silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0 | Triage

Analysis

max time kernel
841s
max time network
842s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 22:10 UTC

Sharing

Report Analysis Logs

General

Target

rat/SilverClient - Copy (2).exe
Size

43KB
MD5

44a5ff2feda2634ae7d9fadc97ebd0a0
SHA1

9a763aefd806585e11a36203e575ae142f38bc6c
SHA256

5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8
SHA512

cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca
SSDEEP

768:GdmcASe38zJ/Ol6IoZmtPHJm7+avCJ8eEPNRULQD9PUGa7AB6Sh/lE:GdmcASeuOtvhmeZKNGsD9pYAoS/lE

Score

10^/10

silverrat defense_evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

if-eventually.gl.at.ply.gg:17094

Mutex

Mutex_DthEiIseBZ

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
eGlwZU1BZVJwdkFBdllxYmdRQUJ2eWtsbVVURFhE
reconnect_delay
0
server_signature
82XrwJstrm0nqjslD808bx+Ume3efeGMf7zUlVkngpQb87z21PsSKQBcTZK9EaXM0QyjpcsVNJXl0qmSosxJJOm0KKVMHYKGnVBNCZLj5O99+4v22ZWCi56RWOs9+ng8qwN8xdzn3HnKucPRz7a8JhI+UEI2ukS8ZhVfV7qf1oq6FwIG1uh4L4GwsQcfllQtFIzrcJqIdmWxM3WuMauxIW/Zzj51aSjpesrkHtxhBfKl3W4xhpX5jcWIcCiLfvfQ9E+PNUX749MGWb8fbvDdeI5yZun92ZZlcYpsymaYSEGIyzYotaZEVnsVattoVvsdOkWrsVqlKf4XIPFxmijkMaGQ/ayfFFpbjWPbyeJGlIAa+KbR5CxvF59/zedZirVAcFOWAzE/E/+kyxIbNtd6o7GZE2ZcIsMeei2HIjuCiWKsiV7qLY7vd//T8Rf8mG5/4i/xCiDG7HHX4oSx6mi6u97uThj6ULk43RmOL+fHaV2J+DewyDSivdrRWlQ95pX8FlRiKXlaJIxCbTWOwxsK2xebzkbsUKGGsOwCA/UQJ1TXNmatbaNqldHgqXKgYSFLRIiLDgM0xZQ+ThJag+cRkT7qr7W7HVaFlDNiLbVm4QZ34Iy//W3TM7w17dYghMhn3550gafqXCLOIH9vPh+YF9KVG3e3EOrkYaDUQK13PxY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

pid	Process
2652	attrib.exe
2752	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2924	$77Runtime Broker.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (2).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

PowerShell

pid	Process
2276	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2700	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1060	schtasks.exe
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1976	SilverClient - Copy (2).exe
1976	SilverClient - Copy (2).exe
1976	SilverClient - Copy (2).exe
2924	$77Runtime Broker.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2068	vssvc.exe
Token: SeRestorePrivilege	2068	vssvc.exe
Token: SeAuditPrivilege	2068	vssvc.exe
Token: SeDebugPrivilege	1976	SilverClient - Copy (2).exe
Token: SeDebugPrivilege	2924	$77Runtime Broker.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2924	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2652	1976	SilverClient - Copy (2).exe	34
PID 1976 wrote to memory of 2652	1976	SilverClient - Copy (2).exe	34
PID 1976 wrote to memory of 2652	1976	SilverClient - Copy (2).exe	34
PID 1976 wrote to memory of 2752	1976	SilverClient - Copy (2).exe	36
PID 1976 wrote to memory of 2752	1976	SilverClient - Copy (2).exe	36
PID 1976 wrote to memory of 2752	1976	SilverClient - Copy (2).exe	36
PID 1976 wrote to memory of 2032	1976	SilverClient - Copy (2).exe	39
PID 1976 wrote to memory of 2032	1976	SilverClient - Copy (2).exe	39
PID 1976 wrote to memory of 2032	1976	SilverClient - Copy (2).exe	39
PID 2032 wrote to memory of 2700	2032	cmd.exe	41
PID 2032 wrote to memory of 2700	2032	cmd.exe	41
PID 2032 wrote to memory of 2700	2032	cmd.exe	41
PID 2032 wrote to memory of 2924	2032	cmd.exe	42
PID 2032 wrote to memory of 2924	2032	cmd.exe	42
PID 2032 wrote to memory of 2924	2032	cmd.exe	42
PID 2924 wrote to memory of 1628	2924	$77Runtime Broker.exe	44
PID 2924 wrote to memory of 1628	2924	$77Runtime Broker.exe	44
PID 2924 wrote to memory of 1628	2924	$77Runtime Broker.exe	44
PID 2924 wrote to memory of 1060	2924	$77Runtime Broker.exe	46
PID 2924 wrote to memory of 1060	2924	$77Runtime Broker.exe	46
PID 2924 wrote to memory of 1060	2924	$77Runtime Broker.exe	46
PID 2924 wrote to memory of 2156	2924	$77Runtime Broker.exe	48
PID 2924 wrote to memory of 2156	2924	$77Runtime Broker.exe	48
PID 2924 wrote to memory of 2156	2924	$77Runtime Broker.exe	48
PID 2924 wrote to memory of 2276	2924	$77Runtime Broker.exe	50
PID 2924 wrote to memory of 2276	2924	$77Runtime Broker.exe	50
PID 2924 wrote to memory of 2276	2924	$77Runtime Broker.exe	50
PID 2924 wrote to memory of 2308	2924	$77Runtime Broker.exe	52
PID 2924 wrote to memory of 2308	2924	$77Runtime Broker.exe	52
PID 2924 wrote to memory of 2308	2924	$77Runtime Broker.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

pid	Process
2652	attrib.exe
2752	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (2).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (2).exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2652
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2752
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A92.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2700
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:1628
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1060
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:2156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

DNS

if-eventually.gl.at.ply.gg

$77Runtime Broker.exe

Remote address:

8.8.8.8:53

Request

if-eventually.gl.at.ply.gg

IN A

Response

if-eventually.gl.at.ply.gg

IN A

147.185.221.25

147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

3.6kB
4.8kB
39
28
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

432 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

364 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

368 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

364 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

368 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

364 B
172 B
4
4
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

368 B
132 B
4
3

8.8.8.8:53

if-eventually.gl.at.ply.gg

dns

$77Runtime Broker.exe

72 B
88 B
1
1

DNS Request

if-eventually.gl.at.ply.gg

DNS Response

147.185.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A92.tmp.bat

Filesize
199B

MD5
e601f4fe40faa5e84685e326d8497689

SHA1
0534d8aaf3f6167305457705c6f6c8ddae7f51e9

SHA256
d43e4e5e2f3598fe40d749446041ef19aab3d48f44264af2be73dd2ce4f1601a

SHA512
9b664a2ab66c6f004b180f4374e798cccd82f87be5dbeb11a9264c3c060332ea668a9565d8a1cbcd91f80da411483d3382975ab6293b92626daeeee009379319

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe

Filesize
43KB

MD5
44a5ff2feda2634ae7d9fadc97ebd0a0

SHA1
9a763aefd806585e11a36203e575ae142f38bc6c

SHA256
5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8

SHA512
cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca

Download Submit
memory/1976-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x000000013F510000-0x000000013F520000-memory.dmp

Filesize
64KB

Download
memory/1976-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-3-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/1976-4-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-14-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2276-24-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2276-25-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2924-19-0x000000013FB70000-0x000000013FB80000-memory.dmp

Filesize
64KB

Download