Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1622 | Debugger Evasion | AsyncRAT can use the |
Enterprise | T1568 | Dynamic Resolution | |
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | AsyncRAT can hide the execution of scheduled tasks using |
Enterprise | T1105 | Ingress Tool Transfer | |
Enterprise | T1056.001 | Input Capture: Keylogging | AsyncRAT can capture keystrokes on the victim’s machine.[4] |
Enterprise | T1106 | Native API | AsyncRAT has the ability to use OS APIs including |
Enterprise | T1057 | Process Discovery | AsyncRAT can examine running processes to determine if a debugger is present.[3] |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | AsyncRAT can create a scheduled task to maintain persistence on system start-up.[3] |
Enterprise | T1113 | Screen Capture | AsyncRAT has the ability to view the screen on compromised hosts.[4] |
Enterprise | T1082 | System Information Discovery | AsyncRAT can check the disk size through the values obtained with |
Enterprise | T1033 | System Owner/User Discovery | AsyncRAT can check if the current user of a compromised system is an administrator.[3] |
Enterprise | T1125 | Video Capture | |
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments.[3] |