Hash / Info     Value
SHA256          8c66c93d00fd52ad2efc773b29e339f3164bca178ea201009ba7d65a21f62e51
MD5             8b4d740adbe4635b5ee756b7a6bf996d
SHA1            6404251e3555978f081f9bd17e9b295f59166680
ImpHash         f34d5f2d4577ed6d9ceec516c1f5a744
File Name       mko1.exe
File Type       exe
Size            48,640 bytes
First Seen      2026-05-14

Threat Assessment

This sample has been identified as a RAT (Remote Access Trojan) that gives attackers full remote control over compromised systems. It carries a comprehensive surveillance feature set: keylogging, screen capture, file management and shell access.

Detected Capabilities

  • Remote Access
  • Keylogging
  • Screen Capture
  • File Management
  • Shell Access

MalwareBazaar Tags

AsyncRAT, botnet, c2, exe, trojan

Analysis Note

This sample belongs to the AsyncRAT family and was obtained from the MalwareBazaar platform. KEYDAL Security Research performed metadata analysis and added it to the IOC database. Note that the ImpHash above (f34d5f2d4577ed6d9ceec516c1f5a744) is the generic value shared by .NET executables, whose only native import is mscoree!_CorExeMain; it identifies the runtime rather than this sample and is not usable as a pivot.

AsyncRAT — Malware Profile

AsyncRAT is a C#-based RAT family released as open source in 2019. It offers screen capture, a keylogger, file operations, HVNC and a plugin system. C2 traffic runs over TCP (wrapped in TLS) and each message is additionally encrypted with AES-256-CBC and authenticated with HMAC-SHA256, the keys being derived with PBKDF2 from the key embedded by the builder. It is distributed via JS/PDF lures.

Malware Type
RAT
Programming Language
.NET C#
C2 Protocol
TCP/SSL
Target Systems
Windows
Also Known As (AKA)
AsyncClient

Technical Details

C# .NET; AES-256-CBC message encryption with HMAC-SHA256 (PBKDF2 key derivation); TCP ports 6606, 7707 and 8808 are the public builder defaults, but operators change them freely (this page's IOC table also records 4444, 4449 and 4782); mutex check for single-instance execution; runtime assembly loading; anti-analysis (VM check, process listing); HVNC; keylogger; stealer; botnet module

Attribution / Threat Actor

Open source: the original developer published it on GitHub, and it has been in continuous use by the cybercriminal community ever since. A large number of distinct threat actors use it, including in APT operations, so family attribution alone says little about the operator.

Capabilities & Behavior

Remote Access & Control
Keylogger
Screen Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (24 indicators)

IOC — AsyncRAT
Type       Value                                                              Note
sha256     8c66c93d00fd52ad2efc773b29e339f3164bca178ea201009ba7d65a21f62e51
md5        8b4d740adbe4635b5ee756b7a6bf996d
ip         185.220.101.12                                                     C2:6606
ip         45.86.86.159                                                       C2:4444
ip         193.142.146.68                                                     C2:7707
ip         149.102.143.58                                                     C2:6606
ip         89.187.167.118                                                     C2:4449
ip         185.238.228.50                                                     AsyncRAT C2, Europe
ip         5.39.63.112                                                        AsyncRAT C2, France
ip         193.142.146.35                                                     C2:6606
ip         37.48.89.107                                                       C2:4782
domain     async-control.ddns.net                                             AsyncRAT DDNS C2 domain
domain     remote-admin-panel.ru                                              AsyncRAT panel domain, Russian hosting
domain     my-home-server.zapto.org                                           AsyncRAT dynamic DNS C2
mutex      AsyncMutex_6SI8OkPnk                                               AsyncRAT default mutex; builder value left unchanged
mutex      GlobalAsyncTask2025                                                AsyncRAT 2025 variant, custom mutex
mutex      AsyncMutex_4ef16dce                                                AsyncRAT mutex with the default AsyncMutex_ prefix
registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsNT       AsyncRAT persistence, named after a system component
registry   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update          AsyncRAT Run key
filepath   %APPDATA%\Roaming\AsyncRAT\AsyncRAT.exe                            AsyncRAT dropped binary path
filepath   %TEMP%\SYN.exe                                                     AsyncRAT temp dropper
filepath   %TEMP%\AsyncTask.exe                                               AsyncRAT dropped loader
filepath   %APPDATA%\AsyncRAT\client.exe                                      AsyncRAT client path

Before turning the network indicators into block rules, validate them against current data: dynamic DNS names (ddns.net, zapto.org) are re-registered by unrelated parties, 185.220.101.0/24 is widely listed as Tor exit-relay space, and only ports that are not builder defaults (4444, 4449, 4782) carry any operator-specific signal. The host indicators (mutex names, Run values, drop paths) are the more stable set for this sample.
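As an added example (not code from this page or from KEYDAL), the indicators above can be matched against host telemetry. The script transcribes the page's hashes, C2 addresses and ports, domains, mutexes, Run-key values and drop paths, then checks them against Sysmon-style events (process creation, network connection, DNS query, registry value set, file create) and a sandbox-style mutex record. The event records, the user profile layout and the field names are assumptions constructed for the example; only the IOC values come from the page.

```python
"""Added example (not part of this page or of KEYDAL's tooling): match the
AsyncRAT IOCs listed above against Sysmon-style host telemetry.  The events
at the bottom are constructed for the example; the IOC values are the page's."""
import re

# --- IOCs transcribed from the table on this page ---
HASHES = {
    "sha256": "8c66c93d00fd52ad2efc773b29e339f3164bca178ea201009ba7d65a21f62e51",
    "md5": "8b4d740adbe4635b5ee756b7a6bf996d",
}
# IP -> port as listed on the page (None where the page gives no port)
C2_IPS = {
    "185.220.101.12": 6606, "45.86.86.159": 4444, "193.142.146.68": 7707,
    "149.102.143.58": 6606, "89.187.167.118": 4449, "185.238.228.50": None,
    "5.39.63.112": None, "193.142.146.35": 6606, "37.48.89.107": 4782,
}
C2_DOMAINS = {"async-control.ddns.net", "remote-admin-panel.ru",
              "my-home-server.zapto.org", "async-rat-cdn.top"}
MUTEXES = {"AsyncMutex_6SI8OkPnk", "GlobalAsyncTask2025", "AsyncMutex_4ef16dce"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"WindowsNT", "Update"}
# Drop paths exactly as the page gives them (%APPDATA% already ends in
# \Roaming, so the first template only matches the doubled path as listed).
FILE_PATHS = [r"%APPDATA%\Roaming\AsyncRAT\AsyncRAT.exe", r"%TEMP%\SYN.exe",
              r"%TEMP%\AsyncTask.exe", r"%APPDATA%\AsyncRAT\client.exe"]

# Sysmon records absolute paths, so the %VAR% templates become regexes that
# accept any user profile directory (assumed default profile layout).
_ENV = {"%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
        "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp"}

def _path_regex(template):
    var, rest = template.split("\\", 1)
    return re.compile(_ENV[var] + r"\\" + re.escape(rest), re.IGNORECASE)

PATH_RES = [_path_regex(t) for t in FILE_PATHS]
# Sysmon writes HKCU keys as HKU\<user SID>\...; fold that back to HKCU.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

def _path_hits(path):
    return [f"dropped-binary path {path}" for rx in PATH_RES if rx.fullmatch(path)]

def match_event(ev):
    """Return the list of IOC matches for one event (empty list = clean)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation: compare hashes and image path
        for part in ev.get("Hashes", "").split(","):
            algo, _, digest = part.partition("=")
            if HASHES.get(algo.lower()) == digest.lower():
                hits.append(f"{algo.lower()} matches sample")
        hits += _path_hits(ev.get("Image", ""))
    elif eid == 3:  # network connection to a listed C2 address
        ip, port = ev.get("DestinationIp"), ev.get("DestinationPort")
        if ip in C2_IPS:
            expected = C2_IPS[ip]
            note = ("no port listed on the page" if expected is None else
                    "port matches" if expected == port else
                    f"page lists port {expected}")
            hits.append(f"C2 ip {ip}:{port} ({note})")
    elif eid == 22:  # DNS query for a listed domain
        name = ev.get("QueryName", "").lower().rstrip(".")
        if name in C2_DOMAINS:
            hits.append(f"DNS query for C2 domain {name}")
    elif eid == 13:  # registry value set under the Run key
        target = _HKU_SID.sub(lambda m: "HKCU\\", ev.get("TargetObject", ""))
        key, _, value = target.rpartition("\\")
        if key.lower() == RUN_KEY.lower() and value in RUN_VALUES:
            hits.append(f"Run key persistence value '{value}'")
    elif eid == 11:  # file creation at a listed drop path
        hits += _path_hits(ev.get("TargetFilename", ""))
    # Mutex names are not a Sysmon field; they come from sandbox reports or
    # handle enumeration, so accept a plain "Mutex" field on any record.
    mutex = ev.get("Mutex", "").rsplit("\\", 1)[-1]
    if mutex in MUTEXES:
        hits.append(f"mutex {mutex}")
    return hits

def scan(events):
    """Map event index -> reasons, for every event that hits at least one IOC."""
    report = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            report[i] = hits
    return report

# Constructed telemetry for the example (Sysmon field names, invented host data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\SYN.exe",
     "Hashes": "SHA256=8C66C93D00FD52AD2EFC773B29E339F3164BCA178EA201009BA7D65A21F62E51,"
               "MD5=8B4D740ADBE4635B5EE756B7A6BF996D"},
    {"EventID": 3, "DestinationIp": "185.220.101.12", "DestinationPort": 6606},
    {"EventID": 3, "DestinationIp": "193.142.146.68", "DestinationPort": 443},
    {"EventID": 22, "QueryName": "async-control.ddns.net"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software"
                                    r"\Microsoft\Windows\CurrentVersion\Run\WindowsNT"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\AsyncRAT\client.exe"},
    {"EventID": 3, "DestinationIp": "203.0.113.7", "DestinationPort": 443},  # unrelated
    {"Mutex": r"\Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk"},  # sandbox record
]
```

Running `scan(SAMPLE_EVENTS)` reports every constructed event except the unrelated 203.0.113.7 connection. The IP match is reported even when the destination port differs from the one on the page (the 193.142.146.68:443 event), with the page's port noted, because operators rebind ports between campaigns; whether to alert on that is a tuning decision. Mutex matching is kept separate from the Sysmon branches because a mutex name never appears in Sysmon output and has to come from a sandbox run or live handle enumeration.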

C2 Servers (8 recorded servers for this family)

Address         Type     Port   Protocol   Status   Country
system.io       domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
system.io       domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —
microsoft.com   domain   —      TCP        active   —

These entries carry no port and name generic or legitimate domains (microsoft.com is Microsoft's own), which is what decoy or placeholder host values in extracted sample configurations look like; they should not be treated as live C2 endpoints or turned into block rules without independent validation.

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
AsyncRAT, botnet, c2, exe, trojan