Backdoor:MSIL/AsyncRAT!pz - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/AsyncRAT!pz
Classification:
Type: Backdoor
Platform: MSIL
Family: AsyncRAT
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !pz (packed or compressed to evade detection)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access) on the MSIL (.NET Microsoft Intermediate Language) platform, family AsyncRAT.

Summary:

This threat is a concrete detection of AsyncRAT, a highly dangerous Remote Access Trojan (RAT) built on the MSIL platform. It utilizes obfuscation (ConfuserEx), attempts to detect sandbox environments, establishes communication with a command-and-control server (188.227.57.46), and includes self-deletion capabilities, enabling full remote control over the compromised system.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - SbieDll.dll (PEHSTR_EXT)
 - \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
 - Plugin.Plugin (PEHSTR_EXT)
 - nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
 - cmd.exe /c ping 0 -n 2 & del (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - HttpDownloadFile (PEHSTR_EXT)
 - get_ExecutablePath (PEHSTR_EXT)
 - 188.227.57.46/folder/core_Hvovthzn.jpg (PEHSTR_EXT)
 - Hadgbbpi.Tynwpfgdqqzvie (PEHSTR_EXT)
 - uu.exe (PEHSTR_EXT)
 - Execute (PEHSTR_EXT)
 - Xub.Form1.resources (PEHSTR_EXT)
 - ConfuserEx v1.0.0 (PEHSTR_EXT)
 - dPqLCOBUxlULbXCvCT.BampERXWdA9jWLsito (PEHSTR_EXT)
 - nVF9ahaPwEAA3Eecev.PwSxkyla6Vn3H8imOI (PEHSTR_EXT)
 - cizbckj.Resources (PEHSTR_EXT)
 - RayCry5.2 (PEHSTR_EXT)
 - v4.My.Resources (PEHSTR_EXT)
 - cuckoomon.dll (PEHSTR_EXT)
 - SxIn.dll (PEHSTR_EXT)
 - cmdvrt32.dll (PEHSTR_EXT)
 - nolane.Resources.resources (PEHSTR_EXT)
 - AsyncRAT-Client.exe (PEHSTR_EXT)
 - WindowsApp1.g.resources (PEHSTR_EXT)
 - 007Stub.g.resources (PEHSTR_EXT)
 - 007Stub.Properties.Resources (PEHSTR_EXT)
 - Kanhal.Properties (PEHSTR_EXT)
 - AsyncRAT (PEHSTR_EXT)
 - dbxqlcuy.Resources (PEHSTR_EXT)
 - duukukfdcyeffdtm.Resources (PEHSTR_EXT)
 - B0B0B0B0/ (PEHSTR_EXT)
 - jpeeQ0IwxWktqBxo7a.m0isIZ1u0duW28n3D5 (PEHSTR_EXT)
 - kSmnWlJPHFVQDBjd1A.TvcOJ1GnlFaOE2lTvU (PEHSTR_EXT)
 - SelenaGomez.Program (PEHSTR_EXT)
 - Windo.Resources (PEHSTR_EXT)
 - ReD_Security.resources (PEHSTR_EXT)
 - <t.me/GhostHackersNetwork> (PEHSTR_EXT)
 - ://172.86.96.111:8080/Script.ps1 (PEHSTR_EXT)
 - powershell -ExecutionPolicy Bypass -File $localPath (PEHSTR_EXT)
 - /c schtasks /create /f /sc onlogon /rl highest /tn (PEHSTR_EXT)
 - masterKey can not be null or empty. (PEHSTR_EXT)
 - erp_proje.pdb (PEHSTR_EXT)
 - KoiVM.Runtime (PEHSTR_EXT)
 - BBbH.g.resources (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - Tiffy.Td9ny.resources (PEHSTR_EXT)
 - Patrick_Crypter_Stub.Form1.resou (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - Client.Modules.Keylogger (PEHSTR)
 - Client.Modules.Clipper (PEHSTR)
 - .Targets.Browsers (PEHSTR)
 - Passwords.Targets.System (PEHSTR)
 - Advanced_Calculator.Properties.Resources.resources (PEHSTR_EXT)
 - kbakc.exe (PEHSTR_EXT)
 - cmd.exe /c curl -o %temp%\ (PEHSTR_EXT)
 - powershell start -WindowStyle hidden %temp%\ (PEHSTR_EXT)
 - Mains.My.Resources (PEHSTR_EXT)
 - C:\Users\Public\main (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 - /main (PEHSTR_EXT)
 - hxca.exe (PEHSTR_EXT)
 - Net.exe (PEHSTR_EXT)
 - vtkntsybummgbuek.Resources (PEHSTR_EXT)
 - rkxkkflfzhejxsp.Resources (PEHSTR_EXT)
 - Services.exe (PEHSTR_EXT)
 - ProcessHacker.exe (PEHSTR_EXT)
 - exe.rekcaHssecorP (PEHSTR_EXT)
 - injector.exe (PEHSTR_EXT)
 - AsyncRAT 0.4 (PEHSTR_EXT)
 - dqqitdai.b0p (PEHSTR_EXT)
 - /C choice /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
 - ^l'y/ (SNID)
 - C:\windows\temp\Client1.bin (PEHSTR_EXT)
 - Apollo Justice Script Editor (PEHSTR_EXT)
 - AsyncClient.exe (PEHSTR_EXT)
 - nnn.exe (PEHSTR_EXT)
 - schtasks /Create /SC MINUTE /MO 15 /TN (PEHSTR_EXT)
 - MyLoader.bat (PEHSTR_EXT)
 - CollapseCheck_protectedv.exe (PEHSTR_EXT)
 - C:\Path\To\YourApp.exe (PEHSTR_EXT)
 - cw.rowlqig.cn (PEHSTR_EXT)
 - Users\Public\Downloads\%s (PEHSTR_EXT)
 - Microsoft.VisualBasic.Devices (PEHSTR_EXT)
 - ClientAny.exe (PEHSTR_EXT)
 - /c schtasks /create /f /sc onlogon /ru system /rl highest /tn (PEHSTR_EXT)
 - EmptyClean.exe (PEHSTR)
 - AsyncRAT | Disbale Defender (PEHSTR_EXT)
 - Plugins\Wallets.dll (PEHSTR_EXT)
 - Cmd / Powershell (PEHSTR_EXT)
 - HKEY_CURRENT_USER\SOFTWARE\AsyncRAT (PEHSTR_EXT)
 - //127.0.0.1/payload.exe (PEHSTR_EXT)
 - KDF62DFJFJFF26J.bat (PEHSTR_EXT)
 - taskkill /F /im svchost.exe (PEHSTR_EXT)
 - \DiscordNukeBot\x64\Release\1.pdb (PEHSTR_EXT)
 - \sharescreen\x64\Release\sharescreen.pdb (PEHSTR_EXT)
 - /hatthgola.vmp.dll (PEHSTR_EXT)
 - 7>\+D7r4(qHc@3w95'Dd)gutJ$.resources (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - ttp://139.162.22.35/1.bat (MACROHSTR_EXT)
 - .resources (PEHSTR_EXT)
 - TournamentTrackerUI.DashBoard.resources (PEHSTR_EXT)
 - RatDownload\x64\Release\RatLoader.pdb (PEHSTR_EXT)
 - download/Realease (PEHSTR_EXT)
 - xspymain.github.io (PEHSTR_EXT)
 - AsyncClient.g.resources (PEHSTR_EXT)
 - Stub.exe (PEHSTR_EXT)
 - coposProject.forgotpasswordForm.resources (PEHSTR_EXT)
 - coposProject.statisticsForm.resources (PEHSTR_EXT)
 - coposProject.historyForm.resources (PEHSTR_EXT)
 - coposProject.startFormTwo.resources (PEHSTR_EXT)
 - coposProject.startFormThree.resources (PEHSTR_EXT)
 - coposProject.ucInventoryEmployee.resources (PEHSTR_EXT)
 - coposProject.ucSalesEmployee.resources (PEHSTR_EXT)
 - coposProject.ucSalesReceiptEmployee.resources (PEHSTR_EXT)
 - coposProject.ucReceiptPo.resources (PEHSTR_EXT)
 - coposProject.ucInventory.resourcesd (PEHSTR_EXT)
 - coposProject.userControl.purchaseOrderUc.resources (PEHSTR_EXT)
 - Bookings_056_07.exe (PEHSTR_EXT)
 - Gyazo: Screen Uploader (PEHSTR_EXT)
 - http://144.172.116.121/uiu/Awuolavee.mp3 (PEHSTR_EXT)
 - \NjRat (PEHSTR_EXT)
 - CCCCCCCCCCCCCCCCCCCCCCCCCCCC.Resources.resources (PEHSTR_EXT)
 - WindowsApp3jj.Resources.resource (PEHSTR_EXT)
 - D$v:\wiH (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware (SHA-256) associated with this threat:
 - c74570ce6c2404601a18bdc38b0a8dfd85a08e425bdf4821cd1c05a3f926c938 (31/01/2026)
 - e5aa89a4fb9f95459baae23bed0ea522ec251b18a1e2c5650b845b26d7bda9ef (29/01/2026)
 - 079e99c669428e7b65656f2cb0eefc9a31e22dd720cad20c1d1490fc9c1a9d22 (29/01/2026)
 - Filename: Client.exe, 771ffd8cb7ae3f948e51745ba8ba1e4192fab63342bac75c465ac91b146c78c7 (16/01/2026)
Remediation Steps:
Immediately isolate the infected system from the network. Perform a full system scan with updated endpoint protection, removing all detected malware files and persistence mechanisms. Reset all user credentials associated with the device and conduct a thorough investigation for lateral movement or data exfiltration. Consider re-imaging the system for complete remediation.
=== END REPORT ===
This analysis was last updated on 15/01/2026.