Malware Analysis Report

2024-10-23 19:27

Sample ID 240629-y8ymjavgqa
Target Borat.rar
SHA256 53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1
Tags asyncrat rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 53cdc49c7fb83b419c07edb45c544b106aaa37db00e8a37211678af6350a82f1

Threat Level: Known bad

The file Borat.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat rat

Asyncrat family

AsyncRat

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 20:28

Signatures

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (24 matches recorded, no details given for any of them)

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 20:28

Reported

2024-06-29 20:32

Platform

win10v2004-20240508-en

Max time kernel

260s

Max time network

257s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Borat.rar

Signatures

AsyncRat

rat asyncrat

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 = 500031000000000045552d231000426f726174003c0009000400efbedd58a9a3dd58a9a32e000000f23302000000070000000000000000000000000000009aad050142006f00720061007400000014000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0 = 5000310000000000dd58a9a31000426f726174003c0009000400efbedd58a9a3dd58a9a32e000000f133020000000700000000000000000000000000000012c21e0142006f00720061007400000014000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1 = 7e00310000000000dd58a9a311004465736b746f7000680009000400efbea8582d61dd58a9a32e00000078e101000000010000000000000000003e000000000012c21e014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\1\0\0\NodeSlot = "11" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A (this entry is recorded 51 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Borat\Borat\Client.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Borat.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Borat\" -ad -an -ai#7zMap306:68:7zEvent903

C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe

"C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Borat\Borat\Client.exe

"C:\Users\Admin\Desktop\Borat\Borat\Client.exe"

C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe

"C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Users\Admin\Desktop\Borat\Borat\Client.exe

"C:\Users\Admin\Desktop\Borat\Borat\Client.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
N/A | 127.0.0.1:8848 | | tcp
N/A | 127.0.0.1:8848 | | tcp
N/A | 127.0.0.1:8848 | | tcp
N/A | 127.0.0.1:8848 | | tcp
N/A | 127.0.0.1:8848 | | tcp

Files

C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe

MD5 65b694d69d327efe28fcbce125401e96
SHA1 049d4d71742b99a598c074458f1f2d5b0119e912
SHA256 de60ecbbfef30c93fe8875ef69b358b20076d1f969fc3d21ab44d59dc9ef7cab
SHA512 7ab57642e414e134e851d9aa2ed3ef8b483f3a5f77877cdc04e08d7f95c44884f8ccc6beaf8ba7f6949cfd7398c46be46c024d4fdeacd3a332d4565609baad5b

C:\Users\Admin\Desktop\Borat\Borat\BoratRat.exe.config

MD5 3e645ccca1c44a00210924a3b0780955
SHA1 5d8e8115489ac505c1d10fdd64e494e512dba793
SHA256 f29e697efd7c5ecb928c0310ea832325bf6518786c8e1585e1b85cdc8701602f
SHA512 ea7e3a6e476345870f05124a56dde266e1ad04b557b2dde83c5674cfdf3be00f26d3db6a14a8d88ecf75e2c9e3a12e6955f6c85654ba967c17664e9acc3d4f1f

memory/2748-59-0x000001EF96AA0000-0x000001EF97EAA000-memory.dmp

C:\Users\Admin\Desktop\Borat\Borat\ServerCertificate.p12

MD5 478ee44a47895e687296b9ab34df04c4
SHA1 4b81e94f3d3a99cc01d5c57bd5bec8317f0aca4f
SHA256 4b0612b2cd5e7ecc456d5c29c89917b8ec881c5f4fd94afe157098ca96308781
SHA512 28c0635f1e5062fcdef783aceaa8aa53531f18ce66d4aed62a99ec5b31a364e0d0d36fa237d978d75f51a859a7140d31e62aed340eae4aa769e02d1640e30c7b

C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_w0en52dl030nftthqfvkkh0ok4obzuv5\1.0.7.0\user.config

MD5 acb6df8bd0fe9236ea87ea6e3c28173f
SHA1 8b1d88bd749b58905c6db258e7224a67d1179938
SHA256 ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b
SHA512 a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

C:\Users\Admin\AppData\Local\Server\BoratRat.exe_Url_w0en52dl030nftthqfvkkh0ok4obzuv5\1.0.7.0\user.config

MD5 0c6e4f57ebaba0cc4acfc8bb65c589f8
SHA1 8c021c2371b87f2570d226b419c64c3102b8d434
SHA256 a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c
SHA512 c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

C:\Users\Admin\Desktop\Borat\Borat\Client.exe

MD5 a5f63108669956c2e6dbf61e30eb3e19
SHA1 965d6a02ab6d4ad5b50616a604f05970e6d953f5
SHA256 d9c93200870fe1da7af28a95b6aced972320193d2dbf5e0179b713581120ce55
SHA512 2dc8a3fe5fb82f81d7888334871e65c80863bf84bb42b777cb756a37a1ce448bc877a97b3f3e6aff3be2e1f94233d1398a1eaf2dcbb63c51c94e0d3a1b16efc5

memory/404-89-0x0000000000030000-0x0000000000044000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BoratRat.exe.log

MD5 a1c1a009d32b0fbd4d962a8853766e2e
SHA1 4f60f6bc103e6d2e17eb23d2d9213c23d39e1474
SHA256 1a4c72a376fb49c27b4ae45efe5450e87767cfb339556e12777afa2669c329b2
SHA512 ebeb4dc2222b8a9f55e90701d4a80c8aefb43a53b4cee531a85e7e7a23e4c62123a1f20aadff0796e182918ff2073509afda7f47966655316ebe2b0c87471c41

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Desktop\Borat\Borat\bin\RemoteDesktop.dll

MD5 0f93650dd78557f41b7c5467e3b6b6a7
SHA1 382bd4496eb7439fde85832abca87cc21cb7872f
SHA256 cc5b49d2a2821d4f6ef6af8a1e50994c6690d6a4daa41bd048fe79bd8b578988
SHA512 15d0b95865316d09e9404a2507bb983a9d9e762e88d749ea61ba1ce15a229ea9d86ba09a7e6319d7bab859986f51eca6792bd42fc18fc1ac11d35b173a9d5fc6

C:\Users\Admin\Desktop\Borat\Borat\bin\Audio.dll

MD5 9726d7fe49c8ba43845ad8e5e2802bb8
SHA1 8bcdf790826a2ac7adfc1e8b214e8de43e086b97
SHA256 df31a70ceb0c481646eeaf94189242200fafd3df92f8b3ec97c0d0670f0e2259
SHA512 f97bc1e2ecbbc979d0eea3559c2da0982e4617eb217603224263ef825b8d98b3c52392eeef41888e6295fb60d362f9521e2f2bdaccc762c4591565f9e6248658

C:\Users\Admin\Desktop\Borat\Borat\bin\RemoteCamera.dll

MD5 acbf0f8b09320f3e967ee83fcda26f5d
SHA1 bbee0fa1c88edcd0469974223fb026e1176256dc
SHA256 203300be75ad8f57972324519b2583a44e759cdd57390d6765df10288e249789
SHA512 36a9c2810b8b86aa35cb2c18730fdd6b8547a5b9b937f0ffcaaffa5bc17566315d918e68974470ec07c3ca6f841c8d408784f3b6c3d621759edf4e4e8496d75d

C:\Users\Admin\Desktop\Borat\Borat\bin\Regedit.dll

MD5 8749c78b8ad09a3b240dd1384a17539b
SHA1 b9263ac725ccd8c664ae0f9da5fc0d00adcb8c5e
SHA256 657e3f1f449c0b710b0c571ec8eee689ae16793fb63b996e0182420d768f89bd
SHA512 5a910be70c79dec36d3e5c171ba5029612ee2960b8529ffb81d581ab0f20cbc30e6093b838ce1ebc2fab9ed9bbce8ab5f995487852bcba17df4b3480f91aa81b

C:\Users\Admin\Desktop\Borat\Borat\bin\Recovery.dll

MD5 b4762c63cc383eb02cb093eeb88aecf1
SHA1 a3a1fdd8612c63f6d62d5a62915966be8e922ba1
SHA256 ec768f980b651a2fbbbcffb715bcac5214730c02ff21a1a987d6db9cb04f01e1
SHA512 51a9a8665be79a043dafe114d577988d5ab74803ab738d4d7129136372c7e1db4719c83e98c6e3aa7a8374a84cca570b34274d6bf18272906e6504872c514a1e

memory/404-122-0x0000000002180000-0x0000000002190000-memory.dmp

memory/404-121-0x000000001C750000-0x000000001C7C6000-memory.dmp

C:\Users\Admin\Desktop\Borat\Borat\bin\Ransomware.dll

MD5 ef998529d037fcdb2bde6d046f99db45
SHA1 1a38a1182155429ecc64c20ece46ec0836c32ec7
SHA256 54f554b9e330476b3903756f62b577bab35cdef941d3d0f6a3d607862762bf91
SHA512 4e4376c182dcdf993c6e8f55388829b9e7057e8d80be268a8469721e8ac7fc29eab65681f0f7f2c0dbad1c5bc30fdcc123774ae543770090bf01a62a0d161ece

memory/404-123-0x0000000002200000-0x000000000221E000-memory.dmp

C:\Users\Admin\Desktop\Borat\Borat\bin\ProcessManager.dll

MD5 91edcb945924df5fbf4ff123aa63199c
SHA1 d124869aaee9aa1a49def714774b834335aa746e
SHA256 5b1f80ff787bdcd7ee12aa64be1f2f5f1f658bd644bbc5fd73527b51da6ce0d6
SHA512 6927c1576a8a9ff724fe3b7d53067f97c121b272c1f2528cb8aa1806de61f36504ee4d25d56eb717a1010a80fb6b5e37c1a0c30b256fdb9a5ba5b31794146c52

C:\Users\Admin\Desktop\Borat\Borat\bin\Options.dll

MD5 3a474b8dee059562b31887197d94f382
SHA1 b31455f9583b89cac9f655c136801673fb7b4b9a
SHA256 c9b8e795c5a024f9e3c85ba64534b9bf52cc8c3d29b95ff6417dc3a54bc68b95
SHA512 cdda908adb88603302b33c99befed0394f12cc34c5a31bc7b4b614df3615ea8a6cad7ef84e7b9865342f33783006974027e39fd458e5936dec14c8ae5e98bf0a

C:\Users\Admin\Desktop\Borat\Borat\bin\Netstat.dll

MD5 12911f5654d6346fe99ef91e90849c13
SHA1 1b8e63d03feb84d995c02dcbb74da7edfaa8c763
SHA256 7eed1b90946a6db1fe978d177a80542b5db0bf3156c979dc8a8869a94811bf4b
SHA512 588971ef7aebae7afffb22bafdf8f8bb04bf3c474eabf6637543fe42e3e1800cc824929d953055a4f666776ea5fffe0389ef6216c1dca437e0c8a330f6670c19

C:\Users\Admin\Desktop\Borat\Borat\bin\Miscellaneous.dll

MD5 509d41da4a688a2e50fc8e3afca074c7
SHA1 228de17938071733585842c59ffb99177831b558
SHA256 f91973113fd01465999ce317f3e7a89df8c91a5efadcfa61e5ccce687bf3580a
SHA512 86f975c75e246100d0486aa1507f5c2030323649ae921af51583c6b287e6780e9a9bf887ef4ead11599742cdeb7c90380c7d4859340e11913c2c1f42fb34ef8e

C:\Users\Admin\Desktop\Borat\Borat\bin\MessagePackLib.dll

MD5 590b00c87d5ff2ffe09079f0406eb2cd
SHA1 92c91f1db8c2c8cc34c2e1a26f4f970f1518a7ed
SHA256 adb00dee751b4ba620d3b0e002f5b6d8b89cf63b062f74ec65bba72294d553d1
SHA512 9396620bb9d77cacd7bc2bfa44e8fb76091e314298434d8ba995595df0b2a13edf8229c465b563aa668702176ccf2de34e9fd3d1567d4ff20d94672aba4ad745

C:\Users\Admin\Desktop\Borat\Borat\bin\Logger.dll

MD5 872145b37d107144894c9aa8729bad42
SHA1 01610587bcfa7ac379b1f0169a2a9ab384b9116b
SHA256 2f258949fd95da6cd912beb7203a9fd5e99d050309a40341de67537edb75aadc
SHA512 0c926d24515b8ea80586c80d2613136f802badde3a788d2960ebd8f6a4d6e901d1ea220262f3d2a852c4f3da88bd69915070de920bc79eb82329c44dcab98435

C:\Users\Admin\Desktop\Borat\Borat\bin\Information.dll

MD5 87651b12453131dafd3e91f60d8aef5a
SHA1 d5db880256bffa098718894edf684ea0dc4c335d
SHA256 a15d72d990686d06d89d7e11df2b16bcd5719a40298c19d046fa22c40d56af44
SHA512 1b911a877c5a3f508421f4f250d95861a5c110cb4b67ffe05de157085c5a018d34d9574c1ef4cf9eec3ba3cdd39985863564ea2f77814812032ea796cb329afa

C:\Users\Admin\Desktop\Borat\Borat\bin\Fun.dll

MD5 499fc6ac30b3b342833c79523be4a60c
SHA1 dcf1ed3fbc56d63b42c88ede88f9cad1d509e7ec
SHA256 dcac599b1bab37e1a388ac469e6cc5de1f35eb02beaa6778f07a1c090ce3ea04
SHA512 b63dcf0f42a4e80747556000aeee72137735cb7177567df6cfef3f15471efb8c4dc797db8cdc870d66cd87f09ffc7ab177969b126825a69e4b5390b568462484

C:\Users\Admin\Desktop\Borat\Borat\bin\FileSearcher.dll

MD5 0b7c33c5739903ba4f4b78c446773528
SHA1 b58555bebddf8e695880014d34a863a647da547e
SHA256 2d9625f41793f62bfe32c10b2d5e05668e321bcaf8b73414b3c31ef677b9bff4
SHA512 d3ea78dcc15e5f365df55558b911f3289f516ecb16c07b7132084ec2e3b10f496d1ef0774416775c14caffbf3107220cfc19ec910cdb2637561b12a23fd1e43f

C:\Users\Admin\Desktop\Borat\Borat\bin\FileManager.dll

MD5 4ccd3dfb14ffdddfa598d1096f0190ea
SHA1 c68c30355599461aca7205a7cbdb3bb1830d59c8
SHA256 7f8a306826fcb0ee985a2b6d874c805f7f9b2062a1123ea4bb7f1eba90fc1b81
SHA512 2fa3ea13054d84e1a307ddc63f2a364c760b8e1882fee975585e6e1bae41cad3463495d22d0c8fb77d40e6b0336c3537ab68efb5fd84e46063a336ba20672cbc

C:\Users\Admin\Desktop\Borat\Borat\bin\Extra.dll

MD5 62c231bafa469ab04f090fcb4475d360
SHA1 82dda56bc59ac7db05eddbe4bcf0fe9323e32073
SHA256 6a4f32b0228092ce68e8448c6f4b74b4c654f40fb2d462c1d6bbd4b4ef09053d
SHA512 515fbdc9e792bd7ab711261c1d0185351079a2d5b104211c559cfc4c8465794ef897c43f0f825b4fc2e97a56525f73c3ad0a28de0fcf8b8bff89c26d1c97b3cc

C:\Users\Admin\Desktop\Borat\Borat\bin\Discord.dll

MD5 7ee673594bbb20f65448aab05f1361d0
SHA1 2a29736882439ef4c9088913e7905c0408cb2443
SHA256 8fa7634b7dca1a451cf8940429be6ad2440821ed04d5d70b6e727e5968e0b5f6
SHA512 f5d8457279a5c0684c075eae2d3de62b672303520a1c725b4f97787961e6043c73ca68d4353e5d4168a427104be65b74a9c92a87419348e92d772368e94fab7c