Overview

overview

10

Static

static

10

SilverClient.exe

windows7-x64

10

SilverClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2025 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SilverClient.exe

  • Size

    43KB

  • MD5

    7ca038b550ee364bc39ba3ebbfc0fb0e

  • SHA1

    45969aca7d7850aa2fd1b1c3c03a65919effb899

  • SHA256

    632afc11c1652f563a31015c766ce4d8f0d7ea34a5668511e7c08113e657cd3d

  • SHA512

    c4d6b8aeb3397245591f2453ec0f4e55fd5333cb14b0c0fc82d0843cca925236a1143d52705cf2988580901e7bf122dc8c197da28c436fde633c244c127624c5

  • SSDEEP

    768:JZiylKt1aCmWgYV6OZi/MiZHFPsxnEsJCSZbYvlGGooooizJjwRUT0v9S9HbExhI:JZigKtFIOZvGFPsxnEFWJjwGAv9KbExy

Score
10/10
silverratevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

speed-janet.gl.at.ply.gg:2217

Mutex

SilverMutex_pJwESYkGuV

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    UXF3ckpSV0ZzZnhEVFJ3b2FDUkZJSm5UamFDcUVR

  • reconnect_delay

    4

  • server_signature

    0QuMoMl50hG1CcYtYt+ZzmC6e5xRIuOsN4JNwdpY3n6iLJ5MCkIbVsEeLoQF9+t+6R+p9l9sw4T30VPNjQy+zT81zodrqO/aBnlHgYSfNl9M25x2r0OWbvxOCPyfZz+2V9YA+X69FzwE6ivGYhChTKpiUn5Gro4lC0rq+PkTxgccw3lKXAArV1rYvFnOFEZO18MMB7Kq8QiL3Km+IIafiFcOrzh0L8gBsDD+bW7hs2ttO8xgwamoK2PnFjacYgNpqYjRRa/61i+n2gPDQK5ogANLZGgsONTFNms9CAnR7YYyfMnch1UA3e3Hkp2TWykpkk07WI8g32KSNtC9fqIKubCiWlsjsIIcJYpQ+LCUCma2YJrwU9gulilg/RZtW8cyiZYnUqq99HPtPy8+AvmkyiA/uU58ZRz2gfsO2ee2jDc95IyaM+AKLp1zdDaoovvdfJ+UIkIsjti2sQQMNYJjJJxhkqTc7qA9gzkedeKkFbyGWnXUCtCkqQxYBcxDOqQN3dFly5suHpLqtXr+2I+a5xaPvE4Q1RiUwjD1ueiTkYecRH44WTg4NQ9P4szeOT0vedXx7CIzjl32yDhaM9Ln0Ov9SsstSg+hqpT3+662TN5Q5hJ0zJq60YBB4yVEB8R84tai0Zptxz5dCz/Kua4bwblodekXC1ubAl3xuHVzAlk=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

    trojansilverrat
  • Silverrat family
    silverrat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\SilverClient.exe
    "C:\Users\Admin\AppData\Local\Temp\SilverClient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2084
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1336
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp963.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2844
      • C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe
        "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
          4⤵
            PID:2068
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77SecurityHealthSystray.exe.exe" /TR "C:\Users\Admin\root\$77SecurityHealthSystray.exe.exe \"\$77SecurityHealthSystray.exe.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2632
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /query /TN $77SecurityHealthSystray.exe.exe
            4⤵
              PID:2692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:992
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "SecurityHealthSystray.exe_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2840

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp963.tmp.bat
        Filesize

        160B

        MD5

        3867eea70ee6dd876e3051f783c51168

        SHA1

        4944d0c5a82e0b4b96238c3fab81d2d7d01690d0

        SHA256

        668bd62ccbc186ea800bfdf22e72b2f1166bcd35bd3525e22bf0dea6f7e973cd

        SHA512

        d60ad0645d4d92a5b1b084004f4639336e55b9c8329534d5c9b3849071bdce43a715f51ae439e741ff16264ced22cbee3f2e3e332913b7ce35305f69cfa0f3f5

        Download Submit

      • \Users\Admin\root\$77SecurityHealthSystray.exe.exe
        Filesize

        43KB

        MD5

        7ca038b550ee364bc39ba3ebbfc0fb0e

        SHA1

        45969aca7d7850aa2fd1b1c3c03a65919effb899

        SHA256

        632afc11c1652f563a31015c766ce4d8f0d7ea34a5668511e7c08113e657cd3d

        SHA512

        c4d6b8aeb3397245591f2453ec0f4e55fd5333cb14b0c0fc82d0843cca925236a1143d52705cf2988580901e7bf122dc8c197da28c436fde633c244c127624c5

        Download Submit

      • memory/992-24-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/992-25-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1704-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-1-0x000000013F640000-0x000000013F650000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1704-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1704-3-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1704-14-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2804-19-0x000000013FC90000-0x000000013FCA0000-memory.dmp

        Filesize

        64KB

        Download