File name:	Borat.7z.zip
Full analysis:	https://app.any.run/tasks/8e5cbea8-be5c-467c-bcc7-5fed51a00e1f
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	June 18, 2024, 23:24:22
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	asyncrat uac
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	4ECD7D61FD44BA9B00F9FFFE56104AEA
SHA1:	99B41343D4208B84737D2D14EA89DF52A0265CBD
SHA256:	6DB561AB725644112034E859CEC376DB6A522ED25BE6D7C584A13010BE015845
SSDEEP:	98304:k91etKPlcheaO2oxQisWOIs7RVIFH4XT9MF1n3CWsYtif0tNovTskyH964CCRzPo:h6OIAGw4FOdNJ9XA78Gohf

ZipRequiredVersion:	51
ZipBitFlag:	0x0009
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:06:18 23:23:48
ZipCRC:	0xe7150820
ZipCompressedSize:	9109042
ZipUncompressedSize:	9106234
ZipFileName:	Borat.7z


(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500A916BAAED6C1DA01
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Borat.7z.zip
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(4388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:

PID	Process	Filename		Type
3448	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3448.38963\Borat.7z		—
		MD5:—	SHA256:—
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\ip2region.db		—
		MD5:—	SHA256:—
3448	WinRAR.exe	C:\USERS\ADMIN\APPDATA\ROAMING\WINRAR\VERSION.DAT		binary
		MD5:7D31876EB47AE2A3B79B683AD9C48371	SHA256:BE9A37D971EBE7B68B38B9E4542A7BAB833ADF0729DA244864F2405B000BC59B
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\ServerCertificate.p12		der
		MD5:478EE44A47895E687296B9AB34DF04C4	SHA256:4B0612B2CD5E7ECC456D5C29C89917B8EC881C5F4FD94AFE157098CA96308781
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BackupCertificate.zip		compressed
		MD5:9322F71EDD95192E1F4D275BFD6D87F3	SHA256:F13033134C386E85A1E9009E863A3E6380438F83E3336B76A33E701A88F64946
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BoratRat.exe		executable
		MD5:65B694D69D327EFE28FCBCE125401E96	SHA256:DE60ECBBFEF30C93FE8875EF69B358B20076D1F969FC3D21AB44D59DC9EF7CAB
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\Discord.dll		executable
		MD5:7EE673594BBB20F65448AAB05F1361D0	SHA256:8FA7634B7DCA1A451CF8940429BE6AD2440821ED04D5D70B6E727E5968E0B5F6
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BoratRat.exe.config		xml
		MD5:3E645CCCA1C44A00210924A3B0780955	SHA256:F29E697EFD7C5ECB928C0310EA832325BF6518786C8E1585E1B85CDC8701602F
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\Audio.dll		executable
		MD5:9726D7FE49C8BA43845AD8E5E2802BB8	SHA256:DF31A70CEB0C481646EEAF94189242200FAFD3DF92F8B3EC97C0D0670F0E2259
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\FileSearcher.dll		executable
		MD5:0B7C33C5739903BA4F4B78C446773528	SHA256:2D9625F41793F62BFE32C10B2D5E05668E321BCAF8B73414B3C31EF677B9BFF4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
5480	SystemSettings.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
2828	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?87b8ae9d9866baf0	unknown	—	—	unknown
2828	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?a0fe5b62d776de37	unknown	—	—	unknown
2828	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?aba3df5823c7890e	unknown	—	—	unknown
3984	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4552	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
1332	svchost.exe	2.18.64.200:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
1332	svchost.exe	2.18.64.212:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
3984	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1088	svchost.exe	104.110.17.248:80	go.microsoft.com	AKAMAI-AS	NO	unknown
3984	svchost.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	unknown
3984	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2844	svchost.exe	20.42.65.85:443	v10.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2844	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
login.live.com	20.190.159.2 20.190.159.64 20.190.159.23 20.190.159.4 20.190.159.68 20.190.159.75 40.126.31.67 20.190.159.0 40.126.31.69 40.126.31.73 20.190.159.73	whitelisted
go.microsoft.com	104.110.17.248	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
v10.events.data.microsoft.com	20.42.65.85	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
self.events.data.microsoft.com	20.42.73.28	whitelisted
fs.microsoft.com	104.110.31.147	whitelisted
v20.events.data.microsoft.com	52.168.112.66	whitelisted
dns.msftncsi.com	131.107.255.255 fd3e:4f5a:5b81::1	shared

Process	Message
TiWorker.exe	Populating UpdatePolicy AllowList
TiWorker.exe	All policies are allowed
TiWorker.exe
TiWorker.exe	SKU MDM licensing allow list string from SLAPI:
TiWorker.exe	AboveLock\|Accounts\|ActiveXControls\|ADMXIngest\|AllowMessageSync\|AppHVSI\|ApplicationDefaults\|AllowAllTrustedApps\|AllowAppStoreAutoUpdate\|AllowAutomaticAppArchiving\|AllowDeveloperUnlock\|AllowGameDVR\|AllowSharedUserAppData\|ApplicationRestrictions\|Audit\|ConfigureChatIcon\|LaunchAppAfterLogOn\|MSIAllowUserControlOverInstall\|MSIAlwaysInstallWithElevatedPrivileges\|RestrictAppDataToSystemVolume\|RestrictAppToSystemVolume\|AppRuntime\|AttachmentManager\|Authentication\|Autoplay\|BitLocker\|BITS\|Bluetooth\|Browser\|Camera\|Cellular\|Connectivity\|ControlPolicyConflict\|CredentialProviders\|CredentialsDelegation\|CredentialsUI\|Cryptography\|DataProtection\|DataUsage\|Defender\|DeliveryOptimization\|Desktop\|ConfigureSystemGuardLaunch\|EnableVirtualizationBasedSecurity\|DeviceHealthMonitoring\|DeviceInstallation\|DeviceLock\|Display\|DmaGuard\|ErrorReporting\|Eap\|Education\|EnterpriseCloudPrint\|EventLogService\|AllowClipboardHistory\|AllowCopyPaste\|AllowCortana\|AllowDeviceDiscovery\|AllowManualMDMUnenrollment\|AllowSaveAsOfOfficeFiles\|AllowScreenCapture\|AllowSharingOfOfficeFiles\|AllowSIMErrorDialogPromptWhenNoSIM\|AllowSyncMySettings\|AllowTailoredExperiencesWithDiagnosticData\|AllowTaskSwitcher\|AllowThirdPartySuggestionsInWindowsSpotlight\|AllowVoiceRecording\|DoNotShowFeedbackNotifications\|DoNotSyncBrowserSettings\|AllowFindMyDevice\|ExploitGuard\|Feeds\|FileExplorer\|Games\|Handwriting\|HumanPresence\|InternetExplorer\|Kerberos\|KioskBrowser\|Knobs\|LanmanWorkstation\|Licensing\|LocalPoliciesSecurityOptions\|LocalUsersAndGroups\|Lockdown\|Maps\|MemoryDump\|MSSecurityGuide\|MSSLegacy\|Multitasking\|NetworkIsolation\|NetworkListManager\|NewsAndInterests\|Notifications\|OneDrive\|Power\|Printers\|Privacy\|RemoteAssistance\|RemoteDesktopServices\|RemoteDesktop\|RemoteManagement\|RemoteProcedureCall\|RemoteShell\|RestrictedGroups\|Search\|Security\|Settings\|SmartScreen\|Speech\|Start\|Storage\|System\|SystemServices\|TaskManager\|TaskScheduler\|TenantRestrictions\|TextInput\|TimeLanguageSettings\|Troubleshooting\|Update\|UserRights\|VirtualizationBasedTechnology\|WiFi\|WindowsLogon\|WirelessDisplay\|Location\|WindowsAutopilot\|WindowsConnectionManager\|WindowsDefenderSecurityCenter\|WindowsInkWorkspace\|WindowsPowerShell\|WindowsSandbox\|WiredNetwork\|ADMX_

General Info

Borat.7z.zip

4ECD7D61FD44BA9B00F9FFFE56104AEA

99B41343D4208B84737D2D14EA89DF52A0265CBD

6DB561AB725644112034E859CEC376DB6A522ED25BE6D7C584A13010BE015845

98304:k91etKPlcheaO2oxQisWOIs7RVIFH4XT9MF1n3CWsYtif0tNovTskyH964CCRzPo:h6OIAGw4FOdNJ9XA78Gohf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

ASYNCRAT has been detected (YARA)

Drops the executable file immediately after the start

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Bypass User Account Control (Modify registry)

Bypass User Account Control (fodhelper)

SUSPICIOUS

Reads the Internet Settings

The process creates files with name similar to system file names

Reads security settings of Internet Explorer

The process checks if it is being run in the virtual environment

Creates file in the systems drive root

Executable content was dropped or overwritten

Reads settings of System Certificates

Uses WMIC.EXE to obtain local storage devices information

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain commands that are run when users log in

Process uses IPCONFIG to discover network configuration

Get information on the list of running processes

Process uses ARP to discover network configuration

Starts SC.EXE for service management

Uses ROUTE.EXE to obtain the routing table information

Suspicious use of NETSH.EXE

Reads the date of Windows installation

Changes default file association

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Reads Environment values

Reads the software policy settings

Reads security settings of Internet Explorer

Reads the time zone

Reads the Internet Settings

Reads Microsoft Office registry keys

Reads Windows Product ID

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules