
A Bag of RATs: VenomRAT vs. AsyncRAT | Rapid7 Blog

<!DOCTYPE html> <html class="no-js" lang="en" dir="ltr"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" charset="utf-8" /> <meta http-equiv="x-ua-compatible" content="ie=edge" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="preload" href="//opt.rapid7.com/edge-client/v1/13222550/21485331595" referrerpolicy="no-referrer-when-downgrade" as="script"> <link rel="preconnect" href="//logx.optimizely.com"> <title>A Bag of RATs: VenomRAT vs. AsyncRAT | Rapid7 Blog</title> <meta property="og:url" content="https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/" /> <link rel="canonical" href="https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/" /> <link rel="alternate" href="https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/" hreflang="en" /> <meta name="robots" content="index, follow" /> <meta name="title" content="A Bag of RATs: VenomRAT vs. AsyncRAT | Rapid7 Blog" /> <meta name="description" content="Remote access tools (RATs) like VenomRAT and AsyncRAT allow attackers to control systems remotely, enabling data theft, espionage, and victim monitoring." /> <meta property="og:title" content="A Bag of RATs: VenomRAT vs. AsyncRAT | Rapid7 Blog" /> <meta property="og:image" content="https://blog.rapid7.com/content/images/2024/11/GettyImages-2167356719.jpg" /> <meta name="twitter:image" content="https://blog.rapid7.com/content/images/2024/11/GettyImages-2167356719.jpg" /> <meta name="twitter:title" content="A Bag of RATs: VenomRAT vs. AsyncRAT | Rapid7 Blog"> <meta name="twitter:card" content="summary_large_image"> <meta property="og:site_name" content="Rapid7" /> <meta property="og:description" content="Remote access tools (RATs) like VenomRAT and AsyncRAT allow attackers to control systems remotely, enabling data theft, espionage, and victim monitoring." 
/> <link rel="stylesheet" href="/includes/css/all.min.css?cb=1731962207034"> <link rel="stylesheet" href="/includes/css/bundles/pages/page.blog-resources.min.css?cb=1731962207034" /> <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-featured-posts.min.css?cb=1731962207034" /> <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-single-post.min.css?cb=1731962207034" /> <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-related-posts.min.css?cb=1731962207034" /> <meta name="facetcat" content="blog" /> <script> var gIp = {"countryIsoCode":"SG","subdivisionIsoCode":null,"continentIsoCode":"AS"}; window.dataLayer = window.dataLayer || []; window.dataLayer.push({ 'conversionType': 'secondary', }); window.dataLayer.push({ 'auth': false }); window.dataLayer.push({ 'ip': '8.222.208.146' }); window.dataLayer.push({ 'isTrialUser': false, 'isCustomer': false }); </script> <script> window.dataLayer.push({ 'blog_post_tag': 'Malware,Threat Intel,Research' }); </script> <script src="https://opt.rapid7.com/edge-client/v1/13222550/21485331595" referrerpolicy="no-referrer-when-downgrade"></script> <script> (function (w, d, s, l, i) { w[l] = w[l] || []; w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' }); var f = d.getElementsByTagName(s)[0], j = d.createElement(s), dl = l != 'dataLayer' ? 
'&l=' + l : ''; j.async = true; j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f); })(window, document, 'script', 'dataLayer', 'GTM-WBTPTVC');</script> <link rel="icon" type="image/x-icon" href="/includes/img/favicon.ico"> <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Mulish:wght@800;900&family=Roboto:wght@300;400;700"> <link rel="preload" href="/includes/fonts/FFGoodProCompressedBlack/FFGoodProCompressedBlack.woff2" as="font" type="font/woff2" crossorigin="anonymous" /> <link rel="preload" href="/includes/fonts/FFGoodProCompressedBlack/FFGoodProCompressedBlack.woff" as="font" type="font/woff" crossorigin="anonymous" /> <script src="https://code.jquery.com/jquery-3.6.4.min.js" integrity="sha256-oP6HI9z1XaZNBrJURtCoUT5SUnxFr8s3BzRl+cbzUq8=" crossorigin="anonymous"></script> <script src="/includes/js/populateCountryState.js"></script> <script src="https://information.rapid7.com/js/forms2/js/forms2.min.js" ></script> <meta property="og:type" content="article" /> <meta property="article:published_time" content="2024-11-21T17:19:50" /> <meta property="article:modified_time" content="2024-11-22T21:40:05" /> <meta property="article:tag" content="Malware" /> <meta property="article:tag" content="Threat Intel" /> <meta property="article:tag" content="Research" /> <script src="//app-sj20.marketo.com/js/forms2/js/forms2.min.js"></script> <script type="application/ld+json"> { "@context":"https://schema.org", "@type":"Article", "publisher":{ "@type":"Organization", "name":"Rapid7 Blog", "logo":{ "@type":"ImageObject", "url":"https://www.rapid7.com/favicon.ico", "width":60, "height":60 } }, "author":{ "@type":"Person", "name":"Anna Širokova", "image":{ "@type":"ImageObject", "url":"https://blog.rapid7.com/assets/images/default-author-image.png" }, "url":"https://www.rapid7.com/blog/author/anna-sirokova/", "sameAs":[] }, "headline": "A Bag of RATs: VenomRAT vs. 
AsyncRAT", "url":"https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/", "image":{ "@type":"ImageObject", "url":"https://blog.rapid7.com/content/images/2024/11/GettyImages-2167356719.jpg" }, "keywords":"Malware, Threat Intel, Research", "description": "Remote access tools (RATs) like VenomRAT and AsyncRAT allow attackers to control systems remotely, enabling data theft, espionage, and victim monitoring.", "mainEntityOfPage":{ "@type":"WebPage", "@id":"https://www.rapid7.com/" }, "datePublished":"2024-11-21T17:19:50", "dateModified":"2024-11-22T21:40:05" } </script> <style type="text/css"> body .mktoForm .mktoFormCol, body .mktoForm .mktoFormRow { float: none; } #modal-subscribe h2 { padding-bottom: .25rem; } </style> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.3.1/styles/a11y-dark.min.css"> </head> <body class="pg-id-29536" data-page="29536"> <!-- Google Tag Manager (noscript) --> <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WBTPTVC" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <!-- End Google Tag Manager (noscript) --> <div id="__"></div> <!--[if lte IE 9]> <div id="ie-conditional"><spa>Your IE browser is out of date - Upgrade to the latest version of IE or Chrome for an optimal website experience.</span> <a href="https://support.microsoft.com/en-us/help/17621/internet-explorer-downloads" title="Upgrade IE Now" class="button smBtn darkClear" target="_blank">Upgrade IE Now</a> <button class="close-button" type="button" id="closeIEBar"> <img src="../includes/img/close_white.svg"> </button> </div> <![endif]--> <div class="off-canvas-wrapper"> <div class="off-canvas-wrapper-inner" data-off-canvas-wrapper> <div id="r7-global-nav"> <header class="r7-nav mobile show-main--init "><section class="search-bar search-bar--mobile hide animate-out"><form action="/search"><div class="container flex flex-jc-c flex-ai-c"><div class="search-content flex 
Trial</a><a class="to-top circle-button" tabindex="0"><i class="r7-icon r7-icon-arrow-chevron-up-solid"></i></a></div></div></nav></header> </div> <div class="off-canvas-content" data-off-canvas-content> <div id="menuOverlay" class="reveal-overlay"></div> <section class="longhero"> <div class="grid-container"> <div class="grid-x grid-padding-x expanded"> <div class="medium-12 cell"></div> </div> </div> </section> <div class="pageContent"> <section class="blog-single-post"> <div class="grid-container"> <div class="grid-x grid-padding-x"> <div class="small-12 medium-6 medium-offset-1 large-7 large-offset-1 cell blog-single-post__main-column"> <div class="grid-y"> <div class="blog-single-post__main-column--heading"> <h1>A Bag of RATs: VenomRAT vs. AsyncRAT</h1> <div> <ul class="blog-post-info"> <li class="date">Nov 21, 2024</li> <li class="time">7 min read</li> <li class="name"> <a href="/blog/author/anna-sirokova/">Anna Širokova</a> </li> </ul> <ul class="blog-post-social float-right"> <li><a href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/&amp;title=A+Bag+of+RATs%3a+VenomRAT+vs.+AsyncRAT&amp;summary=Remote+access+tools+(RATs)+have+long+been+a+favorite+tool+for+cyber+attackers%2c+since+they+enable+remote+control+over+compromised+systems+and+facilitate+data+theft%2c+espionage%2c+and+continuous+monitoring+of+victims.+Among+the+well-known+RATs+are+VenomRAT+and+AsyncRAT." 
class="linkedin" onclick="window.open(this.href, 'linkedin-share', 'width=520,height=570');return false;"></a></li> <li><a href="https://twitter.com/intent/tweet?text=A+Bag+of+RATs%3a+VenomRAT+vs.+AsyncRAT&amp;url=https%3a%2f%2fwww.rapid7.com%2fblog%2fpost%2f2024%2f11%2f21%2fa-bag-of-rats-venomrat-vs-asyncrat%2f" class="twitter-x" onclick="window.open(this.href, 'twitter-share', 'width=550,height=235');return false;"></a></li> <li><a href="https://www.facebook.com/sharer/sharer.php?u=https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/" class="facebook" onclick="window.open(this.href, 'facebook-share','width=580,height=296');return false;"></a></li> </ul> </div> </div> <div class="post-content"> <p><i class="updated-at">Last updated at Fri, 22 Nov 2024 21:40:05 GMT</i></p> <h2 id="introduction">Introduction</h2><!--kg-card-begin: markdown--><p>Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT. These are open-source RATs and have been making headlines for their frequent use by different threat actors, including Blind Eagle/APT-C-36, Coral Rider, NullBulge, and OPERA1ER. Both RATs have their roots in QuasarRAT, another open-source project, which explains their similarities. However, as both have evolved over time, they have diverged in terms of functionalities and behavior, which affects how attackers use them and how they are detected.</p> <!--kg-card-end: markdown--><p>Interestingly, as these RATs evolved, some security vendors have started to blur the line between them, often grouping detections under a single label, such as AsyncRAT or AsyncRAT/VenomRAT. This indicates how closely related the two are, but also suggests that their similarities may cause challenges for detection systems. 
We took a closer look at recent samples of each RAT to examine how they differ, if at all.</p><p>This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics.</p><!--kg-card-begin: markdown--><p>Here's a comparison table of VenomRAT and AsyncRAT based on our findings:</p> <table> <thead> <tr> <th><strong>Capability</strong></th> <th><strong>VenomRAT</strong></th> <th><strong>AsyncRAT</strong></th> </tr> </thead> <tbody> <tr> <td><strong>AMSI Bypass</strong></td> <td>✔ Patches AmsiScanBuffer in amsi.dll (In-memory patching) T1562.001</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>ETW Bypass</strong></td> <td>✔ Patches EtwEventWrite in ntdll.dll (In-memory patching) T1562.006</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>Keylogging</strong></td> <td>✔ Advanced keylogger with filtering and process tracking T1056.001</td> <td>✔ Basic keylogger with clipboard logging T1056.001</td> </tr> <tr> <td><strong>Anti-analysis Techniques</strong></td> <td>✔ Uses WMI for OS detection, VM check T1497.001</td> <td>✔ VM, sandbox, and debugger detection T1497</td> </tr> <tr> <td><strong>Hardware Interaction</strong></td> <td>✔ Collects CPU, RAM, GPU, and software data using WMI T1082</td> <td>✔ Collects system data via Win32_ComputerSystem T1082</td> </tr> <tr> <td><strong>Process discovery</strong></td> <td>✔ Can obtain a listing of running processes T1057</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>Anti-process Monitoring</strong></td> <td>✔ Terminates system monitoring and security processes T1562.009</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>Webcam Access</strong></td> <td>✔ Camera detection and access T1125</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>Dynamic API Resolution</strong></td> <td>✔ DInvokeCore class for dynamic API resolution T1027.007</td> <td>✘ Not implemented</td> </tr> <tr> <td><strong>Encrypts the 
configuration</strong></td> <td>✔ 16-byte salt (&quot;VenomRATByVenom&quot;) T1027.013</td> <td>✔ 32-byte binary salt T1027.013</td> </tr> <tr> <td><strong>Error Handling</strong></td> <td>✔ Silent failures with basic try-catch</td> <td>✔ Sends detailed error reports to C2 T1071</td> </tr> </tbody> </table> <!--kg-card-end: markdown--><h2 id="technical-analysis">Technical analysis</h2><p>In this technical analysis, we compare two specific RAT samples:</p><ul><li><strong>VenomRAT</strong>: 1574d418de3976fc9a2ba0be7bf734b919927d49bd5e74b57553dfc6eee67371</li><li><strong>AsyncRAT</strong>: caf9e2eac1bac6c5e09376c0f01fed66eea96acc000e564c907e8a1fbd594426</li></ul><p>Both AsyncRAT and VenomRAT are open-source remote access tools developed in C# and built on the .NET Framework (v4.0.30319). A preliminary analysis based on <a href="https://github.com/mandiant/capa/tree/master/web/explorer">CAPA</a> results revealed several shared characteristics between the two. For example, both RATs use standard libraries like <strong>System.IO</strong>, <strong>System.Security.Cryptography</strong>, and <strong>System.Net</strong> for file handling, encryption, and networking. They also have common cryptographic components such as <strong>HMACSHA256, AES,</strong> and <strong>SHA256Managed</strong>, indicating similar encryption routines. Indeed, upon closer code examination, we found that their encryption classes were identical, with only one minor difference: AsyncRAT uses a 32-byte binary <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)#:~:text=In%20cryptography%2C%20a%20salt%20is,needed%20for%20a%20successful%20attack.">salt</a>, while VenomRAT uses a 16-byte salt derived from the string "VenomRATByVenom". Additionally, both RATs share similarities in configuration handling, mutex creation, and parts of their anti-analysis class.</p><p>However, the CAPA analysis also highlighted distinct differences between the two. 
Certain features present in one RAT were notably absent in the other. To verify, we manually reviewed code in both samples and described the differences below.</p><h2 id="keylogging-and-system-hooking">Keylogging and System Hooking</h2><p>In the samples we analyzed the keylogger was present only in VenomRAT. However, the open-source version of AsyncRAT has a keylogger plugin. We therefore decided to investigate whether the VenomRAT keylogger implementation is the same as AsyncRAT’s implementation. Our findings suggest that the keylogging functionality is different. We summarized a comparative analysis of their keylogging implementations in the table below. Additionally, the VenomRAT keylogger configuration file<strong> DataLogs.conf </strong>and log files are saved in the user’s <strong>%AppData%\MyData</strong> folder.</p><!--kg-card-begin: markdown--><table> <thead> <tr> <th style="text-align:center">Feature</th> <th style="text-align:center">VenomRAT</th> <th style="text-align:center">AsyncRAT</th> </tr> </thead> <tbody> <tr> <td style="text-align:center">Low-level keyboard hook (WH_KEYBOARD_LL)</td> <td style="text-align:center">✔</td> <td style="text-align:center">✔</td> </tr> <tr> <td style="text-align:center">Keystroke Processing</td> <td style="text-align:center">✔</td> <td style="text-align:center">✔</td> </tr> <tr> <td style="text-align:center">Window/Process Tracking</td> <td style="text-align:center">Tracks both process and window title</td> <td style="text-align:center">Tracks window title only</td> </tr> <tr> <td style="text-align:center">Clipboard Logging</td> <td style="text-align:center">✘</td> <td style="text-align:center">✔</td> </tr> <tr> <td style="text-align:center">Log Transmission</td> <td style="text-align:center">Periodic log sending to C2</td> <td style="text-align:center">Continuous log sending to C2</td> </tr> <tr> <td style="text-align:center">Filtering Mechanism</td> <td style="text-align:center">✔</td> <td 
style="text-align:center">✘</td> </tr> <tr> <td style="text-align:center">Error Handling</td> <td style="text-align:center">Silent failures with basic try-catch</td> <td style="text-align:center">Sends detailed error reports to C2</td> </tr> <tr> <td style="text-align:center">Additional Features</td> <td style="text-align:center">Focused on keystrokes</td> <td style="text-align:center">Handles both keystrokes and clipboard</td> </tr> <tr> <td style="text-align:center">Thread Management</td> <td style="text-align:center">✘</td> <td style="text-align:center">✔</td> </tr> </tbody> </table> <!--kg-card-end: markdown--><h2 id="anti-analysis">Anti-Analysis</h2><p>Both AsyncRAT and VenomRAT have similar implementations of the anti-analysis classes. However, we can see notable differences. AsyncRAT focuses on a broad spectrum of detection techniques, including:</p><ul><li><strong>Virtual Machine Detection</strong>: It checks for known system manufacturer names such as VMware, VirtualBox, or Hyper-V.</li><li><strong>Sandbox Detection</strong>: It looks for sandbox-related DLLs, such as <strong>SbieDll.dll</strong> from Sandboxie.</li><li><strong>Debugger Detection</strong>: AsyncRAT uses <strong>CheckRemoteDebuggerPresent</strong> to detect if it's being monitored by a debugger.</li><li><strong>Disk Size Check</strong>: It avoids execution on machines with less than 60GB disk size.</li></ul><p>On the other hand, VenomRAT uses a more targeted approach. The virtual machine detection method in <strong>VenomRAT</strong> uses <strong>WMI</strong> (Windows Management Instrumentation) to query system memory via <strong>Win32_CacheMemory</strong>. The method counts the cache memory entries returned, and if there are fewer than 2, it assumes the system is a virtual machine (VM). 
However, modern VMs are more sophisticated, and simply relying on counting cache memories may not be effective.</p><p>The other difference is that, instead of targeting debuggers or sandboxes, VenomRAT attempts to avoid running on server operating systems by querying the <strong>Win32_OperatingSystem WMI</strong> class and checking the <strong>ProductType</strong>, which differentiates between desktop and server environments. We summarized class differences in the table below.</p><!--kg-card-begin: markdown--><table> <thead> <tr> <th>Feature</th> <th>AsyncRAT AntiAnalysis Class</th> <th>VenomRAT Anti_Analysis Class</th> </tr> </thead> <tbody> <tr> <td>VM Detection</td> <td>✔</td> <td>✔</td> </tr> <tr> <td>Sandbox Detection</td> <td>✔</td> <td>✘</td> </tr> <tr> <td>Debugger Detection</td> <td>✔</td> <td>✘</td> </tr> <tr> <td>Operating System Detection</td> <td>✔</td> <td>✔</td> </tr> <tr> <td>Process Discovery</td> <td>✘</td> <td>✔</td> </tr> </tbody> </table> <!--kg-card-end: markdown--><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.rapid7.com/content/images/2024/11/Screenshot-2024-11-20-at-3.25.49-PM.png" class="kg-image"><figcaption>Figure 1: Side-by-side comparison of the Anti-Analysis classes of AsyncRAT (left) and VenomRAT (right)</figcaption></figure><h2 id="hardware-interaction">Hardware Interaction</h2><p>VenomRAT has hardware interaction capabilities, allowing it to gather detailed system information through <strong>WMI queries</strong> with <strong>ManagementObjectSearcher</strong> objects. 
These features are encapsulated in the <strong>CGRInfo</strong> class, which enables the collection of CPU, RAM, GPU, and software data:</p><ul><li><strong>GetCPUName()</strong>: Retrieves the CPU name and the number of cores</li><li><strong>GetRAM()</strong>: Fetches the total installed physical memory (RAM)</li><li><strong>GetGPU()</strong>: Obtains the GPU name and driver version</li><li><strong>GetInstalledApplications()</strong>: Scans the Windows Registry to compile a list of installed applications</li><li><strong>GetUserProcessList()</strong>: Collects information on all running processes with visible windows</li></ul><p>The collected data is sent back to the command-and-control (C2) server. This class is absent in both the version of AsyncRAT we analyzed and the open-source version.</p><h2 id="dcrat-joined-the-party-with-antiprocess-and-camera-classes">DcRAT joined the party with AntiProcess and Camera classes</h2><p>VenomRAT includes two notable classes absent in AsyncRAT: the AntiProcess and Camera classes.</p><p>The AntiProcess class is an anti-monitoring and anti-detection component of VenomRAT. Malware uses the Windows API function <strong>CreateToolhelp32Snapshot</strong> to get a snapshot of all running processes and search for specific processes. 
We categorized the processes the malware is looking for below.</p><p><strong>System Monitoring Tools: </strong>Terminating them can prevent users from identifying or stopping VenomRAT.</p><ul><li>Taskmgr.exe</li><li>ProcessHacker.exe</li><li>procexp.exe</li></ul><p><strong>Security &amp; Antivirus Processes: </strong>Terminating them reduces the risk of VenomRAT being detected or removed by security software.</p><ul><li>MSASCui.exe</li><li>MsMpEng.exe</li><li>MpUXSrv.exe</li><li>MpCmdRun.exe</li><li>NisSrv.exe</li></ul><p><strong>System Configuration Utilities: </strong>By targeting these, VenomRAT prevents users from adjusting security settings, inspecting registry changes, or manually removing the malware.</p><ul><li>ConfigSecurityPolicy.exe</li><li>MSConfig.exe</li><li>Regedit.exe</li><li>UserAccountControlSettings.exe</li><li>Taskkill.exe</li></ul><p>If a matching process is found, the malware terminates it by its process ID (PID).</p><p>The Camera class is designed to detect webcams on a Windows system by querying the available system devices using COM interfaces. It retrieves a list of devices by category, specifically looking for video input devices. The class uses the <strong>ICreateDevEnum</strong> and <strong>IPropertyBag</strong> interfaces to enumerate and extract the device names.</p><p>However, both these classes, although absent in AsyncRAT, are not exclusive to VenomRAT. Apparently they are exact copies of classes from yet another open-source RAT, DcRAT.</p><h2 id="amsi-and-etw-bypass">AMSI and ETW Bypass</h2><p>This class was found only in the VenomRAT sample and is designed to bypass key Windows security mechanisms through in-memory patching. 
It specifically disables two critical Windows security features: AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), which are often used by antivirus software and monitoring tools to detect malware.</p><h4 id="key-functions-"><strong>Key Functions:</strong></h4><ul><li><strong>AMSI Bypass</strong>: The class patches the <strong>AmsiScanBuffer</strong> function within <strong>amsi.dll</strong> to prevent AMSI from scanning for malicious content.</li><li><strong>ETW Bypass</strong>: The class patches the <strong>EtwEventWrite</strong> function in <strong>ntdll.dll</strong>, which stops <strong>ETW</strong> from logging events related to the malware’s activity.</li></ul><p>The patching process is performed in-memory. The class dynamically checks the system's architecture (32-bit or 64-bit) and loads the appropriate DLLs (<strong>amsi.dll</strong> and <strong>ntdll.dll</strong>) to apply the patches based on the platform. The techniques used by VenomRAT closely mirror those found in the <a href="https://github.com/cobbr/SharpSploit/tree/master/SharpSploit/Evasion">SharpSploit</a> project, an open-source tool often used by penetration testers and red teams to test and bypass security features in a controlled environment. SharpSploit contains classes for bypassing both AMSI and ETW using similar in-memory patching methods, which likely served as inspiration for VenomRAT's implementation.</p><p>This security bypass functionality makes VenomRAT more capable of evading modern security defenses.</p><h2 id="dynamic-api-resolution">Dynamic API resolution</h2><p>VenomRAT has yet another class which is absent in AsyncRAT. 
The <strong>DInvokeCore</strong> class is implemented to<strong> </strong>dynamically resolve and call Windows API functions at runtime; this method bypasses traditional static imports, making it harder for antivirus and endpoint detection and response (EDR) systems to detect malicious activity.</p><p>Instead of statically importing Windows APIs, the class resolves function addresses at runtime (e.g., from <strong>ntdll.dll</strong> or <strong>kernel32.dll</strong>) using methods like <strong>GetLibraryAddress</strong> and <strong>GetExportAddress</strong>. This approach makes it difficult for static analysis tools to flag malicious behavior.</p><p>It uses the <strong>NtProtectVirtualMemory</strong> method to alter memory protection settings, allowing execution of code in memory regions that are normally non-executable—an effective method for in-memory execution of malicious payloads.</p><p>Implementation of <strong>DInvokeCore</strong> closely mirrors the open-source SharpSploit Generic class from the <a href="https://github.com/TheWover/DInvoke">D/Invoke</a> project by <a href="https://github.com/TheWover">TheWover</a>. The DInvokeCore class from VenomRAT appears to be a simplified version, which lacks some features but has core techniques for dynamic API invocation.</p><h2 id="conclusion">Conclusion</h2><p>Our analysis was sparked by detection vendors grouping VenomRAT and AsyncRAT under the same label, blurring the lines between the two. While they indeed belong to the QuasarRAT<strong> </strong>family, they are still different RATs.</p><p>AsyncRAT appears to closely match the latest open-source release (v0.5.8). However, the VenomRAT seems to have evolved and added other capabilities, although a lot of them seem to be a copy-paste from another open-source RAT (DcRAT) and the SharpSploit project. 
Despite this, VenomRAT presents more advanced evasion techniques, making it a more sophisticated threat.</p><p>Therefore, it’s important for security vendors to treat them as distinct threats, recognizing that VenomRAT brings more advanced evasion capabilities, even if much of it isn’t truly unique. To help to resolve this confusion, we are sharing an updated VenomRAT YARA rule with the community, helping improve detection and response efforts.</p><h2 id="rapid7-customers">Rapid7 customers</h2><p><a href="https://www.rapid7.com/products/insightidr/">InsightIDR</a> and <a href="https://www.rapid7.com/services/managed-detection-and-response-mdr/">Managed Detection and Response (MDR)</a> customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. The following rule will alert on a wide range of malicious hashes tied to behavior in this blog:  Suspicious Process - Malicious Hash On Asset</p><h2 id="yara-rule">YARA rule</h2><p>The VenomRAT YARA rule can be found on the <a href="https://github.com/rapid7/Rapid7-Labs/blob/main/Yara/mal_rat_VenomRAT.yar">Rapid7 Labs GitHub here</a>.<br></p> </div> </div> <div class="grid-y post-bottom-info__wrapper"> <div class="cell-padding"> <div class="post-bottom-info" id="post-bottom-info"> <div class="grid-x"> <div class="medium-12 large-6 cell text-center large-text-left smpad-btm"> <h4>POST TAGS</h4> <div class="tag-row wrapper-item"> <div class="blog-resources__tags"> <ul> <li> <a href="/blog/tag/malware-latest-news/" title="Malware">Malware</a> </li> <li> <a href="/blog/tag/threat-intel/" title="Threat Intel">Threat Intel</a> </li> <li> <a href="/blog/tag/research/" title="Research">Research</a> </li> </ul> </div> </div> <h4>SHARING IS CARING</h4> <ul class="blog-post-social"> <li> <a 
href="tel:866-772-7437">+1-866-772-7437 (Toll Free)</a> <div class="footer__breach"> <div class="footer__breach-title">Need to report an Escalation or a Breach?</div> <div class="footer__breach-contact"> <a aria-role="button" href="/services/incident-response-customer-escalation/" class="button mdBtn btn-primary r7-icon-lightning-bolt">Get Help</a> </div> </div> </div> <div class="footer__links-section footer__solutions"> <div class="footer__links-title">SOLUTIONS</div> <a class="link" href="/platform/">The Command Platform</a> <a class="link" href="/products/command/exposure-management/">Exposure Command</a> <a class="link" href="/services/managed-detection-and-response-mdr/">Managed Threat Complete</a> </div> </div> <div class="footer__links-col"> <div class="footer__links-section footer__support"> <div class="footer__links-title">SUPPORT & RESOURCES</div> <a class="link" href="https://www.rapid7.com/for-customers/">Product Support</a> <a class="link" href="https://www.rapid7.com/resources/">Resource Library</a> <a class="link" href="https://www.rapid7.com/customers/">Our Customers</a> <a class="link" href="https://www.rapid7.com/about/events-webcasts/">Events & Webcasts</a> <a class="link" href="https://www.rapid7.com/services/training-certification/">Training & Certification</a> <a class="link" href="https://www.rapid7.com/fundamentals/">Cybersecurity Fundamentals</a> <a class="link" href="https://www.rapid7.com/db/">Vulnerability & Exploit Database</a> </div> <div class="footer__links-section footer__about"> <div class="footer__links-title">ABOUT US</div> <a class="link" href="https://www.rapid7.com/about/company/">Company</a> <a class="link" href="https://www.rapid7.com/about/diversity-equity-and-inclusion/">Diversity, Equity, and Inclusion</a> <a class="link" href="https://www.rapid7.com/about/leadership/">Leadership</a> <a class="link" href="https://www.rapid7.com/about/news/">News & Press Releases</a> <a class="link" 
href="https://www.rapid7.com/about/public-policy/">Public Policy</a> <a class="link" href="https://www.rapid7.com/open-source/">Open Source</a> <a class="link" href="https://investors.rapid7.com/overview/default.aspx">Investors</a> </div> </div> <div class="footer__links-col"> <div class="footer__links-section footer__connect"> <div class="footer__links-title">CONNECT WITH US</div> <a class="link" href="https://www.rapid7.com/contact/">Contact</a> <a class="link" href="https://www.rapid7.com/blog/">Blog</a> <a class="link" href="https://insight.rapid7.com/login">Support Login</a> <a class="link" href="https://careers.rapid7.com/careers-home">Careers</a> <div class="footer__links-social"> <a class="linkedin no-new-open" aria-label="LinkedIn" href="https://www.linkedin.com/company/39624" target="_blank"></a> <a class="twitter-x no-new-open" aria-label="Twitter" href="https://twitter.com/Rapid7" target="_blank"></a> <a class="facebook no-new-open" aria-label="Facebook" href="https://www.facebook.com/rapid7" target="_blank"></a> <a class="instagram no-new-open" aria-label="Instagram" href="https://www.instagram.com/rapid7/" target="_blank"></a> </div> </div> </div> </div> </section> </div> <section class="footer__legal"> <div class="grid-container"> <div class="grid-x grid-padding-x"> <div class="medium-10 medium-offset-1 cell"> <div class="footer__legal-copyright">&copy; Rapid7</div> <div class="footer__legal-link"><a href="/legal/">Legal Terms</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/privacy-policy/">Privacy Policy</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/export-notice/">Export Notice</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/trust/">Trust</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href=""><a href="#" onclick="OneTrust.ToggleInfoDisplay(); return false;"> Do Not Sell or Share My Personal Information</a></a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a 
href=""><a href="#" onclick="OneTrust.ToggleInfoDisplay(); return false;">Cookie Preferences</a></a></div> </div> </div> </div> </section> <section class="contact-sticky"> <div class="grid-container"> <div class="grid-x grid-padding-x expanded"> <div id="stickyButtons" class="cell driftInit"> <div class="contactBtn"> <a id="sticky_contact_btn" role="button" tabindex="0" class="gray button"> Contact Us </a> </div> </div> </div> </div> </section> <div class="reveal light hasSidebar" id="stickyContact" data-reveal> <section class="contactForm"> <div class="grid-container"> <div class="grid-x grid-padding-x"> <div class="large-9 cell"> <form id="contactModal" class="formBlock freemail mkto contactModal" data-block-name="Contact Form Block"> <div id="intro"> <div id="thankyouText" style="display:none;" class="messageBox green"> <h4><span class="success">Success!</span> Thank you for submission. We will be in touch shortly.</h4> </div> <div id="errorText" style="display:none;" class="messageBox red"> <h4><span class="error">Oops!</span> There was a problem in submission. 
Please try again.</h4> </div> <div> <h2>Submit your information and we will get in touch with you.</h2> </div> </div> <fieldset> <p id="fieldInstruction" class="instructions">All fields are mandatory</p> <dl> <dd> <label for="firstName">First Name</label> <input id="firstName" type="text" name="firstName" autocomplete="given-name"> </dd> </dl> <dl> <dd> <label for="lastName">Last Name</label> <input id="lastName" type="text" name="lastName" autocomplete="family-name"> </dd> </dl> <dl> <dd> <label for="jobTitle">Job Title</label> <input id="jobTitle" type="text" name="jobTitle" autocomplete="organization-title"> </dd> </dl> <dl> <dd> <label for="jobLevel">Job Level</label> <select name="jobLevel" id="jobLevel" class="normalSelect dropdownSelect"> <option value="0">Job Level</option> <option value="Analyst">Analyst</option> <option value="System/Security Admin">System/Security Admin</option> <option value="Manager">Manager</option> <option value="Director">Director</option> <option value="VP">VP</option> <option value="CxO">CxO</option> <option value="Student">Student</option> <option value="Other">Other</option> </select> </dd> </dl> <dl> <dd> <label for="companyName">Company</label> <input id="companyName" type="text" name="companyName" autocomplete="organization"> </dd> </dl> <dl> <dd> <label for="email">Email</label> <input id="email" type="text" name="email" autocomplete="email"> </dd> </dl> <dl> <dd> <div class="intl-phone"> <label for="phone">Phone</label> <div class="flag-container"> <div class="selected-flag"> <div class="iti-flag"></div> </div> <ul class="country-list"></ul> </div> <input id="phone" type="text" name="phone" autocomplete="tel-national" /> </div> </dd> </dl> <dl> <dd> <label for="country">Country</label> <select name="country" id="country" class="form_SelectInstruction normalSelect" onchange="updateCountryData('#contactModal');"></select> </dd> </dl> <dl> <dd> <label for="state">State</label> <select name="state" id="state" 
class="form_SelectInstruction normalSelect dropdownSelect"></select> </dd> </dl> <dl class="clearfix expand"> <dd> <label for="contactType">Reason for Contact</label> <select name="contactType" id="contactType" class="normalSelect dropdownSelect"> <option value="0">- Select -</option> <option value="20437" data-subopts="20437|Request a Demo;20438|Get Pricing Info;20439|General">I&#39;d like to learn more about vulnerability management</option> <option value="20440" data-subopts="20440|Request a Demo;20441|Get Pricing Info;20442|General">I&#39;d like to learn more about application security</option> <option value="20443" data-subopts="20443|Request a Demo;20444|Get Pricing Info;20445|General">I&#39;d like to learn more about incident detection and response</option> <option value="20433" data-subopts="20433|Request a Demo;20446|Get Pricing Info;20447|General">I&#39;d like to learn more about cloud security</option> <option value="20448" data-subopts="">I&#39;d like to learn more about Rapid7 professional or managed services</option> <option value="20450" data-subopts="">I&#39;d like to learn more about visibility, analytics, and automation</option> <option value="20434" data-subopts="20434|Request a Demo;20435|Get Pricing Info;20436|General">I&#39;d like to learn more about building a comprehensive security program</option> <option value="21019" data-subopts="21019|Request a demo;21021|Get Pricing Info;21020|General">I&#39;d like to learn more about threat intelligence.</option> </select> </dd> </dl> <dl class="clearfix expand" id="contactTypeSecondaryParent" style="display:none;"> <dd> <label for="contactTypeSecondary" class="sr-only">- Select -</label> <select name="contactTypeSecondary" id="contactTypeSecondary" class="normalSelect dropdownSelect"> <option value="0">- Select -</option> </select> </dd> </dl> <dl class="clearfix expand hide" id="howDidYouHearParent" > <dd> <label for="howDidYouHear">How did you hear about us?</label> <input id="howDidYouHear" 
type="text" name="howDidYouHear"> </dd> </dl> <dl class="expand" id="consultant" style="display: none;"> <dd> <input id="consultantField" type="checkbox" class="r7-check"> <label for="consultantField">I am a consultant, partner, or reseller.</label> </dd> </dl> <dl class="expand checkboxContainer" id="optout" style="display:none;"> <dd> <input id="explicitOptOut" type="checkbox" class="r7-check"> <label for="explicitOptOut">I do not want to receive emails regarding Rapid7's products and services.</label> </dd> <dd> <div class="disc"> <p>Issues with this page? Please email <a href="mailto:info@rapid7.com">info@rapid7.com</a>. Please see updated <a href="/privacy-policy/">Privacy Policy</a></p> </div> </dd> </dl> <dl class="expand captchaDisclaimer"> <dd> <p class="text-left" style="font-size: 0.75rem; line-height: 1.25rem;">This site is protected by reCAPTCHA and the Google <a href="https://policies.google.com/privacy" target="_blank">Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</p> </dd> </dl> <dl class="captchaBlock"> <dd> <div class="g-recaptcha" data-size="invisible" data-sitekey="6Lc2JFwaAAAAAI4X5Ix2Jxu7lyXDUVm1U3sATX7a"></div> </dd> </dl> <dl class="expand"> <dd><button class="submit button btn-primary mdBtn">Submit</button></dd> </dl> <input type="hidden" id="formName" value="ContactPage"> <input type="hidden" id="contactUsFormURL" value="https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-asyncrat/"> <input type="hidden" id="landorExpand" value="land"> </fieldset> </form> <script src="//www.google.com/recaptcha/api.js?hl=en&render=6Lc2JFwaAAAAAI4X5Ix2Jxu7lyXDUVm1U3sATX7a"></script> </div> <div class="large-3 cell sidebar"> <p><img class="logo" src="/includes/img/logo-black.png" alt="Rapid7 logo" data-src="/includes/img/logo-black.png"></p> <h3>General:</h3> <p><a href="mailto:info@rapid7.com">info@rapid7.com</a></p> <h3>Sales:</h3> <p><a 
href="tel:1-866-772-7437">+1-866-772-7437</a><br><a href="mailto:sales@rapid7.com">sales@rapid7.com</a></p> <h3>Support:</h3> <p><a href="tel:1-866-390-8113">+1&ndash;866&ndash;390&ndash;8113 (toll free)</a><br><a href="mailto:support@rapid7.com">support@rapid7.com</a></p> <h3>Incident Response:</h3> <p><a href="tel:1-844-787-4937">1-844-727-4347</a></p> <p><a class="view_more" href="/contact/">More Contact Info</a></p> </div> </div> </div> </section> <button class="close-button" data-close="" aria-label="Close reveal" type="button"></button> </div> </footer> <div class="reveal light" id="modal-subscribe" data-reveal> <h2>Never miss a blog</h2> <p>Get the latest stories, expertise, and news about security today.</p> <form id="mktoForm_4144"></form> <div id="thankyou" style="display: none;">You’re almost done! <br> Check your email to confirm your subscription.</div> <script> if (typeof MktoForms2 === 'undefined') { $('body').addClass('load'); } else { MktoForms2.loadForm("//information.rapid7.com", "411-NAK-970", 4144, function (form) { form.onSuccess(function (values, followUpUrl) { window.dataLayer.push({ 'event': 'form_submit_success' }); form.getFormElem().hide(); document.getElementById("thankyou").style.display = "block"; return false; }); }); } </script> <button class="close-button" data-close="" aria-label="Close reveal" type="button"></button> </div> </div> </div> </div> <!-- scripts --> <script src="/includes/js/all.min.js?cb=1731962207034"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.3.1/highlight.min.js"></script> <script> (function ($) { $(document).ready(function () { // Handle subscribe button click $('.subscribe-btn').on('click', function () { $('#modal-subscribe').foundation('open'); }); }); $(window).on("load", function () { // Highlight Metasploit console snippets hljs.registerLanguage('msf', function () { return { name: 'msf', keywords: {}, contains: [ { scope: 'prompt.name', begin: '^(msf\\d?|meterpreter)', 
relevance: 10 }, { begin: ' (exploit|payload|auxiliary|encoder|evasion|post|nop)\\(', end: '>', scope: 'test', contains: [ { scope: 'prompt.mod', begin: '(?!\\()([\\w/]+)(?=\\))' }, ] }, { scope: 'error', begin: '^\\[\\-\\]' }, { scope: 'good', begin: '^\\[\\+\\]' }, { scope: 'status', begin: '^\\[\\*\\]' }, { scope: 'warning', begin: '^\\[\\!\\]' }, hljs.QUOTE_STRING_MODE ], illegal: '\\S' }; }); hljs.highlightAll(); }); })(jQuery); </script> <script></script> <script src="/includes/js/bundles/shared/vidyard.min.js?cb=1731962207034" async defer></script> <script src="/includes/js/bundles/blocks/block.blog-tags-list.min.js?cb=1731962207034" async defer></script> <style type="text/css"> .blog-single-post__main-column .post-content a.subscribe-btn { color:#fff; } </style> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10