Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gofile.io/d/...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://gofile.io/d/q0xgdS

  • Sample

    250204-w7pl5ayjaj

Score
10/10
silverratxwormdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

contract-released.gl.at.ply.gg:25964

Mutex

sergADEwxve_eceeADEUdfseef

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discordapp.com/api/webhooks/1302520798933684265/tWVuRmMGAhojEcmdSKJWo2Eeh5507_c05ZIwM-hG5OX9G_HzVXO0dnJkhD7ydkr2zaJY

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    endob2RsQ1pvdE5HV0ppT0pLRUZTZmRBUkREbHpT

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

  • server_signature

    ENyFlCXhdlwbTqnnVTnnu7baNc+t7jaX3P8dqjIkQvDnoYVn9nIrvsURUC/Fsto539ICxe8+rbOK3uyVLY5aw7HhLxVG2H85Cmz/jbOGL5m2WuKkqP3v1zs6qOKvKydv6oLgrlFX+mXRA5VJArZroc/zMtaP0YvbhxoratPgAPsiKMOK5YmiISCPf117y6IceeIxf2vWfDBcTML/J5AwY6NkSHVUm9E0On/Ak8/PcAWHKCz5f/1U5Tkx1PoXCdArH56zTYor80AhA3EhcphecofzXEG0uhDE0AW72WScgxRZJxOgL2Xk9jABuzkankvQMRKElW4UNzWDnblLIuJKRzLdBxl73gc9dESLLM3K3KjHxQ82Wl1gxF1f1h+3u4Piw9zIzorlTn0xZb0ur5DpgUWESIYd9S4X88of2DnYLi4PM8VCADvaKU8mTlXm9dTjdYdlPGHYeeAuOxfuNJ1Y730K7fUW8qn3k0NDTxml10GATnMoJ2+up3GDksurHwO4LKKzbe4p6pMvEPLxui0NZMRqCb2p0O5XeW0T6q2GV4SLhi0i9ro9HZwmvhgmzAsD7WR3Rw1eeO6NTAnKdOnt4UZMkR7oUOyr7bda9x6Y62oubapo6PuC6HzX+GQOv3OlJnIUDNIVDv7sZPjKqqtuycRauZc+9FXmDjomvhv+YRY=

Extracted

Family

xworm

C2

contract-released.gl.at.ply.gg:25964

Attributes
  • Install_directory

    %Public%

  • install_file

    SecurityHealthSystray.exe

Targets

    • Target

      https://gofile.io/d/q0xgdS

    Score
    10/10
    silverratxwormdefense_evasiondiscoveryexecutionpersistencerattrojan

    • Detect Xworm Payload

    • SilverRat

      SilverRat is trojan written in C#.

      trojansilverrat

    • Silverrat family

      silverrat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks