Concrete signature match: Trojan (appears legitimate but performs malicious actions) for the .NET (Microsoft Intermediate Language) platform, family AsyncRat
This detection identifies Trojan:MSIL/AsyncRat.ASY, a highly dangerous Remote Access Trojan (RAT) specifically targeting the .NET platform. AsyncRat allows attackers to gain full remote control over compromised systems, enabling surveillance, data exfiltration, and execution of arbitrary commands. The presence of specific PDB debugging paths in the detected file strongly confirms its identity as a malicious AsyncRat client.
Relevant strings associated with this threat:
- RAT\AsyncRat_0313\rat_Client\rat_pro\obj\Debug\rat_pro.pdb (PEHSTR_EXT)
- loader\x64\Release\Espio.pdb (PEHSTR_EXT)
rule Trojan_MSIL_AsyncRat_ASY_2147848530_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/AsyncRat.ASY!MTB"
        threat_id = "2147848530"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "AsyncRat"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = {25 26 26 28 ?? ?? ?? 06 25 26 02 20 60 01 00 00 28 ?? ?? ?? 06 02 8e 69 28} //weight: 1, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Hash values listed with this detection:
- 091867902dc7e6399ac313774512cff42bc097c4c20d5672e941fe50129af4a2
- 072ce701ec0252eeddd6a0501555296bce512a7b90422addbb6d3619ae10f4ff

Immediately isolate the affected system from the network to prevent further compromise or spread. Perform a full, deep scan with updated antivirus/EDR software to quarantine and remove all detected malicious files. Change all user and administrative credentials that may have been exposed, and conduct a thorough investigation to identify the initial infection vector.