Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family AsyncRat
This is a concrete detection of AsyncRAT, a known Remote Access Trojan that establishes persistence via registry Run keys, executes commands through MSBuild.exe, and communicates with remote C2 servers for unauthorized access.
Relevant strings associated with this threat:
- Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
- ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
- Set fso = CreateObject("Scripting.FileSystemObject") (PEHSTR_EXT)
- & "\ (PEHSTR_EXT)
- .xml" (PEHSTR_EXT)
- Set object_Shell = CreateObject("Shell.Application") (PEHSTR_EXT)
- object_Shell.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", (PEHSTR_EXT)
- COM Surrogate (PEHSTR_EXT)
- trevnoC.metsyS (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- TripleDESCryptoServiceProvider (PEHSTR_EXT)
- https://ufile.io/rftaeqtc (PEHSTR_EXT)
- Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- http://serverupdates48.ga/test (PEHSTR_EXT)
- HttpWebRequest (PEHSTR_EXT)
- CarRentalSystem\obj\Debug\Dash.pdb (PEHSTR_EXT)
- crypted.exe (PEHSTR_EXT)
- sqkpikos.pdb (PEHSTR_EXT)
- HCS Computers & Laptops (PEHSTR_EXT)
- Client.Install (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- System.Windows.Forms (PEHSTR_EXT)
- System.Reflection (PEHSTR_EXT)
- B.text (PEHSTR_EXT)
- setUTCMinutesTU Jurassic.Library.JSFunctionFlags (PEHSTR_EXT)
- calc_pro.Form1.resources (PEHSTR_EXT)
- payload.exe (PEHSTR_EXT)
- get_Computer (PEHSTR_EXT)
- Dotfuscated\windwos.pdb (PEHSTR_EXT)
- windwos.My (PEHSTR_EXT)
- 134.122.133.49 (PEHSTR_EXT)
- Client.bin (PEHSTR_EXT)
- Select * From Win32_ComputerSystem (PEHSTR_EXT)
- Dotfuscated\CryptoObfuscator_Output\v4.pdb (PEHSTR_EXT)
- v4.Resources.resources (PEHSTR_EXT)
- windwos.pdb (PEHSTR_EXT)
- petrolmanagementsystem.Supplier_withdraw_pump_bank_detail.resources (PEHSTR_EXT)
- \x64\Release\WechatAnd.pdb (PEHSTR_EXT)
- windwos\bin\Debug\Dotfuscated\windwos.pdb (PEHSTR_EXT)
- 9ubmFjIG1hcmdvcnAgc2loVCHNTAG4Ic (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForSoftwarePacking.C!pli (PEHSTR_EXT)

Associated hashes:
- 81e7fa249c5a779dfb397d80ed5d85b4718e6b94bb2cec78adfedb3b7732cce8
- 643a8d498034a4c14b984a251780379cd9a11c0fc1403c1263663669614a61c9
- cb2830ef60073f309cb1c45a5097735b05ea4874e930429fcab9e2b430fca172
- 3dbaf616dcaacfcf66909b7a3404d1536f9e0d230b3b59934f1ccc6fe3e20554
- 7adeac778393f2889190521e4a72153903bff700790a50d76f6d4df05f99ca83

Recommended remediation:
Isolate the system, delete regsvr32123.exe and related artifacts, remove the registry Run key entries, and perform a credential reset due to the potential remote access compromise.