AsyncRAT
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 4,311 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 307 |
| First Seen: | February 6, 2019 |
| Last Seen: | May 14, 2026 |
| OS(es) Affected: | Windows |
The AsyncRAT is a project that seems to have been developed with educational purposes, or at least that is what its creator is claiming on their GitHub page. The AsyncRAT’s code is available on the previously mentioned GitHub page publicly. Once malware experts reviewed the code, it quickly became clear that the AsyncRAT can serve as a very threatening tool if it falls in the hands of ill-willing individuals.
Table of Contents
Capabilities
The AsyncRAT is not too different from most RATs out there, but this does not make it any less threatening. This threat is able to record your keystrokes as it possesses a keylogging module. This is usually used to collect login credentials and other sensitive data. The AsyncRAT can also record video via the webcam on the compromised system, as well as record audio using the microphone. This RAT also sports an info stealer feature, which allows the AsyncRAT to gather information from messaging services, Web browsers and FTP clients. Furthermore, the AsyncRAT can view, download, and upload files on the infected PC, which means that it can not only collect copies of your files, but it also can plant additional malware.
The real danger in the AsyncRAT hides not its capabilities, however, but in the fact that its creator has made this threat available publicly. This means that any shady individual, even the ones with zero technical skills, can weaponize this threat and use it to cause great harm to unsuspecting users. An even scarier scenario is when we imagine that highly-skilled cybercriminals can take the code of the AsyncRAT and further weaponize this threat to make it even more threatening. It is time to users realize that they need to take their cybersecurity very seriously as threats like the AsyncRAT are lurking all around the Web. Download and install a genuine anti-spyware tool, which will keep threats like the AsyncRAT at bay and give you peace of mind.
Analysis Report
General information
| Family Name: | Trojan.AsyncRAT |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
5a6d4e07856b64b15a5640c15315a601
SHA1:
4314859fa3713e2a74627b4ffa1b543847c0b918
SHA256:
5BA402708E936DB5C17F165C94EBB11EF459F472CBF32AAB8E5B6704860E5F9B
File Size:
1.42 MB, 1421253 bytes
|
|
MD5:
6b0ad984a7622e1fae72db821b65fe8c
SHA1:
a40696bc65d1967fd4fa359f2873eaf18ca8162f
SHA256:
AA643736F8D14995E3D175AEA01C10DD5CA69355BCFF218000A281344A834E45
File Size:
3.33 MB, 3333120 bytes
|
|
MD5:
6891ad64be276d61bbc2f903b99c0360
SHA1:
43b139bb7972cbf5101ebd0c397b157e438230f4
SHA256:
8A7BC99E972221F1AFA4024789EC0F3F23875AFC250BD1D41DA26D7DF75AF17C
File Size:
3.27 MB, 3265536 bytes
|
|
MD5:
3dd5c4df8024954b7cf424e170baf7af
SHA1:
11c6d66bcd54a3fb8a3dd93f001492e88de25187
SHA256:
8CDB00E3E157F21A13E73DD32F04C1A110C4A54BFB2B705DC9878EDC3490E525
File Size:
3.27 MB, 3265536 bytes
|
|
MD5:
bfa17b3b8e38cc507437d11ec57accc6
SHA1:
b6d2c955271cd6ba957feea0d77927aa5ed78a22
SHA256:
FE2CBBF49BF89602CA6E306CF3B0289A4A50A3BC6B66424B5669DD2C52DFB376
File Size:
3.27 MB, 3265536 bytes
|
Show More
|
MD5:
b0046381ba701f479d20f1893ed153bb
SHA1:
0b831e11ae3020431a6b6c5abf8c559fe7984e30
SHA256:
3A01E6F5AB9E9F0CC3DD1589D573816EBCE6D01178777F1B6339D1E25BECD047
File Size:
3.32 MB, 3320832 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have security information
- File has exports table
- File is .NET application
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
Show More
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Assembly Version |
|
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Name |
|
| Legal Copyright |
|
| Legal Trademarks |
|
| Original Filename |
|
| Product Name |
|
| Product Version |
|
File Traits
- .NET
- HighEntropy
- Run
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 14,560 |
|---|---|
| Potentially Malicious Blocks: | 308 |
| Whitelisted Blocks: | 14,252 |
| Unknown Blocks: | 0 |
Visual Map
x
x
x
x
0
0
x
x
x
x
x
x
x
0
0
0
x
0
x
x
0
x
x
x
0
x
x
0
x
x
x
x
0
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
0
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
0
x
x
x
0
x
0
0
0
0
0
x
x
0
0
0
0
0
0
x
x
0
0
0
0
0
0
x
x
x
x
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
0
x
0
x
x
x
x
0
0
0
0
0
x
x
x
x
x
0
x
x
x
x
x
x
x
x
x
0
x
0
x
0
0
0
0
x
0
0
x
x
0
0
x
x
x
x
x
x
x
x
x
x
x
0
x
x
x
x
x
0
0
0
x
0
0
x
0
0
0
0
x
0
x
x
0
0
x
0
x
x
x
x
0
x
0
0
x
x
x
0
x
x
x
x
x
x
0
x
0
x
x
x
x
0
0
x
x
0
0
x
0
0
x
x
x
x
x
0
x
0
0
0
0
x
x
x
x
x
x
x
x
x
x
x
x
0
0
0
0
x
x
x
x
x
x
x
x
0
x
x
x
x
x
x
x
x
0
x
x
x
x
0
x
x
x
0
x
x
x
x
x
x
x
x
x
x
0
x
x
x
0
x
x
x
0
x
0
x
x
0
x
x
x
x
0
x
x
x
x
x
0
x
x
0
0
0
x
0
0
0
0
x
0
0
x
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
0
x
0
0
0
0
x
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
x
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
x
0
0
x
x
x
x
x
0
0
x
x
x
x
0
x
x
x
x
0
x
0
0
x
0
x
0
0
0
x
x
0
x
0
x
0
0
0
0
x
x
x
x
0
0
0
x
x
x
x
0
0
0
0
x
0
0
x
x
0
x
x
0
x
x
x
x
0
x
x
x
x
0
x
x
0
x
x
x
x
0
x
0
x
0
x
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- MSIL.Mardom.SF
- MSIL.Quasar.B
- MSIL.Quasar.CA
- MSIL.Quasar.CB
- MSIL.Spy.RC
Show More
- MSIL.Spy.RCB
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| c:\users\user\appdata\local\temp\rarsfx0\0c3ec305-c0b2-settingsmanager.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\0c3ec305-c0b2-settingsmanager.exe | Synchronize,Write Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\__tmp_rar_sfx_access_check_2926078 | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\rarsfx0\minecraftmodsphoto.jpg | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\rarsfx0\minecraftmodsphoto.jpg | Synchronize,Write Attributes |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Anti Debug |
|
| User Data Access |
|
| Keyboard Access |
|
| Syscall Use |
Show More
|
| Other Suspicious |
|
| Encryption Used |
|
