Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family AsyncRAT
This is a concrete detection of AsyncRAT, a .NET-based Remote Access Trojan (RAT). The malware establishes persistence via the registry, communicates with a command-and-control server (188.227.57.46) to execute commands and download additional payloads, and uses obfuscation and anti-analysis techniques to evade detection.
Relevant strings associated with this threat:
Immediately isolate the host from the network. Perform a full system scan to remove all malicious components. Block the C2 IP address (188.227.57.46) at the firewall and reset all user credentials associated with the compromised machine.