An Incident Response Investigation with Binalyze AIR
Detecting malware that runs silently for weeks is a constant and stark reminder of the stakes in modern incident response. In one recent Incident Response (IR) engagement, the Binalyze CERT (Customer Experience Response Team) uncovered a prolonged campaign involving the well-known malware family AsyncRAT.
Over the course of 30 days, this Remote Access Trojan (RAT) quietly operated within the affected environment, capturing keystrokes and transmitting sensitive data back to its operators.
Guided by the Core Four Investigative Priorities—how the attacker gained access, whether they are still present, what data was taken, and which systems or users are affected—this blog walks you through our investigator’s process of uncovering and addressing the AsyncRAT attack.
Setting the Stage: How It Began
The incident started with an alert from the client's endpoint detection and response (EDR) system. The EDR logs showed an AutoHotkey.exe process attempting to create a scheduled task by executing a PowerShell command:
This alert was the starting point of the investigation. To identify the breach vector, we deployed Binalyze's Automated Investigation and Response (AIR) platform, using its Evidence Acquisition and automated analysis features to present Findings in the Investigation Hub.
It is worth noting that, had the AIR Responder been pre-deployed on the client's assets, a proactive threat hunt with AIR could have surfaced this Indicator of Compromise (IOC) well before the 30 days it took the client's EDR to flag suspicious activity.
Deployment of Binalyze AIR and the Discovery of AsyncRAT
The AIR Responder is designed for rapid deployment across diverse infrastructures, ensuring forensic collection and analysis capabilities are operational within minutes. Whether your environment is on-premise, cloud-based, or hybrid, the AIR Responder’s adaptable architecture ensures seamless integration with your existing systems. This flexibility allows for swift response during incidents or proactive monitoring efforts.
In this particular investigation, after deploying the AIR Responder and collecting a focused evidence set, AIR’s automated analysis delivered ‘High’ Findings in the Investigation Hub. These immediately revealed signs of ‘AsyncRAT’ injected into the memory of the AppLaunch.exe process and mapped these findings to the MITRE ATT&CK Framework:
This combination of rapid deployment and the presentation of actionable insights highlights AIR’s critical role in both reactive incident response cases and proactive threat hunting.
By reviewing the process details above, we identified its Process Identifier (PID), which we then used in the Investigation Hub to gather more insights from the Process evidence.
It soon became apparent that the AppLaunch.exe process had an active connection established:
The Investigation Hub immediately provides actionable intelligence from TCP Table evidence, revealing the remote IP address linked to this connection:
VirusTotal confirmed that the remote address was associated with an AsyncRAT command-and-control (C2) server, validating its role in maintaining communication between the infected asset and the attacker’s infrastructure.
https://www.virustotal.com/gui/url/4dca8e126e79504a222e7f97125ee18282679fb1298e06ebd062346f733a0a8f
Initial Access - Investigative Priority: How Did the Attacker Get In?
Understanding how the attacker first accessed the system is critical to closing the gap and preventing recurrence; it also lets the investigator establish with confidence when the intrusion began. In this case, an alert from the EDR pointed to a suspicious command line involving AutoHotkey.exe. Using AIR's Investigation Hub, we searched the collected evidence and, by piecing the data together, identified the earliest appearance of AutoHotkey.exe on 11 November 2024, marking the likely beginning of the intrusion:
Execution
When we applied a global date filter in the Investigation Hub, it uncovered a clear timeline of events that illuminated the progression of the attack. The findings revealed:
- A visit to a suspicious URL, likely tied to a phishing campaign aimed at deceiving the user and establishing an initial foothold.
- The download of ScreenConnect, a legitimate remote access tool that attackers frequently abuse to gain unauthorized control over systems.
- Multiple file transfers via ScreenConnect, indicating the attacker used it to deploy additional malicious payloads.
This timeline painted a clear picture of the attacker's methodology, providing crucial insight into the stages of the compromise:
The Investigation Hub identifies the following files as transferred during the ScreenConnect file transfer session:
- aaa.exe
- Buffister.bat
- Tjekkedes.wsf
- hp.bat
At the time of our analysis, the files were no longer present, preventing us from examining their content directly. However, given that they were downloaded during a ScreenConnect session, a tool frequently misused by threat actors for unauthorized remote access, we can reasonably infer their purpose: they were most likely transferred to deploy AsyncRAT or other malicious payloads.
ScreenConnect and other remote access sessions often provide critical insight into an attacker's tactics, techniques, and procedures (TTPs). The timing, sequence, and nature of these file transfers suggest they were intended to establish persistence, execute malicious code, or further the compromise. Their absence limits direct validation, but the contextual clues strongly point to their role in enabling the intrusion.
Persistence - Investigative Priority: Are They Still Here?
A reference to AutoHotkey was also found in Scheduled Tasks, configured to run every 2 minutes. This frequent execution is a clear indication of a persistence mechanism designed to maintain the attacker’s foothold in the system. By scheduling the task to run so often, the attacker ensures that their malicious payload is repeatedly executed, even if it is temporarily stopped or removed.
This approach is a common tactic to guarantee continued access and control, making it more challenging to completely eradicate the threat without thoroughly addressing all traces of the scheduled task and its associated components.
Malicious script analysis
The AutoHotkey binary by itself does not perform any actions; it requires a script to define its behavior. In the scheduled task configuration, no arguments are supplied to AutoHotkey.exe, so it falls back to its default behavior. According to AutoHotkey's documentation, when no script is given on the command line, it attempts to run a script named AutoHotkey.ahk located in the same directory as the executable.
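The two persistence traits described above (a task repeating every couple of minutes, and AutoHotkey.exe launched with no script argument so that it silently loads AutoHotkey.ahk) are easy to hunt for in exported Task Scheduler XML. The following is an added example written for this article, not Binalyze's or AIR's code; it parses the XML format produced by schtasks /query /xml and Export-ScheduledTask, and the two task definitions, the "victim" path and the 600-second threshold are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Namespace of exported Task Scheduler XML (schtasks /query /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; a task binary living here warrants review.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Documents|Downloads|AppData)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)


def iso8601_duration_seconds(value: Optional[str]) -> Optional[int]:
    """Convert a repetition interval such as 'PT2M' or 'P1DT1H' to seconds (None if unparseable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def triage_task(xml_text: str, max_interval_seconds: int = 600) -> List[str]:
    """Return the reasons a task resembles the AutoHotkey persistence seen in this case
    (an empty list means nothing notable)."""
    root = ET.fromstring(xml_text)
    reasons: List[str] = []

    # Any trigger with a short repetition interval is a re-execution loop, not a normal job.
    intervals = [iso8601_duration_seconds(el.text) for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= max_interval_seconds:
        reasons.append(f"repeats every {min(intervals)}s")

    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", "", NS).strip().strip('"')
        arguments = exec_el.findtext("t:Arguments", "", NS).strip()
        if command.lower().endswith("autohotkey.exe"):
            reasons.append("runs AutoHotkey.exe")
            if not arguments:
                # No script on the command line: AutoHotkey.exe loads the default AutoHotkey.ahk instead.
                reasons.append("no script argument (implicit AutoHotkey.ahk)")
        if USER_WRITABLE.search(command):
            reasons.append(f"binary in user-writable path: {command}")
    return reasons


# Constructed sample modelled on the task in this case: a 2-minute repetition, AutoHotkey.exe in the
# user's Documents folder, no arguments. (The "victim" user name is made up.)
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <StartBoundary>2024-11-11T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\victim\Documents\AutoHotkey.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily updater under Program Files with an explicit argument.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\Updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print("suspicious:", triage_task(SUSPICIOUS_TASK))
    print("benign:", triage_task(BENIGN_TASK))
```

Real exports begin with a UTF-16 XML declaration, so read them as bytes and hand the bytes to ET.fromstring rather than decoding them yourself. The three signals are deliberately reported separately: a short interval alone is common for monitoring agents, and AutoHotkey alone is common on power-user machines, but the combination with an implicit script in a user-writable directory is what made this task stand out.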
The AutoHotkey.ahk script includes functionality to create a new process and inject data directly into its memory, a technique often used in malicious operations. Toward the end of the script, we identified the exact command responsible for triggering the EDR alert, along with a reference to a file named str.txt, which was also located in the %userprofile%\Documents directory. This provided further evidence linking the script to the observed malicious activity:
Using interACT, AIR’s Remote Shell feature, we were able to locate and retrieve the str.txt file from the asset for further analysis. This capability allowed us to examine the file’s contents and understand its role in the attacker’s operations:
In our investigation, str.txt was identified as an encoded binary containing AsyncRAT: a comma-separated list of decimal numbers, each holding one payload byte divided by two. To analyze its contents, we used a short Python script to decode the file and reveal the underlying data:
with open("str.txt", "r") as file:
    # The file is a comma-separated list of decimal numbers, one per payload byte
    numbers = file.read().strip().split(",")

# Each byte was stored as its value divided by 2: multiply by 2 and wrap to an unsigned char
payload = bytes(int(float(num) * 2) % 256 for num in numbers if num.strip())

# Write the reconstructed binary for further analysis
with open("output.bin", "wb") as output_file:
    output_file.write(payload)
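Before spending time on a decoded blob it is worth confirming that the transformation actually produced a PE image, since a wrong divisor or a stray delimiter yields plausible-looking garbage. The following is an added example for this article, not part of the original investigation or the AIR product: it packages the same decoding rule as a function, adds the inverse so a test input can be built, and checks the result for an MZ header whose e_lfanew points at a PE signature. The sample payload is a constructed skeleton, not AsyncRAT.

```python
import struct


def decode_half_float_payload(text: str) -> bytes:
    """Reverse the str.txt encoding: each payload byte was written as its value divided by 2,
    in decimal text, comma-separated (so 'M' = 0x4D = 77 appears as 38.5)."""
    return bytes(int(float(tok) * 2) % 256 for tok in text.strip().split(",") if tok.strip())


def encode_half_float_payload(data: bytes) -> str:
    """Inverse of the decoder; used here only to build the constructed sample below."""
    return ",".join(str(b / 2) for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on decoder output: an 'MZ' DOS header whose e_lfanew field (offset 0x3C)
    points at the 4-byte PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed sample: a minimal fake PE skeleton (not a runnable executable): a 0x40-byte DOS
# header with e_lfanew = 0x40, the PE signature, and a few filler bytes.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x90" * 16
ENCODED_SAMPLE = encode_half_float_payload(FAKE_PE)  # what a str.txt built this way looks like

if __name__ == "__main__":
    decoded = decode_half_float_payload(ENCODED_SAMPLE)
    print("round-trip ok:", decoded == FAKE_PE)
    print("PE header present:", looks_like_pe(decoded))
    print("first tokens:", ENCODED_SAMPLE[:24])
```

If the decoded output fails the header check, the usual culprits are a different divisor (try the value that turns the first token into 0x4D), a trailing delimiter, or numbers that were meant to be interpreted as signed bytes; the modulo 256 wrap in the decoder handles the last case.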
Exfiltration - Investigative Priority: What data was stolen?
AsyncRAT is a well-known malware family that has been extensively analyzed, so we will not cover its general characteristics here. What stood out in this case were the numerous strings commonly associated with keylogging found in the sample, together with a \Log.tmp file path. These indicators strongly suggested that AsyncRAT was actively capturing and storing keystroke data on the infected system:
Using AIR’s interACT feature, we were able to pull Log.tmp from the infected asset:
A closer examination of the Log.tmp file confirmed our suspicions: AsyncRAT had been capturing and logging every keystroke on the infected system for over a month, giving the attackers a detailed record of all user activity:
Lateral Movement - Investigative Priority: Are Other Systems/Users Affected?
To support detection and prevention across other assets, both now and in the future, the indicators of compromise (IOCs) recovered during this investigation are listed below, with SHA256 hashes where the file was still available for hashing.
Indicator | Type | Value |
AutoHotkey.exe | SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
AutoHotkey.ahk | SHA256 | 8aea73b1dcd1e9b08aaa0d8357c874256b6ad4b245694c28d6113ef7ae0d9983 |
str.txt | SHA256 | 8aea73b1dcd1e9b08aaa0d8357c874256b6ad4b245694c28d6113ef7ae0d9983 |
AsyncRAT C2 | IP address | 45.126.209.52 |
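Answering "are other systems affected?" means running these indicators against every other asset's file system and TCP table. The following is an added example for this article, not AIR's own hunting logic: a file sweep that matches on SHA256 first (definitive) and on the file names from this case second (a lead for manual review), plus a filter for TCP-table rows pointing at the C2 address. The hash values are copied from the table above as published; the temporary directory, its contents, the "demo payload" indicator and the TCP rows are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators from the table above (hash values copied as published).
IOC_SHA256 = {
    "effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696": "AutoHotkey.exe",
    "8aea73b1dcd1e9b08aaa0d8357c874256b6ad4b245694c28d6113ef7ae0d9983": "AutoHotkey.ahk / str.txt",
}
# Files named in this write-up whose hashes could not be recovered: match on name only.
IOC_FILENAMES = {"autohotkey.ahk", "str.txt", "aaa.exe", "buffister.bat", "tjekkedes.wsf", "hp.bat"}
IOC_C2_IPS = {"45.126.209.52"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, hashes=IOC_SHA256, names=IOC_FILENAMES):
    """Walk `root` and return (path, match_type, indicator) for every IOC hit.
    Hash matches are definitive; filename matches are leads that need manual review."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # locked or unreadable: skip it rather than abort the whole sweep
        if digest in hashes:
            hits.append((str(path), "sha256", hashes[digest]))
        elif path.name.lower() in names:
            hits.append((str(path), "filename", path.name))
    return hits


def sweep_connections(tcp_rows, c2_ips=IOC_C2_IPS):
    """Filter TCP-table rows (pid, process, remote_ip, remote_port) to those talking to known C2."""
    return [row for row in tcp_rows if row[2] in c2_ips]


def demo():
    """Constructed demo: a throwaway directory with one name-only hit and one hash hit."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "str.txt").write_text("38.5,45")                # name-only match
        (docs / "report.docx").write_bytes(b"benign content")    # no match
        known_bad = b"constructed payload"
        (docs / "update.bin").write_bytes(known_bad)             # hash match via an extra indicator
        extra = {**IOC_SHA256, hashlib.sha256(known_bad).hexdigest(): "demo payload"}
        return sweep_files(tmp, hashes=extra)


# Constructed TCP-table rows; the C2 address is the one from this case, the other is a
# documentation-range address standing in for ordinary browsing traffic.
TCP_TABLE = [
    (1234, "AppLaunch.exe", "45.126.209.52", 443),
    (5678, "chrome.exe", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
    print(sweep_connections(TCP_TABLE))
```

On a real asset point sweep_files at user profile roots first (Documents, Downloads, AppData) since that is where this intrusion lived, and treat a name-only hit on something as generic as hp.bat as a prompt to pull the file, not as a confirmed compromise.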
Conclusion
AsyncRAT’s stealthy operation over 30 days highlights the critical need for agile, comprehensive incident response. By leveraging Binalyze AIR and applying the Core Four Investigative Priorities to our investigation, we accelerated and transformed a challenging situation into actionable insights and immediately reinforced the client’s defenses.
With Binalyze AIR, investigations are faster, smarter, and more effective. Start your journey to resilience today. Learn more.