silverrat | c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d

General

Target

c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
Size

41KB
MD5

93ef50df74666f54da98625bc7842ff6
SHA1

eb45709f3b838482060703221f0e8283e583523f
SHA256

c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d
SHA512

d959a28008a710c22aab50e39fffc62f445e9d8acc2fd1a661d3b4b2290c3504c613533db822dd93a2a6b445f3488026b3335ed3e3be3dffd1a68ab1eec056e8
SSDEEP

768:mdoPA8PnwIt3dO3CTRkayAdzRU59fj7z1QB6SAdxU:mdold7tbzG59Lv1QotdxU

Score

10^/10

silverrat defense_evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

127.0.0.1:9999

Mutex

lAxDBRhAFu

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
b0FGeVZNcFRMWVloVHR6Z0VESU5RdlpZUmxZbUFE
reconnect_delay
4
server_signature
t9H0tGywaq23QHywsvniYlva2DUEoHwEX4RZOKw6QYOUUUEs6+qPhkwL0ziJc2nYj2yd5E4o3kMJj8NRpRTkpZcyIg/ljsBjIY4uuTgySYNYShSJRrNgQc/XiUXjH546feRdpS3EuZPWH15iNA3U89kmdXU1BOtms28guz5MUZ/jdeGBHbjPJULpyM8EgGGdK3ajqJ+NWQxPHql47XGQFXqJ5PauE0xmpcMKt+LU7fe+NS0Yx11uv+tRwSlMmFhYU9pSYoS8zZ7Lyeaw8rcxs06oecNxLKcmbSH3H5QWo4qYq/Y7HAeBmLEHHB5t8+bCVeDMfccmct8s+aZpljSceGlri2HJsxEjZ7FYmh4+o8bhacTmqQyE99P1kSa4FAWPLn59j5s1nO91Sb/rMvcNUApgatm6ZRZjc+Ninv7rXwFncnT7eRSRvldp7PohX6bsJEJRMnfLT4YxM0TzqV9POSK0hjrRojbiRQWahccxQRKfg3TcVxNnNjCQWMOJ0YzNuQ0ZSTLPO3QA4v/0cwD5nBhPdhowAnMUb4j61HsPdaQnKXvlx377vbMOowWJFqGC1ES1rKn843GMu81HL7FJsfrpqglmmFTddG3IwkeJU7umxj41+anidgCco7Jzbii9D9e4l2DF3EuhYg+qIuiwNw4ACh3olxSGStXl952V/dY=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5024	attrib.exe
4036	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	powercheat.exe

Executes dropped EXE 1 IoCs

pid	Process
1012	powercheat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\powercheat\\powercheat.exe\""	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1416	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1420	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
1012	powercheat.exe
1416	powershell.exe
1416	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
Token: SeDebugPrivilege	1012	powercheat.exe
Token: SeDebugPrivilege	1416	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1012	powercheat.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 5024	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	87
PID 2484 wrote to memory of 5024	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	87
PID 2484 wrote to memory of 4036	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	89
PID 2484 wrote to memory of 4036	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	89
PID 2484 wrote to memory of 3772	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	100
PID 2484 wrote to memory of 3772	2484	c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe	100
PID 3772 wrote to memory of 1420	3772	cmd.exe	102
PID 3772 wrote to memory of 1420	3772	cmd.exe	102
PID 3772 wrote to memory of 1012	3772	cmd.exe	103
PID 3772 wrote to memory of 1012	3772	cmd.exe	103
PID 1012 wrote to memory of 848	1012	powercheat.exe	104
PID 1012 wrote to memory of 848	1012	powercheat.exe	104
PID 1012 wrote to memory of 4476	1012	powercheat.exe	106
PID 1012 wrote to memory of 4476	1012	powercheat.exe	106
PID 1012 wrote to memory of 2240	1012	powercheat.exe	108
PID 1012 wrote to memory of 2240	1012	powercheat.exe	108
PID 1012 wrote to memory of 1416	1012	powercheat.exe	110
PID 1012 wrote to memory of 1416	1012	powercheat.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5024	attrib.exe
4036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe
"C:\Users\Admin\AppData\Local\Temp\c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\powercheat"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5024
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\powercheat\powercheat.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1420
- - C:\Users\Admin\powercheat\powercheat.exe
    "C:\Users\Admin\powercheat\powercheat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN powercheat.exe
      4⤵
      PID:848
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "powercheat.exe" /TR "C:\Users\Admin\powercheat\powercheat.exe \"\powercheat.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4476
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks.exe" /query /TN powercheat.exe
      4⤵
      PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmx2yl3z.jpa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7E4.tmp.bat

Filesize
149B

MD5
a0aea8d389a65ef5635e0cc62558b169

SHA1
ebd67d1837f52e2bbbd302eb33bdf7810c43364c

SHA256
3b246b846d95537757b795d7219efbd22cc7fceaac053a9deff683b79afc4163

SHA512
dd22ff1e25714cd08c6b517c51a3f052ba8f6b3defab45a91fe0f42061ee11a4eed90422ca21af25e187d2268594e7cf4004e9a5ef80e8287c0f26dd4ab92b92

Download Submit
C:\Users\Admin\powercheat\powercheat.exe

Filesize
41KB

MD5
93ef50df74666f54da98625bc7842ff6

SHA1
eb45709f3b838482060703221f0e8283e583523f

SHA256
c9ecb84814dbdd6ca8db5e7998eba0f0d79bf1cfc74281aaf9463e150954ae1d

SHA512
d959a28008a710c22aab50e39fffc62f445e9d8acc2fd1a661d3b4b2290c3504c613533db822dd93a2a6b445f3488026b3335ed3e3be3dffd1a68ab1eec056e8

Download Submit
memory/1012-11-0x00007FFDE64A0000-0x00007FFDE6F61000-memory.dmp

Filesize
10.8MB

Download
memory/1012-24-0x00007FFDE64A0000-0x00007FFDE6F61000-memory.dmp

Filesize
10.8MB

Download
memory/1416-17-0x0000022F7AC70000-0x0000022F7AC92000-memory.dmp

Filesize
136KB

Download
memory/2484-1-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/2484-0-0x00007FFDE64A3000-0x00007FFDE64A5000-memory.dmp

Filesize
8KB

Download
memory/2484-2-0x00007FFDE64A0000-0x00007FFDE6F61000-memory.dmp

Filesize
10.8MB

Download
memory/2484-4-0x00007FFDE64A0000-0x00007FFDE6F61000-memory.dmp

Filesize
10.8MB

Download
memory/2484-9-0x00007FFDE64A0000-0x00007FFDE6F61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads