Overview

overview

10

Static

static

1

test.txt

windows11-21h2-x64

10

Resubmissions

19-02-2025 15:01

250219-sd5jpstkem 10

19-02-2025 14:36

250219-rylfwssqcq 7

19-02-2025 13:45

250219-q2l16a1rfz 10

19-02-2025 13:42

250219-qzvwaa1rdv 4

18-02-2025 16:21

250218-ttqadstlfr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.txt

  • Size

    18B

  • Sample

    250216-mfpclssnak

  • MD5

    5b3f97d48c8751bd031b7ea53545bdb6

  • SHA1

    88be3374c62f23406ec83bb11279f8423bd3f88d

  • SHA256

    d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

  • SHA512

    ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6

Score
10/10
dcratsilverratcredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

auto-london.gl.at.ply.gg:51655

Mutex

SilverMutex_kTAAZjMenK

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1253749007772160090/mxExcAUGlJgTCbYOk_u7JJAnNpsIhMne5e0PjqkRY2MV_40Bgpix2Ezib84aFxRmN66j

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    QnZ2VW1rTFlUa09ESXhCRkdHYURSSlBBdk5SQk5J

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    0

  • server_signature

    RMCh38rJRIwRMYf2Sbpd9BzSePeTpscme+fLNDX9Bf6O5IR+EWvJS971m1lprJ/vpdLYQPZIImuX69267sqtVY2b3yH1lw7e7EZaXIHsGFR2uyeUjLQeAjD47DWaaKkGg8wKKEQ7AX8lBa1tYmqDorMfwQ9K2xlGjrxnS9ZotbBaz/KmFDUSwnUEWc6K5tKdqXQ5scv4Iejt9hGqjIxCo1c3AyRwr1eezKhGK66t4Y1aPVfqkIwuI23vWEPPjJYRDn5dWq5EykrPUBvH+OORD9xrQmM63F/gLb5d5/LlrOqSfkd5/yTv8YROpQfzMAYH5k10o6P4I+oBlGpJ9MwzL5Y4JBHSJyiG/m9XuEYKxe1zgffuIhU/xo30i0YC/hkKd5U8BP5k6PdZg9OLI+a8k7sa4/Sk/9Zkjx27VuOZdZs8IMP9t8mumexIqz2fvkwSO79gNHehbK8Y1feAFrlzCMoxK06XKuMRCyGOPse3sNm57TPHUBbk5yhteOGujQ9402QViU3tL9ZQR4rN71H4CBlNHaHbc0PO4+WhgxaAkr3W2/OOCyoaGrX1Kv18VFwwqB9Gqj0wG0MsA+femZUx/+SY41jQ715JwPCrD4aNkKu7xrjYnii+JjVsgNqaLVOhWv1VjL3qkCJ9kf0c7ob8qNOXaePlpZmHsWg/fgChnAk=

Targets

    • Target

      test.txt

    • Size

      18B

    • MD5

      5b3f97d48c8751bd031b7ea53545bdb6

    • SHA1

      88be3374c62f23406ec83bb11279f8423bd3f88d

    • SHA256

      d8fce9dd9c65ca143343f7711859a7cffc3c5e656a8b84108183fb769a12ed8b

    • SHA512

      ed2de1eec50310ced4bde8ef6ae4b7902920b007df7b6aeb200cfe9fcc0d36ef05af7526c4675be2feac52831668798d5fe3523175efad6f6549b30f30a0b5d6

    Score
    10/10
    dcratsilverratcredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceprivilege_escalationratspywarestealertrojanupx

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • SilverRat

      SilverRat is trojan written in C#.

      trojansilverrat

    • Silverrat family

      silverrat

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      defense_evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      defense_evasion

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

4
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks