| download: | /mertcuan/borat-rat/releases/download/borat/Borat.rar |
| Full analysis: | https://app.any.run/tasks/d5145f2c-e653-40d8-bd0d-cfd87a43c6bc |
| Verdict: | Malicious activity |
| Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date: | July 06, 2024, 17:16:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | E3B10D235C365AC49D6855DF0432BB76 |
| SHA1: | 4CE182C19796CF8D4C017FDD8FD4B390DE1EAC7E |
| SHA256: | 53CDC49C7FB83B419C07EDB45C544B106AAA37DB00E8A37211678AF6350A82F1 |
| SSDEEP: | 196608:XrmtNiLocMQin2MKY9U6Qw9w/ZpX4ff5c4lgg0:7mt5tn2y9Woff5c4G |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3348)
Actions looks like stealing of personal data
- WinRAR.exe (PID: 3348)
ASYNCRAT has been detected (YARA)
- BoratRat.exe (PID: 3196)
SUSPICIOUS
The process creates files with name similar to system file names
- WinRAR.exe (PID: 3348)
Reads security settings of Internet Explorer
- BoratRat.exe (PID: 3196)
Reads the Internet Settings
- BoratRat.exe (PID: 3196)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3348)
Checks supported languages
- BoratRat.exe (PID: 3196)
- Client.exe (PID: 3572)
Reads the machine GUID from the registry
- BoratRat.exe (PID: 3196)
- Client.exe (PID: 3572)
Manual execution by a user
- BoratRat.exe (PID: 3196)
- Client.exe (PID: 3572)
Reads Environment values
- BoratRat.exe (PID: 3196)
- Client.exe (PID: 3572)
Reads Microsoft Office registry keys
- BoratRat.exe (PID: 3196)
Reads the computer name
- BoratRat.exe (PID: 3196)
- Client.exe (PID: 3572)
Creates files or folders in the user directory
- BoratRat.exe (PID: 3196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
41
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3196 | "C:\Users\admin\Desktop\Borat\BoratRat.exe" | C:\Users\admin\Desktop\Borat\BoratRat.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: BoratRat Version: 1.0.7.0 Modules
| |||||||||||||||
| 3348 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Borat.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 3572 | "C:\Users\admin\Desktop\Borat\Client.exe" | C:\Users\admin\Desktop\Borat\Client.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Version: 1.0.7.0 Modules
| |||||||||||||||
Total events
13 139
Read events
13 035
Write events
97
Delete events
7
Modification events
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Borat.rar | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3348) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
24
Suspicious files
4
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\ip2region.db | — | |
MD5:— | SHA256:— | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Audio.dll | executable | |
MD5:9726D7FE49C8BA43845AD8E5E2802BB8 | SHA256:DF31A70CEB0C481646EEAF94189242200FAFD3DF92F8B3EC97C0D0670F0E2259 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Extra.dll | executable | |
MD5:62C231BAFA469AB04F090FCB4475D360 | SHA256:6A4F32B0228092CE68E8448C6F4B74B4C654F40FB2D462C1D6BBD4B4EF09053D | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Options.dll | executable | |
MD5:3A474B8DEE059562B31887197D94F382 | SHA256:C9B8E795C5A024F9E3C85BA64534B9BF52CC8C3D29B95FF6417DC3A54BC68B95 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\FileSearcher.dll | executable | |
MD5:0B7C33C5739903BA4F4B78C446773528 | SHA256:2D9625F41793F62BFE32C10B2D5E05668E321BCAF8B73414B3C31EF677B9BFF4 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\FileManager.dll | executable | |
MD5:4CCD3DFB14FFDDDFA598D1096F0190EA | SHA256:7F8A306826FCB0EE985A2B6D874C805F7F9B2062A1123EA4BB7F1EBA90FC1B81 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Information.dll | executable | |
MD5:87651B12453131DAFD3E91F60D8AEF5A | SHA256:A15D72D990686D06D89D7E11DF2B16BCD5719A40298C19D046FA22C40D56AF44 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Fun.dll | executable | |
MD5:499FC6AC30B3B342833C79523BE4A60C | SHA256:DCAC599B1BAB37E1A388AC469E6CC5DE1F35EB02BEAA6778F07A1C090CE3EA04 | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Netstat.dll | executable | |
MD5:12911F5654D6346FE99EF91E90849C13 | SHA256:7EED1B90946A6DB1FE978D177A80542B5DB0BF3156C979DC8A8869A94811BF4B | |||
| 3348 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3348.1892\Borat\bin\Keylogger.exe | executable | |
MD5:A45679BDCF30F068032BD37A194FA175 | SHA256:16BEB1AE2DE2974CCC2371D9F619F492295E590ABB65D3102E362C8EC27F2BBB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 23.50.131.200:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 239.255.255.250:3702 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1372 | svchost.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
1060 | svchost.exe | 23.50.131.200:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |