General
- Target: SilverClient.exe
- Size: 43KB
- Sample: 250302-as6q7sxxf1
- MD5: df9212a0163effe64095200b9ad867f5
- SHA1: e8a77b166ba19784bfd0546dd62397a0acae1310
- SHA256: d494db603dfaf4c18809920edcf13c698a305f62fead6e94f2a5f88d403e6feb
- SHA512: 09b7813508360ee8e925285da66db02cc834641de926a02d025d882ea22b98a2cf593f1627c65fb1c120bfcad3e4025cfd5ef490248d4f2aedc9bf96f3bc9dac
- SSDEEP: 768:rbEGkZdPd1C8oe/R56nfcbeiickhO8i2amxR5rdkWK2RUjQv9SwBzu+QSB6SvZMY:rgRui5AfcbeiiNJxR0D2GUv9M+5o0SnY
Behavioral task: behavioral1
- Sample: SilverClient.exe
- Resource: win10ltsc2021-20250218-en
Malware Config
Extracted: silverrat
- 1.0.0.0
- 4.tcp.ngrok.io:13975
- lAxDBRhAFu
- certificate:
- decrypted_key: -|S.S.S|-
- discord: https://discord.com/api/webhooks/1345519723651006547/1osSQ83PtyY43SLnhWBuoR8KAzXdHONoKnCscV1R6yfHIhgTpaWGyVY0jpsE0y3YkSzc
- key: yy6zDjAUmbB09pKvo5Hhug==
- key_x509: U2pYbXhHdVRmV3pFU2JkYkF2ZlBhU2FSUEh2dlVV
- payload_url: https://g.top4top.io/p_2522c7w8u1.png
- reconnect_delay: 4
- server_signature:
Targets
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Silverrat family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
- Disables RegEdit via registry modification
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
- Hide Artifacts: Hidden Users
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (technique: number of matching signatures)

Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 4
  - Windows Service: 4
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 4
  - Windows Service: 4
- Event Triggered Execution: 1
  - Netsh Helper DLL: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1

Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Hide Artifacts: 3
  - Hidden Files and Directories: 2
  - Hidden Users: 1
- Impair Defenses: 5
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 4
- Modify Registry: 8