Analysis Overview
SHA256
53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
Threat Level: Known bad
The file Borat.rar was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
AsyncRat
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 20:28
Signatures
Asyncrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 20:28
Reported
2024-06-29 20:32
Platform
win10v2004-20240508-en
Max time kernel
260s
Max time network
257s
Command Line
Signatures
AsyncRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 500031000000000045552d231000426f726174003c0009000400efbedd58a9a3dd58a9a32e000000f23302000000070000000000000000000000000000009aad050142006f00720061007400000014000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5000310000000000dd58a9a31000426f726174003c0009000400efbedd58a9a3dd58a9a32e000000f133020000000700000000000000000000000000000012c21e0142006f00720061007400000014000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000dd58a9a311004465736b746f7000680009000400efbea8582d61dd58a9a32e00000078e101000000010000000000000000003e000000000012c21e014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\NodeSlot = "11" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\Borat.rar |
| C:\Windows\system32\OpenWith.exe | C:\Windows\system32\OpenWith.exe -Embedding |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Program Files\7-Zip\7zG.exe | "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Borat\" -ad -an -ai#7zMap306:68:7zEvent903 |
| C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | "C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Users\Admin\Desktop\Borat\Borat\Client.exe | "C:\Users\Admin\Desktop\Borat\Borat\Client.exe" |
| C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | "C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe" |
| C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe |
| C:\Users\Admin\Desktop\Borat\Borat\Client.exe | "C:\Users\Admin\Desktop\Borat\Borat\Client.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:8848 | N/A | tcp |
| N/A | 127.0.0.1:8848 | N/A | tcp |
| N/A | 127.0.0.1:8848 | N/A | tcp |
| N/A | 127.0.0.1:8848 | N/A | tcp |
| N/A | 127.0.0.1:8848 | N/A | tcp |
Files
C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe
| MD5 | 65b694d69d327efe28fcbce125401e96 |
| SHA1 | 049d4d71742b99a598c074458f1f2d5b0119e912 |
| SHA256 | de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab |
| SHA512 | 7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b |
C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe.config
| MD5 | 3e645ccca1c44a00210924a3b0780955 |
| SHA1 | 5d8e8115489ac505c1d10fdd64e494e512dba793 |
| SHA256 | f29e697efd7c5ecb928c0310ea832325bf6518786c8e1585e1b85cdc8701602f |
| SHA512 | ea7e3a6e476345870f05124a56dde266e1ad04b557b2dde83c5674cfdf3be00f26d3db6a14a8d88ecf75e2c9e3a12e6955f6c85654ba967c17664e9acc3d4f1f |
memory/2748-59-0x000001EF96AA0000-0x000001EF97EAA000-memory.dmp
C:\Users\Admin\Desktop\Borat\Borat\ServerCertificate.p12
| MD5 | 478ee44a47895e687296b9ab34df04c4 |
| SHA1 | 4b81e94f3d3a99cc01d5c57bd5bec8317f0aca4f |
| SHA256 | 4b0612b2cd5e7ecc456d5c29c89917b8ec881c5f4fd94afe157098ca96308781 |
| SHA512 | 28c0635f1e5062fcdef783aceaa8aa53531f18ce66d4aed62a99ec5b31a364e0d0d36fa237d978d75f51a859a7140d31e62aed340eae4aa769e02d1640e30c7b |
C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_w0en52dl030nftthqfvkkh0ok4obzuv5\1.0.7.0\user.config
| MD5 | acb6df8bd0fe9236ea87ea6e3c28173f |
| SHA1 | 8b1d88bd749b58905c6db258e7224a67d1179938 |
| SHA256 | ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b |
| SHA512 | a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832 |
C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_w0en52dl030nftthqfvkkh0ok4obzuv5\1.0.7.0\user.config
| MD5 | 0c6e4f57ebaba0cc4acfc8bb65c589f8 |
| SHA1 | 8c021c2371b87f2570d226b419c64c3102b8d434 |
| SHA256 | a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c |
| SHA512 | c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0 |
C:\Users\Admin\Desktop\Borat\Borat\Client.exe
| MD5 | a5f63108669956c2e6dbf61e30eb3e19 |
| SHA1 | 965d6a02ab6d4ad5b50616a604f05970e6d953f5 |
| SHA256 | d9c93200870fe1da7af28a95b6aced972320193d2dbf5e0179b713581120ce55 |
| SHA512 | 2dc8a3fe5fb82f81d7888334871e65c80863bf84bb42b777cb756a37a1ce448bc877a97b3f3e6aff3be2e1f94233d1398a1eaf2dcbb63c51c94e0d3a1b16efc5 |
memory/404-89-0x0000000000030000-0x0000000000044000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BoratRat.exe.log
| MD5 | a1c1a009d32b0fbd4d962a8853766e2e |
| SHA1 | 4f60f6bc103e6d2e17eb23d2d9213c23d39e1474 |
| SHA256 | 1a4c72a376fb49c27b4ae45efe5450e87767cfb339556e12777afa2669c329b2 |
| SHA512 | ebeb4dc2222b8a9f55e90701d4a80c8aefb43a53b4cee531a85e7e7a23e4c62123a1f20aadff0796e182918ff2073509afda7f47966655316ebe2b0c87471c41 |
\??\PIPE\wkssvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Desktop\Borat\Borat\bin\RemoteDesktop.dll
| MD5 | 0f93650dd78557f41b7c5467e3b6b6a7 |
| SHA1 | 382bd4496eb7439fde85832abca87cc21cb7872f |
| SHA256 | cc5b49d2a2821d4f6ef6af8a1e50994c6690d6a4daa41bd048fe79bd8b578988 |
| SHA512 | 15d0b95865316d09e9404a2507bb983a9d9e762e88d749ea61ba1ce15a229ea9d86ba09a7e6319d7bab859986f51eca6792bd42fc18fc1ac11d35b173a9d5fc6 |
C:\Users\Admin\Desktop\Borat\Borat\bin\Audio.dll
| MD5 | 9726d7fe49c8ba43845ad8e5e2802bb8 |
| SHA1 | 8bcdf790826a2ac7adfc1e8b214e8de43e086b97 |
| SHA256 | df31a70ceb0c481646eeaf94189242200fafd3df92f8b3ec97c0d0670f0e2259 |
| SHA512 | f97bc1e2ecbbc979d0eea3559c2da0982e4617eb217603224263ef825b8d98b3c52392eeef41888e6295fb60d362f9521e2f2bdaccc762c4591565f9e6248658 |
C:\Users\Admin\Desktop\Borat\Borat\bin\RemoteCamera.dll
| MD5 | acbf0f8b09320f3e967ee83fcda26f5d |
| SHA1 | bbee0fa1c88edcd0469974223fb026e1176256dc |
| SHA256 | 203300be75ad8f57972324519b2583a44e759cdd57390d6765df10288e249789 |
| SHA512 | 36a9c2810b8b86aa35cb2c18730fdd6b8547a5b9b937f0ffcaaffa5bc17566315d918e68974470ec07c3ca6f841c8d408784f3b6c3d621759edf4e4e8496d75d |
C:\Users\Admin\Desktop\Borat\Borat\bin\Regedit.dll
| MD5 | 8749c78b8ad09a3b240dd1384a17539b |
| SHA1 | b9263ac725ccd8c664ae0f9da5fc0d00adcb8c5e |
| SHA256 | 657e3f1f449c0b710b0c571ec8eee689ae16793fb63b996e0182420d768f89bd |
| SHA512 | 5a910be70c79dec36d3e5c171ba5029612ee2960b8529ffb81d581ab0f20cbc30e6093b838ce1ebc2fab9ed9bbce8ab5f995487852bcba17df4b3480f91aa81b |
C:\Users\Admin\Desktop\Borat\Borat\bin\Recovery.dll
| MD5 | b4762c63cc383eb02cb093eeb88aecf1 |
| SHA1 | a3a1fdd8612c63f6d62d5a62915966be8e922ba1 |
| SHA256 | ec768f980b651a2fbbbcffb715bcac5214730c02ff21a1a987d6db9cb04f01e1 |
| SHA512 | 51a9a8665be79a043dafe114d577988d5ab74803ab738d4d7129136372c7e1db4719c83e98c6e3aa7a8374a84cca570b34274d6bf18272906e6504872c514a1e |
memory/404-122-0x0000000002180000-0x0000000002190000-memory.dmp
memory/404-121-0x000000001C750000-0x000000001C7C6000-memory.dmp
C:\Users\Admin\Desktop\Borat\Borat\bin\Ransomware.dll
| MD5 | ef998529d037fcdb2bde6d046f99db45 |
| SHA1 | 1a38a1182155429ecc64c20ece46ec0836c32ec7 |
| SHA256 | 54f554b9e330476b3903756f62b577bab35cdef941d3d0f6a3d607862762bf91 |
| SHA512 | 4e4376c182dcdf993c6e8f55388829b9e7057e8d80be268a8469721e8ac7fc29eab65681f0f7f2c0dbad1c5bc30fdcc123774ae543770090bf01a62a0d161ece |
memory/404-123-0x0000000002200000-0x000000000221E000-memory.dmp
C:\Users\Admin\Desktop\Borat\Borat\bin\ProcessManager.dll
| MD5 | 91edcb945924df5fbf4ff123aa63199c |
| SHA1 | d124869aaee9aa1a49def714774b834335aa746e |
| SHA256 | 5b1f80ff787bdcd7ee12aa64be1f2f5f1f658bd644bbc5fd73527b51da6ce0d6 |
| SHA512 | 6927c1576a8a9ff724fe3b7d53067f97c121b272c1f2528cb8aa1806de61f36504ee4d25d56eb717a1010a80fb6b5e37c1a0c30b256fdb9a5ba5b31794146c52 |
C:\Users\Admin\Desktop\Borat\Borat\bin\Options.dll
| MD5 | 3a474b8dee059562b31887197d94f382 |
| SHA1 | b31455f9583b89cac9f655c136801673fb7b4b9a |
| SHA256 | c9b8e795c5a024f9e3c85ba64534b9bf52cc8c3d29b95ff6417dc3a54bc68b95 |
| SHA512 | cdda908adb88603302b33c99befed0394f12cc34c5a31bc7b4b614df3615ea8a6cad7ef84e7b9865342f33783006974027e39fd458e5936dec14c8ae5e98bf0a |
C:\Users\Admin\Desktop\Borat\Borat\bin\Netstat.dll
| MD5 | 12911f5654d6346fe99ef91e90849c13 |
| SHA1 | 1b8e63d03feb84d995c02dcbb74da7edfaa8c763 |
| SHA256 | 7eed1b90946a6db1fe978d177a80542b5db0bf3156c979dc8a8869a94811bf4b |
| SHA512 | 588971ef7aebae7afffb22bafdf8f8bb04bf3c474eabf6637543fe42e3e1800cc824929d953055a4f666776ea5fffe0389ef6216c1dca437e0c8a330f6670c19 |
C:\Users\Admin\Desktop\Borat\Borat\bin\Miscellaneous.dll
| MD5 | 509d41da4a688a2e50fc8e3afca074c7 |
| SHA1 | 228de17938071733585842c59ffb99177831b558 |
| SHA256 | f91973113fd01465999ce317f3e7a89df8c91a5efadcfa61e5ccce687bf3580a |
| SHA512 | 86f975c75e246100d0486aa1507f5c2030323649ae921af51583c6b287e6780e9a9bf887ef4ead11599742cdeb7c90380c7d4859340e11913c2c1f42fb34ef8e |
C:\Users\Admin\Desktop\Borat\Borat\bin\MessagePackLib.dll
| MD5 | 590b00c87d5ff2ffe09079f0406eb2cd |
| SHA1 | 92c91f1db8c2c8cc34c2e1a26f4f970f1518a7ed |
| SHA256 | adb00dee751b4ba620d3b0e002f5b6d8b89cf63b062f74ec65bba72294d553d1 |
| SHA512 | 9396620bb9d77cacd7bc2bfa44e8fb76091e314298434d8ba995595df0b2a13edf8229c465b563aa668702176ccf2de34e9fd3d1567d4ff20d94672aba4ad745 |
C:\Users\Admin\Desktop\Borat\Borat\bin\Logger.dll
| MD5 | 872145b37d107144894c9aa8729bad42 |
| SHA1 | 01610587bcfa7ac379b1f0169a2a9ab384b9116b |
| SHA256 | 2f258949fd95da6cd912beb7203a9fd5e99d050309a40341de67537edb75aadc |
| SHA512 | 0c926d24515b8ea80586c80d2613136f802badde3a788d2960ebd8f6a4d6e901d1ea220262f3d2a852c4f3da88bd69915070de920bc79eb82329c44dcab98435 |
C:\Users\Admin\Desktop\Borat\Borat\bin\Information.dll
| MD5 | 87651b12453131dafd3e91f60d8aef5a |
| SHA1 | d5db880256bffa098718894edf684ea0dc4c335d |
| SHA256 | a15d72d990686d06d89d7e11df2b16bcd5719a40298c19d046fa22c40d56af44 |
| SHA512 | 1b911a877c5a3f508421f4f250d95861a5c110cb4b67ffe05de157085c5a018d34d9574c1ef4cf9eec3ba3cdd39985863564ea2f77814812032ea796cb329afa |
C:\Users\Admin\Desktop\Borat\Borat\bin\Fun.dll
| MD5 | 499fc6ac30b3b342833c79523be4a60c |
| SHA1 | dcf1ed3fbc56d63b42c88ede88f9cad1d509e7ec |
| SHA256 | dcac599b1bab37e1a388ac469e6cc5de1f35eb02beaa6778f07a1c090ce3ea04 |
| SHA512 | b63dcf0f42a4e80747556000aeee72137735cb7177567df6cfef3f15471efb8c4dc797db8cdc870d66cd87f09ffc7ab177969b126825a69e4b5390b568462484 |
C:\Users\Admin\Desktop\Borat\Borat\bin\FileSearcher.dll
| MD5 | 0b7c33c5739903ba4f4b78c446773528 |
| SHA1 | b58555bebddf8e695880014d34a863a647da547e |
| SHA256 | 2d9625f41793f62bfe32c10b2d5e05668e321bcaf8b73414b3c31ef677b9bff4 |
| SHA512 | d3ea78dcc15e5f365df55558b911f3289f516ecb16c07b7132084ec2e3b10f496d1ef0774416775c14caffbf3107220cfc19ec910cdb2637561b12a23fd1e43f |
C:\Users\Admin\Desktop\Borat\Borat\bin\FileManager.dll
| MD5 | 4ccd3dfb14ffdddfa598d1096f0190ea |
| SHA1 | c68c30355599461aca7205a7cbdb3bb1830d59c8 |
| SHA256 | 7f8a306826fcb0ee985a2b6d874c805f7f9b2062a1123ea4bb7f1eba90fc1b81 |
| SHA512 | 2fa3ea13054d84e1a307ddc63f2a364c760b8e1882fee975585e6e1bae41cad3463495d22d0c8fb77d40e6b0336c3537ab68efb5fd84e46063a336ba20672cbc |
C:\Users\Admin\Desktop\Borat\Borat\bin\Extra.dll
| MD5 | 62c231bafa469ab04f090fcb4475d360 |
| SHA1 | 82dda56bc59ac7db05eddbe4bcf0fe9323e32073 |
| SHA256 | 6a4f32b0228092ce68e8448c6f4b74b4c654f40fb2d462c1d6bbd4b4ef09053d |
| SHA512 | 515fbdc9e792bd7ab711261c1d0185351079a2d5b104211c559cfc4c8465794ef897c43f0f825b4fc2e97a56525f73c3ad0a28de0fcf8b8bff89c26d1c97b3cc |
C:\Users\Admin\Desktop\Borat\Borat\bin\Discord.dll
| MD5 | 7ee673594bbb20f65448aab05f1361d0 |
| SHA1 | 2a29736882439ef4c9088913e7905c0408cb2443 |
| SHA256 | 8fa7634b7dca1a451cf8940429be6ad2440821ed04d5d70b6e727e5968e0b5f6 |
| SHA512 | f5d8457279a5c0684c075eae2d3de62b672303520a1c725b4f97787961e6043c73ca68d4353e5d4168a427104be65b74a9c92a87419348e92d772368e94fab7c |