AsyncRAT Being Distributed in Fileless Form

The ASEC analysis team has recently discovered that AsyncRAT is being distributed in fileless form. The sample is executed filelessly through a chain of script files and is believed to be distributed as a compressed attachment in phishing emails. AsyncRAT is an open-source RAT developed in .NET that can perform various malicious activities on the attacker's command.

The compressed file distributed through phishing emails contains an HTML file; opening it writes the malicious data embedded in the HTML to disk as an ISO file (the technique commonly called HTML smuggling). ISO is an extension that various malware families have commonly used in recent times.

Inside the compressed file

HTML file that generates a malicious ISO file
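As an added example (not part of the original ASEC analysis), the Python script below triages an HTML dropper of this kind offline: it pulls every large base64 run out of the page, decodes it, and checks whether the result carries an ISO 9660 primary volume descriptor at the standard offset (sector 16, 0x8000), while also noting which of the JavaScript calls typical of HTML smuggling are present. The sample page it builds is constructed here and is not the actual attachment; the marker list and the 2048-character minimum run length are assumptions.

```python
import base64
import hashlib
import re

# ISO 9660 places the primary volume descriptor at sector 16 (16 * 2048 bytes);
# the descriptor is one type byte followed by the "CD001" identifier.
ISO_PVD_OFFSET = 0x8000
ISO_SIGNATURE = b"CD001"

# JavaScript APIs that HTML-smuggling pages typically combine to turn an
# embedded string into a download on the victim's machine (assumed list).
SMUGGLING_MARKERS = (
    "atob(", "Uint8Array", "new Blob", "createObjectURL",
    "msSaveOrOpenBlob", ".download", ".click()",
)

# Any base64 run long enough to plausibly hold a file; short runs are ignored.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{2048,}={0,2}")


def is_iso9660(data: bytes) -> bool:
    """True if data carries a primary volume descriptor where ISO 9660 puts it."""
    return data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] == ISO_SIGNATURE


def smuggling_markers(html: str) -> list:
    """Which of the known smuggling API calls appear in the page."""
    return [m for m in SMUGGLING_MARKERS if m in html]


def extract_blobs(html: bytes) -> list:
    """Decode every large base64 run found in the HTML; skip runs that do not decode."""
    blobs = []
    for m in B64_BLOB.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue
    return blobs


def triage_html(html: bytes) -> dict:
    """Summarise markers and embedded payloads of a suspected HTML dropper."""
    payloads = [
        {
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
            "iso9660": is_iso9660(blob),
        }
        for blob in extract_blobs(html)
    ]
    return {"markers": smuggling_markers(html.decode("latin-1")), "payloads": payloads}


def build_sample_html() -> bytes:
    """CONSTRUCTED sample: a minimal fake ISO image wrapped in a smuggling page."""
    image = bytearray(ISO_PVD_OFFSET + 2048)
    image[ISO_PVD_OFFSET] = 0x01                                  # descriptor type: primary
    image[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] = ISO_SIGNATURE
    image[ISO_PVD_OFFSET + 6] = 0x01                              # descriptor version
    b64 = base64.b64encode(bytes(image)).decode()
    return (
        "<html><body><script>\n"
        f'var d="{b64}";\n'
        "var bin=atob(d);var arr=new Uint8Array(bin.length);\n"
        "for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}\n"
        "var blob=new Blob([arr],{type:'application/octet-stream'});\n"
        "var a=document.createElement('a');a.href=URL.createObjectURL(blob);\n"
        "a.download='invoice.iso';a.click();\n"
        "</script></body></html>\n"
    ).encode()


if __name__ == "__main__":
    print(triage_html(build_sample_html()))
```

On a real attachment, call `triage_html(open(path, "rb").read())`; a decoded blob that passes `is_iso9660` can then be mounted read-only or parsed to list the VBScript and bat files inside without ever double-clicking the HTML.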

The generated ISO file uses file names related to receipts and invoices, and contains a VBScript file and a bat file.

  • File Name
Inside ISO file (1)

Inside ISO file (2)

The VBScript executes the bat file placed alongside it, and the bat file executes an obfuscated command.

VBS Code

BAT Code

The decoded command below executes a malicious PowerShell command through cmd. That PowerShell command in turn executes another PowerShell command stored at a certain path.

  • Decoded command

A portion of the additional PowerShell command is shown below. It generates a total of 5 script files and then executes them. See the list and figures below for the features of the 5 generated scripts.

Additional PowerShell command (1)

Additional PowerShell command (2)

1. C:\ProgramData\Express\xx.vbs

xx.vbs code

This is the first script file executed after the 5 scripts are generated. It executes the file C:\ProgramData\Express\xx.bat generated alongside it.

2. C:\ProgramData\Express\xx.bat

xx.bat code

This script registers the file C:\ProgramData\Express\Cotrl.vbs in the Task Scheduler. The registered task is set to run every 3 minutes, which both keeps the RAT running after a reboot and re-launches it if the injected process is killed.

3. C:\ProgramData\Express\Cotrl.vbs


This script executes the file C:\ProgramData\Express\Cotrl.bat generated alongside it.

4. C:\ProgramData\Express\Cotrl.bat

Cotrl.bat code

This script force-closes any running PowerShell process and then executes the file C:\ProgramData\Express\Cotrl.ps1. Killing PowerShell first presumably keeps the 3-minute scheduled task from piling up multiple copies of the loader.

5. C:\ProgramData\Express\Cotrl.ps1

Cotrl.ps1 code (1)

Cotrl.ps1 code (2)

This script, the last to be executed, performs the actual malicious behavior. It contains 2 pieces of malicious data: a Loader and AsyncRAT. The first (the Loader) is loaded as a .NET assembly and the Execute method of its GIT.local class is invoked, with the path "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" and the second piece of data (AsyncRAT) passed as arguments.

The Execute method of GIT.local is shown below. Using the path and malicious data passed as arguments, it injects the AsyncRAT payload into a normal process (C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), so the RAT runs under the name of a legitimate .NET build tool and the RAT binary itself is never written to disk.
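The five-script chain above leaves a distinctive sequence of process creations even though the RAT itself is fileless. As an added example, not taken from the ASEC post, the Python below encodes that sequence as detection rules over process-creation records shaped like Sysmon Event ID 1 (a script host running a .vbs from C:\ProgramData, schtasks creating a minute-interval task that points at a script, taskkill aimed at powershell.exe, cmd.exe spawning PowerShell with an encoded command or a ProgramData script, and aspnet_compiler.exe started without arguments by a parent other than a build tool) and correlates the hits per host. The events are constructed; the exact schtasks switches, the list of expected aspnet_compiler.exe parents and the three-rule alert threshold are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A process-creation record in the shape of Sysmon Event ID 1 (constructed)."""
    ts: int            # seconds since the epoch
    host: str
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent process


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
LOADER_TARGET = "aspnet_compiler.exe"
# Assumed legitimate parents of aspnet_compiler.exe (build tooling).
EXPECTED_ASPNET_PARENTS = ("msbuild.exe", "devenv.exe", "iisexpress.exe")
PROGRAMDATA_SCRIPT = re.compile(r"c:\\programdata\\[^\s\"]+\.(vbs|bat|js|ps1)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_from_programdata(e: ProcEvent) -> bool:
    # xx.vbs / Cotrl.vbs are run by wscript.exe from C:\ProgramData\Express.
    return basename(e.image) in SCRIPT_HOSTS and PROGRAMDATA_SCRIPT.search(e.cmdline) is not None


def rule_schtasks_minute_interval(e: ProcEvent) -> bool:
    # xx.bat registers Cotrl.vbs as a task that fires every 3 minutes.
    c = e.cmdline.lower()
    if basename(e.image) != "schtasks.exe" or "/create" not in c or "/sc minute" not in c:
        return False
    m = re.search(r"/mo\s+(\d+)", c)
    interval = int(m.group(1)) if m else 1          # schtasks default modifier is 1
    return interval <= 5 and re.search(r"\.(vbs|bat|ps1)\b", c) is not None


def rule_taskkill_powershell(e: ProcEvent) -> bool:
    # Cotrl.bat force-closes PowerShell before starting Cotrl.ps1.
    return basename(e.image) == "taskkill.exe" and "powershell" in e.cmdline.lower()


def rule_cmd_spawns_powershell_loader(e: ProcEvent) -> bool:
    # The bat layer hands off to PowerShell via cmd, either encoded or by script path.
    if basename(e.image) not in ("powershell.exe", "pwsh.exe") or basename(e.parent_image) != "cmd.exe":
        return False
    c = e.cmdline.lower()
    return re.search(r"\s-(e|ec|enc|encodedcommand)\s", c) is not None or PROGRAMDATA_SCRIPT.search(c) is not None


def rule_aspnet_compiler_injection_target(e: ProcEvent) -> bool:
    # An injection host is typically started with its bare path and no arguments,
    # and here its parent is PowerShell rather than a build tool.
    if basename(e.image) != LOADER_TARGET:
        return False
    no_args = e.cmdline.strip().strip('"').lower().endswith(LOADER_TARGET)
    return no_args and basename(e.parent_image) not in EXPECTED_ASPNET_PARENTS


RULES = {
    "script_from_programdata": rule_script_from_programdata,
    "schtasks_minute_interval": rule_schtasks_minute_interval,
    "taskkill_powershell": rule_taskkill_powershell,
    "cmd_spawns_powershell_loader": rule_cmd_spawns_powershell_loader,
    "aspnet_compiler_injection_target": rule_aspnet_compiler_injection_target,
}


def detect(events) -> list:
    """Return (rule_name, event) for every event that matches a rule."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


def correlate(events, min_rules: int = 3) -> dict:
    """Hosts on which at least min_rules distinct stages of the chain were observed."""
    by_host = {}
    for name, e in detect(events):
        by_host.setdefault(e.host, set()).add(name)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS = r"C:\Windows\System32"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed events: the chain on WS01, plus benign look-alikes on other hosts.
SAMPLE_EVENTS = [
    ProcEvent(1660000000, "WS01", SYS + r"\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Express\xx.vbs"', PS),
    ProcEvent(1660000001, "WS01", SYS + r"\schtasks.exe",
              r'schtasks /create /sc minute /mo 3 /tn Cotrl /tr "C:\ProgramData\Express\Cotrl.vbs" /f',
              SYS + r"\cmd.exe"),
    ProcEvent(1660000180, "WS01", SYS + r"\taskkill.exe", "taskkill /f /im powershell.exe", SYS + r"\cmd.exe"),
    ProcEvent(1660000181, "WS01", PS,
              r'powershell -ExecutionPolicy Bypass -File "C:\ProgramData\Express\Cotrl.ps1"', SYS + r"\cmd.exe"),
    ProcEvent(1660000183, "WS01", ASPNET, f'"{ASPNET}"', PS),
    ProcEvent(1660000300, "BUILD01", ASPNET, r"aspnet_compiler.exe -v / -p C:\src\web -f C:\out",
              r"C:\Program Files\Microsoft Visual Studio\MSBuild\msbuild.exe"),
    ProcEvent(1660000310, "WS02", SYS + r"\schtasks.exe",
              r'schtasks /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"', SYS + r"\cmd.exe"),
    ProcEvent(1660000320, "WS02", PS, "powershell.exe", SYS + r"\explorer.exe"),
]


if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        print(f"{e.host} {name}: {e.cmdline}")
    print(correlate(SAMPLE_EVENTS))
```

Each rule on its own is noisy (administrators do create minute-interval tasks and developers do run aspnet_compiler.exe), which is why the alert only fires when several distinct stages of the chain appear on the same host; in a real deployment the correlation should also be bounded by a time window, since the scheduled task repeats the later stages every 3 minutes.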



The injected data is AsyncRAT, an open-source RAT whose code is published on GitHub. It receives commands from the attacker through the C2 server and can perform various malicious behaviors; most of these are carried out by plugins sent from the C2. Its built-in features include Anti-VM, keylogging and a remote shell.

  • C2
C2 Decryption

Anti VM

Malware distribution through ISO files has increased recently. Moreover, because the malware is executed in fileless form, it is difficult for users to identify what type of malware was executed. Note that only the RAT itself stays off disk: the five scripts under C:\ProgramData\Express and the scheduled task that re-runs Cotrl.vbs every 3 minutes are artifacts that can be checked for and removed. Users should refrain from opening files from unknown sources and must run regular checkups on their PC.

[File Detection]
Dropper/HTML.Generic (2022.08.11.03)
Trojan/PowerShell.Loader (2022.08.18.00)
Dropper/ISO.Agent (2022.08.18.00)
Trojan/BAT.Runner (2022.08.18.00)
Downloader/BAT.Generic (2022.08.18.00)
Trojan/VBS.Runner (2022.08.18.00)


