These days threat actors are hosting their encrypted malware in user familiar places such as Google Drive, OneDrive, Discord CDN, Pastebin amongst others and target a huge victim base. This abuse is not new for GitHub too, a popular code hosting platform. In this blog, we will be getting into the nuances of  AsyncRAT Backdoor hosted on the GitHub repository and its delivery mechanism, orchestrated in different stages. 

While monitoring the Twitter handles, we came across a tweet from @Glacius_ mentioning about the availability of AsyncRAT payload on GitHub as depicted in Figure 1.

Figure 1: Tweet from @Glacius_  about AsyncRAT

From Figure 2, we can notice that the above said attacker’s GitHub repository has multiple binaries. Contents of all these binaries are encoded in decimal format to avoid being identified and detected easily.

Figure 2: GitHub repository where the malware binaries are present

This GitHub account was created on January 8, 2021 which is managed by Mohamed-Sayed with only 1 follower as shown in Figure 3. Also, we noticed that the attacker has added 2 new PE files on Jan 31st, 2021 in the “NEW” repository; possibly the threat actor is planning for another campaign. On digging deeper, we found that this attack has multi-stage payloads and finally executes the main payloads facebook.dll and stub.exe which were not available in VirusTotal at the time of writing this blog. 

Figure 3:

Now, let’s get into the details about the multi-stage scripts and the main payloads. The complete flow of this attack and the multi-stage scripts used to execute the final payload using a process injector DLL has been depicted in Figure 4.

Figure  4: Process Flow of this Malware

The initial binary fww.exe, a .NET file downloads the first stage payload “encoding.txt” from “hxxp[:]//f0509448[.]xsph[.]ru/hjebWnlfsjdlPz/encoding[.]txt” ( ip: ) and executes the encoding.txt, a VBScript using “mshta.exe” as depicted in Figure 5. 

Figure 5: Initial binary which executes the VBScript

Decoding the 1st stage VBScript, we could see that it uses Wscript.Shell command to execute the PowerShell script using PowerShell.exe and download the second stage payload “all.txt” from the same URL and execute the downloaded file using Invoke-Expression (IEX) as depicted in Figure 6.

Figure 6: Use of VBScript to download second stage payload

The second stage payload all.txt; a PowerShell script, before proceeding further checks if predefined AV files are running in the system. For  instance, “AVAST : AvastUI.exe”, “ESET : ecmds.exe”, “KASPERSKY : avpui.exe”, “AVG : AVGUI.exe” as depicted in Figure 7.

Figure 7: Checks for Famous AVs existing in the system

Once it is confirmed that none of the specified AVs are present in the system, all.txt continues its execution.  It sets Servicepointmanager as TLS 1.2 security protocol (3072 represents TLS1.2 protocol) to communicate with its server through a secure channel and downloads the third stage payload “ps1.txt” binary from the server. It converts the hex value to ascii character using “[char] [byte]” instruction and stores the string in “asciiString” variable and executes it using Invoke-Expression as depicted in Figure 8.

Figure 8: PowerShell script is used to download ps1.txt

Removing all of the junk data from the PowerShell script, ps1.txt we can also see that it is downloading the DLL “hxxps[:]//raw[.]githubusercontent[.]com/hbankers/PE/main/PE03[.]txt” and the Hbanker exe file “hxxps[:]//raw[.]githubusercontent[.]com/hbankers/v1/main/Server[.]txt” as strings using “downloadstring” function. Now, ps1.txt script executes “Reflection.assembly::Load()” command 

to load the “HAPPY” method from the DLL, PE03.txt and execute the binary Server.txt (stored in the argument HCrypt of HAPPY method)   as depicted in Figure 9 and Figure 10.

Figure 9: 4th stage script after removing junks
Figure 10: List of APIs for Process Injection

APIs “ResumeThread, Wow64SetThreadContext, SetThreadContext, Wow64GetThreadContext, GetthreadContext, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, ZwUnmapViewOfSection, CreateProcessA” are used to inject the AsyncRAT payload (server.txt) in the memory of another file and then execute the same. This technique is called the ProcessHallowing – Injection Technique.

AsyncRAT (Server.txt) carries  multiple features like checking for Anti-analysing techniques, network connection using SSL certificate, persistence techniques etc. The attacker pre-defines the domain name, port number, ssl certificate, version, mutex, key etc., and its values are in a sophisticated base64 encoded format and to decode the string it uses aesCryptoServiceProvider in addition to base64 decoder to get the original value as depicted in Figure 11.

Figure 11: Decoded string of pre-defined values

The domain which attacker tries to connect is “fat7e0recovery[.]ddns[.]net” via the port number 6666 as depicted in Figure 12. The Mutex value is “AsyncMutex_6SI8OkPnk” and it also has a server certificate “CN=AsyncRAT Server” valid from 17-01-2021 to 31-12-9999. This SSL certificate is used to encrypt the packets between the compromised system and the server.

Figure 12: Connecting the domain using the port specified

In order to detect virtual machines, AsyncRAT uses Anti-analysis techniques like 

  • Checks if the disk size is less than or equal to 50GB 
  • Checks whether the OS is XP 
  • Looks for the VM names like “Virtualbox”, “vm” or “Virtual” strings in system manufacturing data 
  • Checks for SbieDll.dll in the system to detect sandboxie virtual machines 
  • Uses CheckRemoteDebuggerPresent API to check for debugger as depicted in Figure 13.
Figure 13: Anti-analysis Technique

To be persistent in the system, AsyncRAT confirms if the user login has admin privilege. If yes, it creates a scheduled task as depicted in Figure 14, where represents the currently running malware file.

Figure 14: Creates scheduled task using cmd

If the AsyncRAT does not run with admin privilege, it creates a run entry under CurrentUser\Run for persistence. Run registry key is in reversed order and the StrReverse command is employed to retrieve the actual data “Software\\Microsoft\\Windows\\CurrentVersion\\Run”  as depicted in Figure 15.

Figure 15: Run registry key for persistence


Attackers are not only very interested in creating new malware but also trying to use every single possibility to host/spread their payloads. In this case, AsyncRAT is spread using the credibility of popular code hosting platforms to evade detection from Anti-Virus engines. We are constantly monitoring such techniques and ensuring that we provide  proactive protection against such malware attacks. As always we recommend our customers to use the K7 security products  to protect your data and keep it updated to stay protected from the latest threats. 

Indicators Of Compromise (IOCs)

MD5File NameK7 Detection Name
527EE147DC7B2E5D768945DCC7D87326fww.exeTrojan-Downloader (005771b51)
4FAC2D80A7C3AEA83D61432F66A25B69Facebook.dllTrojan (004cf1da1)
416C48AEF6DDF720BE0D8B68DD2F0BD0stub.exeTrojan (005678321)


  • Fat7e0recovery[.]ddns[.]net:6666
  • hxxps[:]//raw[.]githubusercontent[.]com/hbankers/PE/main/PE03[.]txt
  • hxxps[:]//raw[.]githubusercontent[.]com/hbankers/v1/main/Server[.]txt
  • hxxp[:]//f0509448[.]xsph[.]ru/hjebWnlfsjdlPz/encoding[.]txt

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “GitHub – Home to AsyncRAT Backdoor”