silverrat | c9c505c8607cad0f8b787fe677ac182fc697930d9ef1895178c50e4f8d99f0c0 | Triage

Analysis

max time kernel
839s
max time network
841s
platform
windows7_x64
resource
win7-20240903-ja
resource tags

arch:x64arch:x86image:win7-20240903-jalocale:ja-jpos:windows7-x64systemwindows
submitted
08/03/2025, 20:05 UTC

Sharing

Report Analysis Logs

General

Target

rat/SilverClient - Copy (14).exe
Size

43KB
MD5

44a5ff2feda2634ae7d9fadc97ebd0a0
SHA1

9a763aefd806585e11a36203e575ae142f38bc6c
SHA256

5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8
SHA512

cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca
SSDEEP

768:GdmcASe38zJ/Ol6IoZmtPHJm7+avCJ8eEPNRULQD9PUGa7AB6Sh/lE:GdmcASeuOtvhmeZKNGsD9pYAoS/lE

Score

10^/10

silverrat defense_evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

if-eventually.gl.at.ply.gg:17094

Mutex

Mutex_DthEiIseBZ

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
eGlwZU1BZVJwdkFBdllxYmdRQUJ2eWtsbVVURFhE
reconnect_delay
0
server_signature
82XrwJstrm0nqjslD808bx+Ume3efeGMf7zUlVkngpQb87z21PsSKQBcTZK9EaXM0QyjpcsVNJXl0qmSosxJJOm0KKVMHYKGnVBNCZLj5O99+4v22ZWCi56RWOs9+ng8qwN8xdzn3HnKucPRz7a8JhI+UEI2ukS8ZhVfV7qf1oq6FwIG1uh4L4GwsQcfllQtFIzrcJqIdmWxM3WuMauxIW/Zzj51aSjpesrkHtxhBfKl3W4xhpX5jcWIcCiLfvfQ9E+PNUX749MGWb8fbvDdeI5yZun92ZZlcYpsymaYSEGIyzYotaZEVnsVattoVvsdOkWrsVqlKf4XIPFxmijkMaGQ/ayfFFpbjWPbyeJGlIAa+KbR5CxvF59/zedZirVAcFOWAzE/E/+kyxIbNtd6o7GZE2ZcIsMeei2HIjuCiWKsiV7qLY7vd//T8Rf8mG5/4i/xCiDG7HHX4oSx6mi6u97uThj6ULk43RmOL+fHaV2J+DewyDSivdrRWlQ95pX8FlRiKXlaJIxCbTWOwxsK2xebzkbsUKGGsOwCA/UQJ1TXNmatbaNqldHgqXKgYSFLRIiLDgM0xZQ+ThJag+cRkT7qr7W7HVaFlDNiLbVm4QZ34Iy//W3TM7w17dYghMhn3550gafqXCLOIH9vPh+YF9KVG3e3EOrkYaDUQK13PxY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

pid	Process
2748	attrib.exe
2636	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
1948	$77Runtime Broker.exe

Loads dropped DLL 1 IoCs

pid	Process
2312	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\SysTemp64\\$77Runtime Broker.exe\""	SilverClient - Copy (14).exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

PowerShell

pid	Process
2000	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1428	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1808	schtasks.exe
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2184	SilverClient - Copy (14).exe
2184	SilverClient - Copy (14).exe
2184	SilverClient - Copy (14).exe
1948	$77Runtime Broker.exe
2000	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeDebugPrivilege	2184	SilverClient - Copy (14).exe
Token: SeDebugPrivilege	1948	$77Runtime Broker.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	$77Runtime Broker.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2748	2184	SilverClient - Copy (14).exe	32
PID 2184 wrote to memory of 2748	2184	SilverClient - Copy (14).exe	32
PID 2184 wrote to memory of 2748	2184	SilverClient - Copy (14).exe	32
PID 2184 wrote to memory of 2636	2184	SilverClient - Copy (14).exe	34
PID 2184 wrote to memory of 2636	2184	SilverClient - Copy (14).exe	34
PID 2184 wrote to memory of 2636	2184	SilverClient - Copy (14).exe	34
PID 2184 wrote to memory of 2312	2184	SilverClient - Copy (14).exe	38
PID 2184 wrote to memory of 2312	2184	SilverClient - Copy (14).exe	38
PID 2184 wrote to memory of 2312	2184	SilverClient - Copy (14).exe	38
PID 2312 wrote to memory of 1428	2312	cmd.exe	40
PID 2312 wrote to memory of 1428	2312	cmd.exe	40
PID 2312 wrote to memory of 1428	2312	cmd.exe	40
PID 2312 wrote to memory of 1948	2312	cmd.exe	41
PID 2312 wrote to memory of 1948	2312	cmd.exe	41
PID 2312 wrote to memory of 1948	2312	cmd.exe	41
PID 1948 wrote to memory of 1800	1948	$77Runtime Broker.exe	43
PID 1948 wrote to memory of 1800	1948	$77Runtime Broker.exe	43
PID 1948 wrote to memory of 1800	1948	$77Runtime Broker.exe	43
PID 1948 wrote to memory of 1808	1948	$77Runtime Broker.exe	45
PID 1948 wrote to memory of 1808	1948	$77Runtime Broker.exe	45
PID 1948 wrote to memory of 1808	1948	$77Runtime Broker.exe	45
PID 1948 wrote to memory of 292	1948	$77Runtime Broker.exe	47
PID 1948 wrote to memory of 292	1948	$77Runtime Broker.exe	47
PID 1948 wrote to memory of 292	1948	$77Runtime Broker.exe	47
PID 1948 wrote to memory of 2000	1948	$77Runtime Broker.exe	49
PID 1948 wrote to memory of 2000	1948	$77Runtime Broker.exe	49
PID 1948 wrote to memory of 2000	1948	$77Runtime Broker.exe	49
PID 1948 wrote to memory of 2600	1948	$77Runtime Broker.exe	51
PID 1948 wrote to memory of 2600	1948	$77Runtime Broker.exe	51
PID 1948 wrote to memory of 2600	1948	$77Runtime Broker.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

pid	Process
2748	attrib.exe
2636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (14).exe
"C:\Users\Admin\AppData\Local\Temp\rat\SilverClient - Copy (14).exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2748
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2636
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:1800
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77Runtime Broker.exe" /TR "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe \"\$77Runtime Broker.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1808
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77Runtime Broker.exe
      4⤵
      PID:292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

DNS

if-eventually.gl.at.ply.gg

$77Runtime Broker.exe

Remote address:

8.8.8.8:53

Request

if-eventually.gl.at.ply.gg

IN A

Response

if-eventually.gl.at.ply.gg

IN A

147.185.221.25

147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

1.2kB
52 B
11
1
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

950 B
52 B
9
1
147.185.221.25:17094

if-eventually.gl.at.ply.gg

tls

$77Runtime Broker.exe

368 B
132 B
4
3

8.8.8.8:53

if-eventually.gl.at.ply.gg

dns

$77Runtime Broker.exe

72 B
88 B
1
1

DNS Request

if-eventually.gl.at.ply.gg

DNS Response

147.185.221.25

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Hide Artifacts

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp.bat

Filesize
198B

MD5
1287827428500860ef923ba099a05dec

SHA1
43ba24af99e72fbb656b6802ea813bcafcd23442

SHA256
f0fd60cf4d0cc5b6f95411cd4c903ae35d0f9a651618e7ae5d61334fa67dceb5

SHA512
31a1f7da19118e9842cfd69b33bee9376379e84f88129401f561a97d141be225894b2c96d01e457980ac5489ebfe5bd68e73baec4bd54b85c1e240f2be6b04e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\SysTemp64\$77Runtime Broker.exe

Filesize
43KB

MD5
44a5ff2feda2634ae7d9fadc97ebd0a0

SHA1
9a763aefd806585e11a36203e575ae142f38bc6c

SHA256
5dde6801897a7d76c16e64c0b36a3280fbf5371642a690b85ddd31538c4458d8

SHA512
cebc24998c33d7fe8bcdba5183d60c36b3ccaac247d0ee206a73485236453c109dc269522df01d85f58efd3d7a28358221f2139f11356f95f9b8283475f576ca

Download Submit
memory/1948-19-0x000000013FAF0000-0x000000013FB00000-memory.dmp

Filesize
64KB

Download
memory/2000-27-0x0000000002A50000-0x0000000002AA0000-memory.dmp

Filesize
320KB

Download
memory/2000-24-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2000-25-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2000-26-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2000-28-0x0000000002720000-0x000000000272A000-memory.dmp

Filesize
40KB

Download
memory/2000-29-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2000-30-0x000000001BA60000-0x000000001BAB8000-memory.dmp

Filesize
352KB

Download
memory/2184-4-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-3-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2184-14-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-2-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2184-1-0x000000013F5D0000-0x000000013F5E0000-memory.dmp

Filesize
64KB

Download
memory/2184-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download