • System Discovery: Hostname, OS version, processor count, disk size, username, integrity level, file/directory enumeration, installed AV (via WMI). ^[sample abf498a1/capa.txt:15-31], ^[sample d3bb6eb4/capa.txt:15-31]
  • Process Manipulation: Create process (with redirected I/O), terminate process, enumerate processes, create/suspend thread, enter debug mode. ^[sample abf498a1/capa.txt:71-76, 83-84], ^[sample d3bb6eb4/capa.txt:71-76, 83-84]
  • Data Compression: GZip compression of C2 traffic / payloads (present in some siblings, absent in d3bb6eb4). ^[sample abf498a1/capa.txt:91-92]
  • Dynamic C2 Hosts: Pastebin string present in multiple siblings; hardcoded domain caza.it.com observed in d3bb6eb4. ^[sample abf498a1/strings.txt:283], ^[/intel/analyses/d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce.html]
  • Plugin System: Plugin.Plugin, savePlugin, sendPlugin — modular runtime extension observed in d3bb6eb4. ^[/intel/analyses/d3bb6eb48a3fe9e88970bec3c3ac03a0631d9e1bbb06fc4b4bf675e1d70405ce.html]
  • Optional Modules: Some siblings include keylogger (LowLevelKeyboardProc, offlineKL, SetWindowsHookEx, WHKEYBOARDLL). Stripped builds (abf498a1, d3bb6eb4) lack this module. ^[sample 045c7c54/strings.txt]

Variants / Aliases

  • AsyncRAT C# (open-source builder)
  • AsyncRAT v0.5.x — observed string sets match open-source v0.5.7b tag.
  • Forks with minor namespace changes exist in the wild but retain MessagePackLib and Client.Install.
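The following is an added triage example (not part of this profile and not the AsyncRAT project's own code) that turns the string markers listed under "Deploy / TTPs Typically Observed" and the two names the Variants note says forks retain (MessagePackLib, Client.Install) into a scorer for a strings dump. The category grouping, the weights behind the verdict, the 64-hex-character check standing in for the 32-byte key/salt constants, and the sample strings dumps are all constructed for illustration; the verdict thresholds are an assumption, not a published detection rule.

```python
import re
from collections import defaultdict

# Markers from the profile, grouped by the TTP they evidence.
MARKERS = {
    "c2-protocol": ["SslClient", "TcpClient", "MessagePackLib", "KeepAlivePacket",
                    "Ping", "ActivatePong", "RemoteCertificateValidationCallback"],
    "crypto": ["Aes256", "HMACSHA256"],
    "persistence": ["SetRegistry", "RegistryValueKind", "schtasks", "Client.Install"],
    "anti-analysis": ["DetectDebugger", "DetectSandboxie", "CheckRemoteDebuggerPresent",
                      "IsDebuggerPresent", "RtlSetProcessIsCritical", "SetThreadExecutionState"],
    "dynamic-c2": ["pastebin"],
    "plugin": ["Plugin.Plugin", "savePlugin", "sendPlugin"],
    "keylogger": ["LowLevelKeyboardProc", "offlineKL", "SetWindowsHookEx", "WHKEYBOARDLL"],
}

# Names the profile says forks keep even when namespaces are changed.
CORE_MARKERS = {"MessagePackLib", "Client.Install"}

# One token-bounded, case-insensitive pattern per marker, so "Ping" does not fire on "mapping".
_PATTERNS = {
    m: re.compile(r"(?<![A-Za-z0-9])" + re.escape(m) + r"(?![A-Za-z0-9])", re.IGNORECASE)
    for markers in MARKERS.values() for m in markers
}

# A 32-byte constant rendered as 64 hex characters (key or salt material in .text).
HEX32 = re.compile(r"\A[0-9a-fA-F]{64}\Z")


def triage(strings):
    """Score a list of extracted strings; returns categories hit, hex constants, and a verdict."""
    hits = defaultdict(set)
    hex_constants = []
    for raw in strings:
        s = raw.strip()
        if HEX32.match(s):
            hex_constants.append(s)
            continue
        for category, markers in MARKERS.items():
            for m in markers:
                if _PATTERNS[m].search(s):
                    hits[category].add(m)
    categories = {c: sorted(ms) for c, ms in hits.items()}
    seen = set().union(*hits.values())
    core = CORE_MARKERS <= seen
    # Assumed heuristic: both retained names plus transport and crypto markers -> likely AsyncRAT.
    if core and "c2-protocol" in categories and "crypto" in categories:
        verdict = "likely-asyncrat"
    elif len(categories) >= 2:
        verdict = "suspicious-dotnet-rat"
    else:
        verdict = "no-asyncrat-markers"
    return {"categories": categories, "hex_constants": hex_constants,
            "core_markers": core, "verdict": verdict}


# Constructed strings-dump excerpt resembling a stripped build; not from a real sample.
SAMPLE_STRINGS = [
    "mscoree.dll", "_CorExeMain", "v4.0.30319",
    "MessagePackLib.MessagePack", "Client.Install", "KeepAlivePacket", "ActivatePong",
    "Aes256", "HMACSHA256", "RemoteCertificateValidationCallback",
    "SetRegistry", "RegistryValueKind",
    "DetectSandboxie", "CheckRemoteDebuggerPresent",
    "https://pastebin.com/raw/PLACEHOLDER",
    "0123456789abcdef" * 4,  # constructed 64-hex-char constant, stands in for key/salt material
    "System.Runtime.CompilerServices", "shipping", "mapping",
]

# Constructed benign .NET strings: a lone generic token must not produce a verdict.
BENIGN_STRINGS = ["mscoree.dll", "_CorExeMain", "System.Windows.Forms", "mapping", "Ping"]

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_STRINGS), ("benign", BENIGN_STRINGS)):
        print(name, triage(dump))
```

The scorer is meant for the un-obfuscated or lightly obfuscated builds the profile describes; under ConfuserEx or Eazfuscator renaming most class and method names disappear, and only the structural markers (the lone mscoree.dll import, the three-section layout, the 64-hex-character constants) tend to survive, so treat an empty category map on a tiny .NET PE as "inconclusive", not "clean".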

Notable Analyses

  • abf498a1 — Kiro-masquerade stripped build (static deep-dive, no CAPE). ^[/intel/analyses/abf498a10e71a75dc718f6a899c8b1e9a3785d16ef3561e7c3a5c035f1dfd485.html]
  • 045c7c54 — sibling with keylogger (LowLevelKeyboardProc, offlineKL).
  • a41d0d35 — sibling, zui.exe, ~46 KB.
  • d3bb6eb4 — sibling, AU88APP.exe, ~27 KB (smallest observed).

Capabilities

  • aes256-hmac-sha256-encrypted-c2
  • tls-tcp-messagepack-framing
  • pastebin-dynamic-c2-resolution
  • hardcoded-domain-c2
  • registry-run-persistence
  • scheduled-task-persistence
  • anti-debug-checkremotedebuggerpresent
  • anti-sandbox-vmware-virtualbox-strings
  • rtlcriticalprocess-self-defense
  • preventsleep-threadexecutionstate
  • gzip-compressed-c2-traffic
  • base64-encode-decode
  • wmi-system-discovery
  • process-enumeration-termination
  • optional-keylogger-setwindowshookex
  • reflective-dotnet-assembly-loading
  • mutex-single-instance
  • plugin-system-modular-extension
  • builder-default-exposure

Related Entities / Techniques