silverrat | ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605

General

Target

OneDrive.exe
Size

112KB
MD5

8265876f1419ac9f2789c779ca8756b7
SHA1

349c89b04a29da021401102888889ce7e593ada4
SHA256

ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605
SHA512

3f8f3b7da9f8a29080cb84f0b9a34170a1da63e39d91b6706a9b25d7f1b55033051601e04735ac482a57b4285c77d04bc5817aa15f7d8565541a2a2e4b5eb218
SSDEEP

1536:abiue98UKpsOUFGsI9x1Qom1VZs/iMeLWs8zNJf:qiu68Dq3FGsI9x1lSrfLWs8zNJf

Score

10^/10

silverrat evasion persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

reserved-compilation.gl.at.ply.gg:30333

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1309888185597427763/ETaHhLbZDsm-U9W1k9LnAs5qSHWvjnwQyurgXK_j1ZDoqixvf9wWgl7hA5cBSCQU7y7A
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2128	attrib.exe
536	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	$77OneDrive.exe

Loads dropped DLL 1 IoCs

pid	Process
1612	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Microsoft OneDrive\\$77OneDrive.exe\""	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
5	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2500	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2932	OneDrive.exe
2932	OneDrive.exe
2932	OneDrive.exe
2384	$77OneDrive.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeDebugPrivilege	2932	OneDrive.exe
Token: SeDebugPrivilege	2384	$77OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	$77OneDrive.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2128	2932	OneDrive.exe	34
PID 2932 wrote to memory of 2128	2932	OneDrive.exe	34
PID 2932 wrote to memory of 2128	2932	OneDrive.exe	34
PID 2932 wrote to memory of 536	2932	OneDrive.exe	36
PID 2932 wrote to memory of 536	2932	OneDrive.exe	36
PID 2932 wrote to memory of 536	2932	OneDrive.exe	36
PID 2932 wrote to memory of 1612	2932	OneDrive.exe	39
PID 2932 wrote to memory of 1612	2932	OneDrive.exe	39
PID 2932 wrote to memory of 1612	2932	OneDrive.exe	39
PID 1612 wrote to memory of 2500	1612	cmd.exe	41
PID 1612 wrote to memory of 2500	1612	cmd.exe	41
PID 1612 wrote to memory of 2500	1612	cmd.exe	41
PID 1612 wrote to memory of 2384	1612	cmd.exe	42
PID 1612 wrote to memory of 2384	1612	cmd.exe	42
PID 1612 wrote to memory of 2384	1612	cmd.exe	42
PID 2384 wrote to memory of 2296	2384	$77OneDrive.exe	44
PID 2384 wrote to memory of 2296	2384	$77OneDrive.exe	44
PID 2384 wrote to memory of 2296	2384	$77OneDrive.exe	44
PID 2384 wrote to memory of 880	2384	$77OneDrive.exe	46
PID 2384 wrote to memory of 880	2384	$77OneDrive.exe	46
PID 2384 wrote to memory of 880	2384	$77OneDrive.exe	46
PID 2384 wrote to memory of 2248	2384	$77OneDrive.exe	48
PID 2384 wrote to memory of 2248	2384	$77OneDrive.exe	48
PID 2384 wrote to memory of 2248	2384	$77OneDrive.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2128	attrib.exe
536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
"C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Microsoft OneDrive"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2128
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:536
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2500
- - C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe
    "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77OneDrive.exe
      4⤵
      PID:2296
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77OneDrive.exe" /TR "C:\Users\Admin\Microsoft OneDrive\$77OneDrive.exe \"\$77OneDrive.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:880
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77OneDrive.exe
      4⤵
      PID:2248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3536.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD72D.tmp.bat

Filesize
158B

MD5
fefedf4133aae2647950bbd446a7b9d2

SHA1
c0095d6d385b8157adb92f89aa01ab158e07949a

SHA256
7e146b3f3a10cbb6c37148935084e2782c7f3d161d541ac3446c051b15c5864c

SHA512
ea3cd18d5139153c52db009f11a111de31dec005540ef072cb1dbb3fa05ebb538c07f8c6f5a36f4d8797d3965bbe44a65d56aea00915e2e25d7156782e903c9b

Download Submit
\Users\Admin\Microsoft OneDrive\$77OneDrive.exe

Filesize
112KB

MD5
8265876f1419ac9f2789c779ca8756b7

SHA1
349c89b04a29da021401102888889ce7e593ada4

SHA256
ef948ec84c52a12fadc9597dd0b3234783da66a983aecf52a9ca7ad97d077605

SHA512
3f8f3b7da9f8a29080cb84f0b9a34170a1da63e39d91b6706a9b25d7f1b55033051601e04735ac482a57b4285c77d04bc5817aa15f7d8565541a2a2e4b5eb218

Download Submit
memory/2384-18-0x000000013FAA0000-0x000000013FAC0000-memory.dmp

Filesize
128KB

Download
memory/2932-0-0x000007FEF6173000-0x000007FEF6174000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x000000013F840000-0x000000013F860000-memory.dmp

Filesize
128KB

Download
memory/2932-2-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-3-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2932-13-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads