Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-08-2024 11:06

General

  • Target

    BoratRat_Cracked.exe

  • Size

    20.0MB

  • MD5

    c68cf8d1c438a9c59878deb36d17e197

  • SHA1

    fc6158fbab2762f1da42c7a486fd04bd8b547f05

  • SHA256

    9e7e71f470c44d253d72a78f1ccdde34b4a0bff6242d86006cd6e364b6bbf79c

  • SHA512

    67bad918bf1b4d1d1461ae949c7ef9e953fe447df46e7d32484914ef74cc658d8746b5bb2fb354f8c07fb961d9e4b395e7c2dab4e49e6b26d0af51aad5b27ccf

  • SSDEEP

    393216:nm2XTCP+Zw6NLIsFfskh1BmXGnfBd+Ly:nmmTCP+Zlnk0rmkBYLy

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 63 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BoratRat_Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\BoratRat_Cracked.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2244
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:2416
    • C:\Users\Admin\Desktop\Client.exe
      "C:\Users\Admin\Desktop\Client.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1716

Network

    • 127.0.0.1:8848
      Client.exe
    • 127.0.0.1:8848
      Client.exe
    • 127.0.0.1:8848
      Client.exe
    • 127.0.0.1:8848
      Client.exe

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Server\BoratRat_Cracked.exe_Url_wi0iqtchtc4kqw3og201wkj2ust21obp\1.0.7.0\user.config

      Filesize

      309B

      MD5

      0c6e4f57ebaba0cc4acfc8bb65c589f8

      SHA1

      8c021c2371b87f2570d226b419c64c3102b8d434

      SHA256

      a9539ba4eae9035b2ff715f0e755aa772b499d72ccab23af2bf5a2dc2bcfa41c

      SHA512

      c6b877ff887d029e29bf35f53006b8c84704f73b74c616bf97696d06c6ef237dff85269bdf8dfb432457b031dd52410e2b883fd86c3f54b09f0a072a689a08c0

    • C:\Users\Admin\AppData\Local\Server\BoratRat_Cracked.exe_Url_wi0iqtchtc4kqw3og201wkj2ust21obp\1.0.7.0\user.config

      Filesize

      580B

      MD5

      acb6df8bd0fe9236ea87ea6e3c28173f

      SHA1

      8b1d88bd749b58905c6db258e7224a67d1179938

      SHA256

      ec2b3fc4d011e9b8a04188d8f2ff280de854dde7d6ebf8e871e0642f789dfa5b

      SHA512

      a4222c0f5aeba58679c21361dcb6ab2c7ed1d9cae41d2839089fdb7bbaac3b8735afff8b302557f85389daa977b826cee77b944ba598e3fa6c2a16781453a832

    • C:\Users\Admin\AppData\Local\Temp\Cab44C0.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\ServerCertificate.p12

      Filesize

      1KB

      MD5

      9fdc5bf10b448a549b9bd1cac87339b8

      SHA1

      37a950f11ec8106a8d8605821a1cf90c7424072e

      SHA256

      9ab0c40a3cd77716165d701988049168281bce9819a36781e5cdeafcf264b9ed

      SHA512

      5beec295ee1fa050b918ef64620b75bd273de3b3bf01c913c33e88960a172fd9245da39c78eeeba7709d8ff8711ec4c4eff56ca47c0005442f6afc9116924e84

    • C:\Users\Admin\AppData\Local\Temp\Tar61A5.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\Desktop\Client.exe

      Filesize

      56KB

      MD5

      b385e7d9aa37eb43cf97b622eda20146

      SHA1

      8703a917ef11726ead2597b14c79a4f6e083cccd

      SHA256

      da5421adcba64cd3eeafdd61ab8202fa0379f620f88cfa318acc07a03dca9e9a

      SHA512

      55b315f1df56e6f3eed57d1d71ed7de0888367a0ffef1e6175f20b3fbf8affaaeb849cf5e17105d4956c38a595e54975692a36d5961acad3a19fa0651b8770e8

    • memory/1716-109-0x00000000020B0000-0x00000000020BE000-memory.dmp

      Filesize

      56KB

    • memory/1716-89-0x00000000006D0000-0x00000000006DC000-memory.dmp

      Filesize

      48KB

    • memory/1716-67-0x0000000000470000-0x0000000000480000-memory.dmp

      Filesize

      64KB

    • memory/1716-50-0x0000000000040000-0x0000000000054000-memory.dmp

      Filesize

      80KB

    • memory/2244-14-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

      Filesize

      4KB

    • memory/2244-19-0x000000001EC10000-0x000000001EC20000-memory.dmp

      Filesize

      64KB

    • memory/2244-18-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-17-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-47-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-16-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-15-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

      Filesize

      4KB

    • memory/2244-4-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-3-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

      Filesize

      9.9MB

    • memory/2244-1-0x0000000000DD0000-0x00000000021D6000-memory.dmp

      Filesize

      20.0MB