File name:	Borat.7z
Full analysis:	https://app.any.run/tasks/7c5826c0-b1b0-4656-bb7f-182c374e6ade
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	June 11, 2024, 23:51:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	asyncrat uac
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	43C20E4EE2DD87C70DD0ED082DC74431
SHA1:	71051DEE5D0480B8AA30A599A95D0AD928F7BB9E
SHA256:	B2F4CC95E54ACC818410D79072CCD44A4DBB21AFAD82C2A4608B7B52F1502867
SSDEEP:	98304:4mnI+WmnzFhcWMOo/5ucNWw7tq3o280CB6oWprH0Vtcpot+FfRT5apCeiFqQgijQ:BtYHMwzJ4hoHQLs

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)


(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Borat.7z
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp

PID	Process	Filename		Type
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\ip2region.db		—
		MD5:—	SHA256:—
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\BackupCertificate.zip		compressed
		MD5:9322F71EDD95192E1F4D275BFD6D87F3	SHA256:F13033134C386E85A1E9009E863A3E6380438F83E3336B76A33E701A88F64946
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\BoratRat.exe		executable
		MD5:65B694D69D327EFE28FCBCE125401E96	SHA256:DE60ECBBFEF30C93FE8875EF69B358B20076D1F969FC3D21AB44D59DC9EF7CAB
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\Keylogger.exe		executable
		MD5:A45679BDCF30F068032BD37A194FA175	SHA256:16BEB1AE2DE2974CCC2371D9F619F492295E590ABB65D3102E362C8EC27F2BBB
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\Extra.dll		executable
		MD5:62C231BAFA469AB04F090FCB4475D360	SHA256:6A4F32B0228092CE68E8448C6F4B74B4C654F40FB2D462C1D6BBD4B4EF09053D
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\BoratRat.exe.config		xml
		MD5:3E645CCCA1C44A00210924A3B0780955	SHA256:F29E697EFD7C5ECB928C0310EA832325BF6518786C8E1585E1B85CDC8701602F
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\ServerCertificate.p12		der
		MD5:478EE44A47895E687296B9AB34DF04C4	SHA256:4B0612B2CD5E7ECC456D5C29C89917B8EC881C5F4FD94AFE157098CA96308781
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\Discord.dll		executable
		MD5:7EE673594BBB20F65448AAB05F1361D0	SHA256:8FA7634B7DCA1A451CF8940429BE6AD2440821ED04D5D70B6E727E5968E0B5F6
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\Audio.dll		executable
		MD5:9726D7FE49C8BA43845AD8E5E2802BB8	SHA256:DF31A70CEB0C481646EEAF94189242200FAFD3DF92F8B3EC97C0D0670F0E2259
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6492.21656\Borat\bin\FileManager.dll		executable
		MD5:4CCD3DFB14FFDDDFA598D1096F0190EA	SHA256:7F8A306826FCB0EE985A2B6D874C805F7F9B2062A1123EA4BB7F1EBA90FC1B81

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2384	svchost.exe	GET	200	23.45.13.35:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
2384	svchost.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
3904	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
4680	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
6792	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
2908	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
6436	SIHClient.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
6436	SIHClient.exe	GET	200	2.17.0.227:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
2384	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5076	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5140	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4364	svchost.exe	239.255.255.250:1900	—	—	—	unknown
2384	svchost.exe	23.45.13.35:80	crl.microsoft.com	Akamai International B.V.	US	unknown
4680	SearchApp.exe	23.194.131.160:443	www.bing.com	Akamai International B.V.	US	unknown
4680	SearchApp.exe	23.194.131.145:443	www.bing.com	Akamai International B.V.	US	unknown
2384	svchost.exe	2.17.0.227:80	www.microsoft.com	AKAMAI-AS	DK	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
crl.microsoft.com	23.45.13.35 23.45.13.24	whitelisted
www.bing.com	23.194.131.145 23.194.131.177 23.194.131.169 23.194.131.139 23.194.131.137 23.194.131.160 23.194.131.168 23.194.131.161 23.194.131.171	whitelisted
r.bing.com	23.194.131.160 23.194.131.169 23.194.131.171 23.194.131.139 23.194.131.168 23.194.131.137 23.194.131.161 23.194.131.177 23.194.131.145	whitelisted
www.microsoft.com	2.17.0.227	whitelisted
login.live.com	20.190.159.23 20.190.159.0 40.126.31.71 20.190.159.68 20.190.159.75 20.190.159.64 20.190.159.73 40.126.31.67	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	2.17.1.249	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
arc.msn.com	20.223.35.26	whitelisted

General Info

Borat.7z

43C20E4EE2DD87C70DD0ED082DC74431

71051DEE5D0480B8AA30A599A95D0AD928F7BB9E

B2F4CC95E54ACC818410D79072CCD44A4DBB21AFAD82C2A4608B7B52F1502867

98304:4mnI+WmnzFhcWMOo/5ucNWw7tq3o280CB6oWprH0Vtcpot+FfRT5apCeiFqQgijQ:BtYHMwzJ4hoHQLs

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

Drops the executable file immediately after the start

ASYNCRAT has been detected (YARA)

Changes the autorun value in the registry

Bypass User Account Control (fodhelper)

Bypass User Account Control (Modify registry)

Starts NET.EXE for service management

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

The process creates files with name similar to system file names

The process checks if it is being run in the virtual environment

Reads security settings of Internet Explorer

Creates file in the systems drive root

Executable content was dropped or overwritten

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Starts POWERSHELL.EXE for commands execution

Reads the date of Windows installation

Base64-obfuscated command line is found

Changes default file association

Starts SC.EXE for service management

Identifying current user with WHOAMI command

Found strings related to reading or modifying Windows Defender settings

BASE64 encoded PowerShell command has been detected

Uses sleep to delay execution (POWERSHELL)

INFO

Manual execution by a user

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Create files in a temporary directory

Reads the software policy settings

Reads Environment values

Checks proxy server information

Reads Microsoft Office registry keys

Process checks computer location settings

Reads security settings of Internet Explorer

Uses string replace method (POWERSHELL)

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information