Overview

overview

10

Static

static

10

Rat.exe

windows7-x64

10

Rat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2025, 23:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rat.exe

  • Size

    45KB

  • MD5

    c41469be0e653ddb4552a3f1a16caba6

  • SHA1

    d2e0c8d5bd49337b5cef1f325632ba6c356d5661

  • SHA256

    166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0

  • SHA512

    0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749

  • SSDEEP

    768:00Mk3L5X0UC22ynqUS08+oRULQcN9hzyxJjB6SV38vrL/we:00M/my7Gs698bo638v/we

Score
10/10
silverratdefense_evasionexecutionpersistencetrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

buying-magic.gl.at.ply.gg:17699

Mutex

SilverMutex_mCvmEafTxB

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1339299451642314845/g1Gv5jULSz8Pebm4NzbJROiNI4YMerdc5dgzha88cgyOa16Ji2c67zQdw45RArDpsUDf

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    SFloWnRSeGdTU1NRTFBBYWREQ0NCRldsRnN1SllL

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    2

  • server_signature

    RA/q8t7T8c1coVbZmtUD+5mXhK3PC1gWieRwjUrBL49TtEyadC8Jcwm3qYckSaXiYcaY1z2SmBSUbT2zl6JCyDVrbDNb3Zzn9/sjJBLw3jATENnxacaVDsWsanIIeayXh/mJCGGNxtAy2Z0557uWz4A8z+qOppIpEb8VjJqBxJziD88EmINH/FqQEOKP+nH2fnkITPcetENdd6AI7kuu7iynMux8lM5/hUn+VCQpx0AxIpH5m9ZwSQkJ62nnasTNDF0owmqHKUNI815+MLZboPf4DpUTWslulIgebd3BvjfLEbsmPR4kK+lcfOZeuFqvp/Fbe4TPD05LvxrTQy8+AK+/tfITiTSrRXKeyvF8pYX6yr1CH2tOt1WFieGegCD3TCP/+gqsYx7lgHBlxMn2KZlGK4jHiDw42CrICcG9IXE0XkZE7qJRyQPPPGjoITU7sMyq43MmdBmCcV14ImVPl0p9F3ExjfMoHQWKumxeZ5nijoEoCIZO8ktAJOk81zzdXZWJ9jQ0xYcq2sd4774q02CJBhDsQphxJcly3Qlhk2wKQoBHpGo8OG1nqS76mvkKQeJgodERzqCpn230+rHRnWdvZn4PpY2/gyB+pGwYTZB/EGMxMxwNgz3fwJUkFazscDCKibD7vZo2mWkDsm5bVT6FnbSthrt94Yy0qDaKYZU=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

    trojansilverrat
  • Silverrat family
    silverrat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Rat.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2636
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2084
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2768
      • C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
        "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:656
        • C:\Windows\system32\schtasks.exe
          "schtasks.exe" /query /TN $77Windows Security Process.exe
          4⤵
            PID:2992
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /Create /SC ONCE /TN "$77Windows Security Process.exe" /TR "C:\Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe \"\$77Windows Security Process.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2060
          • C:\Windows\system32\schtasks.exe
            "schtasks.exe" /query /TN $77Windows Security Process.exe
            4⤵
              PID:2064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2204
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2912

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp648.tmp.bat
        Filesize

        176B

        MD5

        ccdcf3373f4fba1cb8760881819c3bd8

        SHA1

        715c5320db163da1523e2d9b739ed9dfaf0b9b46

        SHA256

        2d7dfb1bc0b90729c56fa958d12dc0edf8d6007ab79dc13ada597e6ce76a1ae6

        SHA512

        4ad727c623d3af9214903faf5e94c458472792d441e1efcc143f832b4cf114d64b091b35b5e4f2eab8140fa4f98d9b2bdee721de8cfa65deb0d0b5e256462f9b

        Download Submit

      • \Users\Admin\AppData\Roaming\zt-WD\$77Windows Security Process.exe
        Filesize

        45KB

        MD5

        c41469be0e653ddb4552a3f1a16caba6

        SHA1

        d2e0c8d5bd49337b5cef1f325632ba6c356d5661

        SHA256

        166fc117f762f70928200d37c24352583e1aca1aba54429975ac828452cf5ff0

        SHA512

        0599b00efc97b7805679040903e9b5f7fdfa7c4e00e7b12fc0a79b89286dea6665efd87f817b9b9f8e2e165714df07e8dbe21b3121b0af3f6f3c87b10837c749

        Download Submit

      • memory/656-19-0x000000013FA40000-0x000000013FA50000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2124-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2124-1-0x000000013FA90000-0x000000013FAA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2124-2-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-3-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2124-4-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2124-14-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2204-24-0x000000001B5A0000-0x000000001B882000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2204-25-0x0000000002690000-0x0000000002698000-memory.dmp

        Filesize

        32KB

        Download