File name:	Borat.7z.zip
Full analysis:	https://app.any.run/tasks/8e5cbea8-be5c-467c-bcc7-5fed51a00e1f
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	June 18, 2024, 23:24:22
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	asyncrat uac
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	4ECD7D61FD44BA9B00F9FFFE56104AEA
SHA1:	99B41343D4208B84737D2D14EA89DF52A0265CBD
SHA256:	6DB561AB725644112034E859CEC376DB6A522ED25BE6D7C584A13010BE015845
SSDEEP:	98304:k91etKPlcheaO2oxQisWOIs7RVIFH4XT9MF1n3CWsYtif0tNovTskyH964CCRzPo:h6OIAGw4FOdNJ9XA78Gohf

ZipRequiredVersion:	51
ZipBitFlag:	0x0009
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:06:18 23:23:48
ZipCRC:	0xe7150820
ZipCompressedSize:	9109042
ZipUncompressedSize:	9106234
ZipFileName:	Borat.7z


(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	VerInfo
Value: 005B0500A916BAAED6C1DA01
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Borat.7z.zip
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3448) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(4388) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:

PID	Process	Filename		Type
3448	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3448.38963\Borat.7z		—
		MD5:—	SHA256:—
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\ip2region.db		—
		MD5:—	SHA256:—
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BoratRat.exe		executable
		MD5:65B694D69D327EFE28FCBCE125401E96	SHA256:DE60ECBBFEF30C93FE8875EF69B358B20076D1F969FC3D21AB44D59DC9EF7CAB
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\Audio.dll		executable
		MD5:9726D7FE49C8BA43845AD8E5E2802BB8	SHA256:DF31A70CEB0C481646EEAF94189242200FAFD3DF92F8B3EC97C0D0670F0E2259
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\Information.dll		executable
		MD5:87651B12453131DAFD3E91F60D8AEF5A	SHA256:A15D72D990686D06D89D7E11DF2B16BCD5719A40298C19D046FA22C40D56AF44
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BackupCertificate.zip		compressed
		MD5:9322F71EDD95192E1F4D275BFD6D87F3	SHA256:F13033134C386E85A1E9009E863A3E6380438F83E3336B76A33E701A88F64946
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\FileSearcher.dll		executable
		MD5:0B7C33C5739903BA4F4B78C446773528	SHA256:2D9625F41793F62BFE32C10B2D5E05668E321BCAF8B73414B3C31EF677B9BFF4
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\FileManager.dll		executable
		MD5:4CCD3DFB14FFDDDFA598D1096F0190EA	SHA256:7F8A306826FCB0EE985A2B6D874C805F7F9B2062A1123EA4BB7F1EBA90FC1B81
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\BoratRat.exe.config		xml
		MD5:3E645CCCA1C44A00210924A3B0780955	SHA256:F29E697EFD7C5ECB928C0310EA832325BF6518786C8E1585E1B85CDC8701602F
4388	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa4388.39971\Borat\bin\Netstat.dll		executable
		MD5:12911F5654D6346FE99EF91E90849C13	SHA256:7EED1B90946A6DB1FE978D177A80542B5DB0BF3156C979DC8A8869A94811BF4B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1332	svchost.exe	GET	200	2.18.64.212:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	—
3984	svchost.exe	GET	304	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?951ec8ab5ba0455b	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
2868	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	—
1088	svchost.exe	POST	403	104.110.17.248:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	—
3984	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4552	svchost.exe	239.255.255.250:1900	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	unknown
1332	svchost.exe	2.18.64.200:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
1332	svchost.exe	2.18.64.212:80	—	Administracion Nacional de Telecomunicaciones	UY	unknown
3984	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1088	svchost.exe	104.110.17.248:80	go.microsoft.com	AKAMAI-AS	NO	unknown
3984	svchost.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	unknown
3984	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
2844	svchost.exe	20.42.65.85:443	v10.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2844	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
login.live.com	20.190.159.2 20.190.159.64 20.190.159.23 20.190.159.4 20.190.159.68 20.190.159.75 40.126.31.67 20.190.159.0 40.126.31.69 40.126.31.73 20.190.159.73	unknown
go.microsoft.com	104.110.17.248	unknown
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172	unknown
ocsp.digicert.com	192.229.221.95	unknown
v10.events.data.microsoft.com	20.42.65.85	unknown
settings-win.data.microsoft.com	51.104.136.2	unknown
self.events.data.microsoft.com	20.42.73.28	unknown
fs.microsoft.com	104.110.31.147	unknown
v20.events.data.microsoft.com	52.168.112.66	unknown
dns.msftncsi.com	131.107.255.255 fd3e:4f5a:5b81::1	unknown

Process	Message
TiWorker.exe	Populating UpdatePolicy AllowList
TiWorker.exe	All policies are allowed
TiWorker.exe
TiWorker.exe	SKU MDM licensing allow list string from SLAPI:
TiWorker.exe	AboveLock\|Accounts\|ActiveXControls\|ADMXIngest\|AllowMessageSync\|AppHVSI\|ApplicationDefaults\|AllowAllTrustedApps\|AllowAppStoreAutoUpdate\|AllowAutomaticAppArchiving\|AllowDeveloperUnlock\|AllowGameDVR\|AllowSharedUserAppData\|ApplicationRestrictions\|Audit\|ConfigureChatIcon\|LaunchAppAfterLogOn\|MSIAllowUserControlOverInstall\|MSIAlwaysInstallWithElevatedPrivileges\|RestrictAppDataToSystemVolume\|RestrictAppToSystemVolume\|AppRuntime\|AttachmentManager\|Authentication\|Autoplay\|BitLocker\|BITS\|Bluetooth\|Browser\|Camera\|Cellular\|Connectivity\|ControlPolicyConflict\|CredentialProviders\|CredentialsDelegation\|CredentialsUI\|Cryptography\|DataProtection\|DataUsage\|Defender\|DeliveryOptimization\|Desktop\|ConfigureSystemGuardLaunch\|EnableVirtualizationBasedSecurity\|DeviceHealthMonitoring\|DeviceInstallation\|DeviceLock\|Display\|DmaGuard\|ErrorReporting\|Eap\|Education\|EnterpriseCloudPrint\|EventLogService\|AllowClipboardHistory\|AllowCopyPaste\|AllowCortana\|AllowDeviceDiscovery\|AllowManualMDMUnenrollment\|AllowSaveAsOfOfficeFiles\|AllowScreenCapture\|AllowSharingOfOfficeFiles\|AllowSIMErrorDialogPromptWhenNoSIM\|AllowSyncMySettings\|AllowTailoredExperiencesWithDiagnosticData\|AllowTaskSwitcher\|AllowThirdPartySuggestionsInWindowsSpotlight\|AllowVoiceRecording\|DoNotShowFeedbackNotifications\|DoNotSyncBrowserSettings\|AllowFindMyDevice\|ExploitGuard\|Feeds\|FileExplorer\|Games\|Handwriting\|HumanPresence\|InternetExplorer\|Kerberos\|KioskBrowser\|Knobs\|LanmanWorkstation\|Licensing\|LocalPoliciesSecurityOptions\|LocalUsersAndGroups\|Lockdown\|Maps\|MemoryDump\|MSSecurityGuide\|MSSLegacy\|Multitasking\|NetworkIsolation\|NetworkListManager\|NewsAndInterests\|Notifications\|OneDrive\|Power\|Printers\|Privacy\|RemoteAssistance\|RemoteDesktopServices\|RemoteDesktop\|RemoteManagement\|RemoteProcedureCall\|RemoteShell\|RestrictedGroups\|Search\|Security\|Settings\|SmartScreen\|Speech\|Start\|Storage\|System\|SystemServices\|TaskManager\|TaskScheduler\|TenantRestrictions\|TextInput\|TimeLanguageSettings\|Troubleshooting\|Update\|UserRights\|VirtualizationBasedTechnology\|WiFi\|WindowsLogon\|WirelessDisplay\|Location\|WindowsAutopilot\|WindowsConnectionManager\|WindowsDefenderSecurityCenter\|WindowsInkWorkspace\|WindowsPowerShell\|WindowsSandbox\|WiredNetwork\|ADMX_

General Info

Borat.7z.zip

4ECD7D61FD44BA9B00F9FFFE56104AEA

99B41343D4208B84737D2D14EA89DF52A0265CBD

6DB561AB725644112034E859CEC376DB6A522ED25BE6D7C584A13010BE015845

98304:k91etKPlcheaO2oxQisWOIs7RVIFH4XT9MF1n3CWsYtif0tNovTskyH964CCRzPo:h6OIAGw4FOdNJ9XA78Gohf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Drops the executable file immediately after the start

ASYNCRAT has been detected (YARA)

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Bypass User Account Control (Modify registry)

Bypass User Account Control (fodhelper)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the Internet Settings

The process checks if it is being run in the virtual environment

The process creates files with name similar to system file names

Creates file in the systems drive root

Reads settings of System Certificates

Uses WMIC.EXE to obtain local storage devices information

Starts CMD.EXE for commands execution

Process uses ARP to discover network configuration

Uses WMIC.EXE to obtain commands that are run when users log in

Get information on the list of running processes

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Starts SC.EXE for service management

Reads the date of Windows installation

Suspicious use of NETSH.EXE

Changes default file association

Executable content was dropped or overwritten

INFO

Manual execution by a user

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Drops the executable file immediately after the start

Creates files or folders in the user directory

Create files in a temporary directory

Reads the software policy settings

Reads Environment values

Reads security settings of Internet Explorer

Reads the time zone

Reads the Internet Settings

Reads Microsoft Office registry keys

Reads Windows Product ID

Reads CPU info

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules