Overview

overview

10

Static

static

3

ad616acb49...47.exe

windows7-x64

6

ad616acb49...47.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747

  • Size

    8KB

  • Sample

    241123-csy3ga1qdr

  • MD5

    e618f84aafa47620606982c4abbc7d67

  • SHA1

    6f6e1f34130d3468da33ce0cadebddfce494255b

  • SHA256

    ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747

  • SHA512

    a5de82399c37e6441edbca72899588c5cbf5574968a81a2a4fe02aa5101a51a4c7b07219c92f10255005f2c8fe6abb66e1d493942e7757b6dfd0c318eb01b704

  • SSDEEP

    96:zdXT3QNm17yCqN1BN3CyvI35R0k7+AmRuPKuHVlXxdbyIzNt:xrX7yCqDyyvYv+Am4PHVlXnyK

Score
10/10
silverratdiscoveryexecutionpersistencetrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

Mutex

SilverMutex_GAZUkcCGjo

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    c0pTT0F4YUlWdnprRUZXU0lZck5EUEdMcFJ1UnpG

  • reconnect_delay

    4

  • server_signature

    N+iIgSoPCcWhCD0PCuU1EnqdssSySClpb5jHn0rlzcGXjOiC8ogxjV2ydCOO+ArBSp8RSv40oajf12v1vhqfmk2ilGPMWjEbqLvPDU2LMgihDzwv3ZfuA6mP2Aa/Unj1blMMQJIfhkDRZ8Y/8D4k3yCrzjkQpVL/lzoytAKaxhscaFQWcUzMysFWdzTOXj3EGXxOUftnKNoeefKDUkkgsOkR8CtSM/hj7iXHgsq5nnhloGeE1zAP9Sfk3YWSl/FkqV9JxjUEiN3eZX9csVjzZ53RP9RqcnALfPHrx/g9CYTRlm4W+e3cO3hGznYJCYZMSkqmPmRpJrecIcL9gkIvfUtbr5vyN9G26VEJDcKUe0URP7GL6HSw+qZ3Mgtb64YVV9GPP/kFtBxewsjmF6szDIlCmHGihNo5kT50Aqxzsv3Vhks9p5hZpt2fvOlKHwYlu+kg9RYn/90wIP28qUbfInnbw4zOcEuhgu9YnApx380zyAJg7tD2dts5W/vcyRBrnIXtJlGVeFEh8pQQI7Mr9esuQkX6GmMcWGX+lB244AgTEf3lKcC0ADB3UiLdGy7HwB4X2cUqvuyXJQicFfuf+wMMh3Q9Ocg+AG696zSjFSZdGbA722nbixPfZWlp0l1z0GF7ntSbelpa67RgjQQc6PlepRIlylqCjTg/EASPPvE=

Targets

    • Target

      ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747

    • Size

      8KB

    • MD5

      e618f84aafa47620606982c4abbc7d67

    • SHA1

      6f6e1f34130d3468da33ce0cadebddfce494255b

    • SHA256

      ad616acb49d68d155b0ded0a269e9f823fda47f9a125e1a3eb8a71ffbd3d4747

    • SHA512

      a5de82399c37e6441edbca72899588c5cbf5574968a81a2a4fe02aa5101a51a4c7b07219c92f10255005f2c8fe6abb66e1d493942e7757b6dfd0c318eb01b704

    • SSDEEP

      96:zdXT3QNm17yCqN1BN3CyvI35R0k7+AmRuPKuHVlXxdbyIzNt:xrX7yCqDyyvYv+Am4PHVlXnyK

    Score
    10/10
    discoverysilverratexecutionpersistencetrojan

    • SilverRat

      SilverRat is trojan written in C#.

      trojansilverrat

    • Silverrat family

      silverrat

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks