Skip to main content

Analyzing AsyncRAT distributed in Colombia by Blind Eagle

· 12 min read
Jose Luis Sánchez Martínez


During 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and RATs used by this same group and other cybercriminal groups such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention and I wanted to analyze them to see what is new.

Therefore, during this entry we will go through the analysis of a sample of AsyncRAT distributed in Colombia during the last month.


The objective of the analysis is to provide information on the execution of the binary, genealogy and other stuff, not to go into the details of the static part.



The basic static information of the sample to be analyzed is shown in the table below.

File nameStub.exe
TypePE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
File size45.00 KB (46080 bytes)


After verifying that the binary was C#, I decided to perform a small analysis of the code to check some of the actions that the malware should do once executed, before executing it on my systems.


If we go to the Main function, which is the one defined in the entry point, we see that it contains the structure shown in the following image.


The binary will check a series of conditions to verify if it is being executed among other things in a virtual environment or not, and depending on the results, it will continue its normal flow or kill the process.

The first check is to verify if a series of settings established in the code, among which are the key, pastebin URL, version, etc.


Secondly, it tries to create a mutex and stop similar processes of the same sample that may be running.


It then performs several checks to identify the context where it is running (mainly to see if it is a virtual machine or a sandbox). Different anti-analysis techniques are put in place.

The first of all is related to the DetectManufacturer method which aims to see if the system is related to Vmware, VirtualBox, or virtualized in general.


The next thing is to check if a debugger exists in the context of AsyncRAT. To do this, it makes use of the isDebuggerPresent API.


Next, the check is focused on seeing if the system where it was executed is the known sandboxie, to check it, tries to identify if the DLL SbieDll.dll is running.


The next check it performs is on the system disk capacity. In this case, it checks if the disk is less than 61000000000L (56.8 GB). If it is, it returns false.


The last thing it performs in this set of checks is to identify if the operating system is Windows XP with a simple method.


It also aims to generate persistence in the system. To do this, it checks if the context of the process was launched with privileges, if so, it will make use of schtasks.exe to create a task. Otherwise, if the context is not found with administrator permissions, it will try to modify the registry key Software\Microsoft\Windows\CurrentVersion\Run to execute a copy of itself create in the %appdata path.


After this, the sample copies itself into the %appdata% directory and will create a .bat file to first launch a timeout, run the sample from %appdata% and delete the .bat file.


The last interesting activity is to establish communications with the C2 through the ClientSocket.Reconnect(); and ClientSocket.InitializeClient(); methods.


The sample can perform many other actions once it is deployed in the environment. For example, the Client.Helper.IdSender class has a method called sendInfo which is responsible for sending information from the operating system to the C2.


Going into detail of each class could take a long time, and in this case, the goal is to analyze the behavior once executed, so I leave a small image of a part of the classes and methods that incorporates the sample and we will perform an analysis of the behavior.



high level processes events


Now it is time to detonate the malware in a controlled environment to verify the behavior of the malware. In this case, I did different executions with and without administrator permissions to see how the sample behaved. I did this because in the static part we have seen that the behavior could vary depending on whether it was executed in the administrator context.

privileged execution - Genealogy


non-privileged execution - Genealogy


As can be seen, there are some differences when the sample was executed with privileges and when not. For example, in the first image, which corresponds to the execution with privileges, there are 3 additional processes which are the following.

|_ cmd.exe (7380)
|_ Conhost.exe (8972)
|_ schtasks.exe (4152)

This is because the execution of the process 7380 cmd.exe, is the behavior related to setting the scheduled task. However, if the sample is run without administrator permissions, the scheduled task cannot be generated.

We are going to go into detail about the processes to see the main actions they performed and that could be of interest in order to generate some kind of detection or identification of patterns. To do this, we will focus on the execution with administrator permissions and in case there is something different in the other execution, it will be named.

Stub.exe - 2740


This is the AsyncRAT sample. The execution was performed with administrator privileges.

This process, as we saw before, would be in charge of creating certain files in the system. First of all, what it does is to create in the %appdata% directory a copy of itself.


Then, it creates the batch file also in %appdata%, which will be executed later to perform different actions in the operating system.


As for registry keys, there is no significant activity.


Different behavior in the sample run without privileges.

However, in the case of unprivileged execution, there would be a modification in the registry keys for persistence, using the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker.


cmd.exe - 7380

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"' & exit

This process is basically in charge of launching the schtasks.exe binary. It is important to mention, as we are seeing and will see throughout the analysis, that since this is a 32bit sample, the executions will be related to the C:\Windows\SysWOW64\ directory.


This process will not exist when running AsyncRAT without administrator permissions.

schtasks.exe - 4152

schtasks  /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"' 

The task is generated in the system to be executed at each login of any user with administrator permissions.

/f -> A value that forcefully creates the task and suppresses warnings if the specified task already exists.
/sc onlogon -> In each login
/rl highest -> Max privileges
/tn "Runtime Broker" -> Task name
/tr "C:\Users\lab\AppData\Roaming\Runtime Broker.exe" -> Task run to execute


cmd.exe - 8840

C:\Windows\system32\cmd.exe /c ""C:\Users\lab\AppData\Local\Temp\tmp3959.tmp.bat""

This process is in charge of executing the bat file that was created during the execution of the Stub.exe binary. It is important to mention that the name of the batch file varies according to the execution, however, the pattern is always the same. The following RegEx would work to detect this.



timeout.exe - 6272

timeout  3 

The malware uses a timeout of 3 seconds before it starts performing the rest of the actions.

Runtime Broker.exe - 4080

"C:\Users\lab\AppData\Roaming\Runtime Broker.exe" 

As can be seen from the name of the process, the malware tries to impersonate the legitimate Microsoft Windows binary runtimebroker.exe. However, it can be noticed in this case that there is a space between the two words.

Here the communication with the C2 server is established. The ports used in this case are 8808, 7707 and 6606. The destination IP address is 217.195.197[.]70.


On the other hand, another indicator that could help us to identify the sample and the family during the analysis is the Mutex used, which in this case is AsyncMutex_6SI8OkPnk.


During the execution of Runtime Broker.exe, I proceeded to extract the .NET assembly from memory to verify if it was the same Stub.exe binary analyzed later or if it presented some difference when is launched. During this extraction, the following assemblies were obtained from memory.

File nameSHA1Comments
aB.exe76AF794B85E4A4BA75C5703DF1207B7A6798BF2ESame sample as Stub.exe
MessagePackLib.dll16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143EAt the time of analysis, 41/68 engines in VT detect it as malicious. Different family names.
Recovery.dll93E9469789A4ECD28E30006D1CE10DBFFBD36D7CAt the time of analysis, 44/68 engines in VT detect it as malicious. Code protected by Reactor.
System.Data.SQLite.dllB9D5AF76D8DF1C4EE4CCBA33B2AFA8300952D923Mixed-mode assembly for System.Data.SQLite. More information here.
Newtonsoft.Json.dllE68B369BC131A32D5233EE395F47B337C2469042Json.NET is a popular high-performance JSON framework for .NET


The assembly aB.exe is the same Stub.exe file, which in turn is also Runtime Broker.exe.


This DLL does not contain any packers or code protectors. 41 out of 68 VT engines detect this DLL as malicious.


Taking a look at the assembly, you can see that the class structure does not seem to be very complex, and with a little patience you could identify its functionality (if you are interested in the sample, ask me privately).



In this case, it has been possible to verify the existence of Reactor, called by itself as a .NET code protection as can be seen on its website.


As for the assembly, it can be verified that there is a protection of the code, since many strings and classes are randomized at the moment of observing their possible logic.


In a process of trying to remove the code protection, it is possible to see in a more readable way part of the code, identifying messages of actions that the assembly could try, in this case as seen in the image, related to the obtaining of Firefox cookies.


High level graph

In order to have a graphical view of the most important events that take place during the execution of AsyncRAT, a behavior graph has been elaborated where the events generated in the system during its execution can be seen.


Diamond model



TechniqueKill chain phaseDiamond vertexComments
T1566.001 - Phishing: Spearphishing AttachmentDeliveryCapabilityEmail with ZIP file attached
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderInstallationCapabilitySet registry key if non-privileged user executes the payload
T1053.005 - Scheduled Task/Job: Scheduled TaskInstallationCapabilityCreates new scheduled task if privileged user executes the payload
T1036.005 - Masquerading: Match Legitimate Name or LocationExecutionCapabilityWrites itself as a file named Runtime Broker.exe saved in %APPDATA%
T1571 - Non-Standard PortC2InfrastructureUse the ports 8808, 7707 and 6606 for communication
T1059.003 - Command and Scripting Interpreter: Windows Command ShellExecutionCapabilityExecutes batch file created previously
T1027 - Obfuscated Files or InformationExploitationCapability.NET Reactor is used for code protection
T1095 - Non-Application Layer ProtocolC2InfrastructureTCP is used for C2 communications


  • 217.195.197[.]70 through 6606, 7707, 8808 ports
  • 76AF794B85E4A4BA75C5703DF1207B7A6798BF2E
  • 16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E
  • 93E9469789A4ECD28E30006D1CE10DBFFBD36D7C
  • Mutex AsyncMutex_6SI8OkPnk

Sigma rules

The sigma rules created are specifics for this payload. There will be different payloads used by AsyncRAT with the same name or different. Is important to mention that the original filename embbeded in this case is Stub.exe. This is interesting because if the adversaries create new payloads, maybe the original filename will still being the same.

title: Detect AsyncRAT persistence with schtasks based on specific payload
id: 4410f0ad-3a1c-4e21-9e3a-fa55336aa123
description: Detect the execution of the AsyncRAT payload to launch schtask for persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
product: windows
category: process_creation
ParentImage|endswith: 'Stub.exe'
Image|endswith: '\cmd.exe'
- 'schtasks '
- '\AppData\Roaming\'
- '.exe'
condition: parent_selection and selection1
- Unknown
level: medium
- attack.persistence
- attack.T1053.005
title: Detect AsyncRAT execution based on specific payload
id: ac891380-958b-4c08-a77d-8e149d63d741
description: Detect the execution of the AsyncRAT payload to establish registry key for persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
product: windows
category: registry_set
EventType: SetValue
Image|endswith: 'Stub.exe'
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\'
Details|contains: '.exe'
condition: selection
- Unknown
level: medium
- attack.persistence
- attack.t1547.001

In the original Sigma repository, there are a large number of generic rules that can help in the detection of this malware.