
Dippin a toe into Malware

I have always been interested in malware analysis and threat intel, but I knew it wasn’t an easy lift, especially since I lack knowledge of the ocean of programming languages that exist. But I figured I have to start somewhere, and there has to be a ‘lite’ version of this, so to speak, that I can learn from. My idea was to find a strain of malware, find out how it works (after it has been analyzed by someone much smarter), see what I can learn, and then find out which interesting threat groups are using it.

AsyncRAT

First things first: where can I find some malware that has already been looked into, and get juicy info on it? My first go-to was AnyRun. I looked through “Top Today” on AnyRun's Threat Intelligence page and came across a malware named AsyncRAT; it was in the top 5 of their malware trends tracker with 61 daily activities as of February 3rd, 2026.

History

AsyncRAT started as a legitimate open source remote access tool that was released via GitHub in 2019 by a user known as “NYAN CAT”. AsyncRAT seems to have expanded far beyond its predecessor, Quasar RAT, introducing stealth and modularity. Source: Site

What I know

As its name suggests, AsyncRAT is a Remote Access Trojan (RAT), so when looking through these submissions I should be looking for the execution of a program and for network communication carrying commands to and from a Command and Control (C2) server.

I was able to find a plethora of public submissions with the AsyncRAT tag within AnyRun, some of which were not even a day old!

Analysis of an Analysis

The sample: Sample1

An executable (Ubuntu11.exe) reads system information from the registry, such as the computer name and supported languages.

It checks whether the machine has already been compromised via a MUTEX.

It drops 2 files:
"C:\Users\admin\AppData\Roaming\Ubuntu11.exe"
"C:\Users\admin\AppData\Local\Temp\tmp69E3.tmp.bat"

It alters the Windows startup registry key (HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), making the executable it dropped run at startup. Value: "C:\Users\admin\AppData\Roaming\Ubuntu11.exe"

The bat file runs timeout 3; this may be to delay execution so as not to look suspicious?
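To turn the behaviours listed above into something checkable, here is an added example that is not part of the original post and not code from AnyRun or AsyncRAT. The Python script scores a set of constructed, sandbox-style events against those behaviours: a Run key value pointing into AppData, a .bat dropped in Temp, mutex creation, a timeout delay, and a dropped file that executes and then connects out. The event format and field names, the mutex name, the destination IP (TEST-NET range) and the port are all made up for this example, and the rule weights and threshold are arbitrary choices, not a published scoring scheme.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sandbox-style events modelled on the behaviours the post lists for
# the Ubuntu11.exe sample. These lines are invented for this example (they are
# not AnyRun output); the mutex name, destination IP and port are placeholders.
SAMPLE_EVENTS = r'''
{"event": "registry_read", "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName"}
{"event": "mutex_create", "name": "CONSTRUCTED_MUTEX_NAME"}
{"event": "file_write", "path": "C:\\Users\\admin\\AppData\\Roaming\\Ubuntu11.exe"}
{"event": "file_write", "path": "C:\\Users\\admin\\AppData\\Local\\Temp\\tmp69E3.tmp.bat"}
{"event": "registry_set", "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "name": "Ubuntu11", "value": "C:\\Users\\admin\\AppData\\Roaming\\Ubuntu11.exe"}
{"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c C:\\Users\\admin\\AppData\\Local\\Temp\\tmp69E3.tmp.bat"}
{"event": "process_create", "image": "C:\\Windows\\System32\\timeout.exe", "cmdline": "timeout 3"}
{"event": "process_create", "image": "C:\\Users\\admin\\AppData\\Roaming\\Ubuntu11.exe", "cmdline": "C:\\Users\\admin\\AppData\\Roaming\\Ubuntu11.exe"}
{"event": "network_connect", "image": "C:\\Users\\admin\\AppData\\Roaming\\Ubuntu11.exe", "dst": "203.0.113.10", "port": 4444}
'''

# Doubled backslashes in the patterns match a single literal backslash.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bat$", re.IGNORECASE)
TIMEOUT_CMD = re.compile(r"^\s*timeout(\.exe)?\s+\d+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str      # short name of the behaviour matched
    weight: int    # arbitrary score contribution chosen for this example
    detail: str    # the value that triggered the rule


@dataclass
class Triage:
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(f.weight for f in self.findings)

    @property
    def rules(self) -> list:
        return sorted({f.rule for f in self.findings})

    @property
    def verdict(self) -> str:
        # The threshold of 5 is an arbitrary choice for this example.
        return "suspicious" if self.score >= 5 else "benign-looking"


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events: list) -> Triage:
    """Walk the events in order and correlate drops with later execution."""
    t = Triage()
    dropped = set()  # lower-cased paths written into user-writable locations
    for ev in events:
        kind = ev.get("event")
        if kind == "file_write":
            path = ev.get("path", "")
            if USER_WRITABLE.search(path):
                dropped.add(path.lower())
            if TEMP_BAT.search(path):
                t.findings.append(Finding("temp_bat_dropped", 2, path))
        elif kind == "registry_set":
            key, value = ev.get("key", ""), ev.get("value", "")
            # Persistence via the HKCU Run key pointing at a file under AppData.
            if RUN_KEY.search(key) and USER_WRITABLE.search(value):
                t.findings.append(Finding("run_key_appdata_persistence", 3,
                                          f'{ev.get("name")} -> {value}'))
        elif kind == "mutex_create":
            # Weak on its own: plenty of legitimate software creates mutexes.
            t.findings.append(Finding("mutex_created", 1, ev.get("name", "")))
        elif kind == "process_create":
            image = ev.get("image", "").lower()
            cmd = ev.get("cmdline", "").lower()
            if image in dropped:
                t.findings.append(Finding("dropped_file_executed", 2, image))
            for p in dropped:  # a dropped .bat handed to cmd.exe
                if p.endswith(".bat") and p in cmd:
                    t.findings.append(Finding("dropped_file_executed", 2, p))
            if TIMEOUT_CMD.match(cmd):
                t.findings.append(Finding("timeout_delay", 1, cmd))
        elif kind == "network_connect":
            if ev.get("image", "").lower() in dropped:
                t.findings.append(Finding("dropped_file_beacons", 3,
                                          f'{ev.get("dst")}:{ev.get("port")}'))
    return t


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS))
    for f in result.findings:
        print(f"[{f.weight}] {f.rule}: {f.detail}")
    print(f"score={result.score} verdict={result.verdict}")
```

The point of keeping the `dropped` set is correlation: a file written under AppData is ordinary, and a process starting from AppData is ordinary, but a file that is written, registered in the Run key, executed and then seen connecting out within one run is the chain the post describes, and each link adds to the score rather than firing in isolation.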

The executable dropped in the user's AppData folder was the true malware; it contained a configuration for communication with 5 different C2 addresses over 2 ports. It confirmed the ability to run on startup, which was seen being executed by the initial exe. Source: MalwareConfig

Running the C2 IP addresses through VirusTotal gave me a bit of insight into the threat actors: almost all of their C2 communications were going through Cloudflare redirectors. One of the IPs was located in Vientiane, Laos. In recent news, AsyncRAT has not only been using Cloudflare’s redirector services but also taking advantage of TryCloudflare, Cloudflare’s free tunneling service, for multistage delivery. Sources: Cyberpress, Dark Reading

Impact

AsyncRAT is widely used by threat actors all over the globe, targeting multiple infrastructures, and since its creation in 2019 it has done nothing but grow in use, according to a recent report.

A look at a deeper dive

I found a technical analysis of AsyncRAT on VXUnderground that dives into the code of AsyncRAT. It is really well done and an easy read. THIS is the stuff I want to end up getting into; once I figure out the best way to do these types of analysis, it will become a big part of this blog. From what I understood in this writeup, AsyncRAT can be very stealthy, checking for antivirus, sandboxing, and even disk space. It also has a neat admin-checking bat file that runs every time someone logs in, checks if they are admin, and then deletes itself. There were some telltale signs from what I found that were also in the writeup, like the location of the bat file, the executable, and the edit of the registry key value.

Future

This was really fun and it left me wanting to do more. Like I said, once I figure out how to safely do these deeper types of analysis I definitely want to take a stab at it. It was cool learning about malware's use of a MUTEX to check if a machine has already been compromised, and seeing just how stealthy AsyncRAT can be via the deep dive I found.

This post is licensed under CC BY 4.0 by the author.