Overview

overview

10

Static

static

10

Zenith Pai...th.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2025, 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zenith Paid (free)/Zenith.exe

  • Size

    253KB

  • MD5

    a3f5ca99bab4cd1278c4ba236e2ebdc0

  • SHA1

    39140ab5086d55fda03bbaf10f5d21f12b8cbb65

  • SHA256

    9489fa54b4d4b8445967acdd0c82f5bde71d5fc7176e29cba1a0e489e14e2260

  • SHA512

    a3a608f2e51fd4065662579b6f2b20046600e90385375425de62e3436478864b6d0b81862a0172322fc8947886ac3e7358914cb9ae6ed40b22c45c2100c0e10d

  • SSDEEP

    3072:uPmKPpGI/9d9tsOJJP3TrIp3LLffmqdWnX/7v:Z0/9dJJJ/Tr0bCiWXL

Score
10/10
silverratdefense_evasionexecutionpersistencetrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

primary-spencer.gl.at.ply.gg:44605

Mutex

SilverMutex_THTKnubHYs

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1360028237673271410/L71d1vKuqVi0a8hRaNkZVq16u74QldOvKu2ka_rmGztXjyZ_2kCjg6qcKhW8ADujYXyZ

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    eG90dHZtYlpmaWpZd1FZQ2l3b2N4TURvUWZSYkxS

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

  • server_signature

    PwsFwyulCMo6APH+AHSxvFJ5Sh1NCPDclAC0Rad1OYF1TVa6KVvqaOPlEYIR2tcrD0uLpS3MYaA+J/JrgifE4UvnMghukhnlrrNe6LK4S6PYn3T+ysqaJE8OWIAtSMipFU6SIYVOGBqpZb2JEvjNk3c0n358BbxsroFUGY0k5PtWap2ymVwA0MSYcZujbe0FNZ/BHcKzjGiv+9Yb1m0KZJQ6JU8E9eBlVeJSLOMluNvRNerLrrfG/ft62MFDVlCgeKLY9ISd7cE2Z6eTzgmG/oMfkTrdvzvFJQ4frklKfdA+/TrNa1PK2n7txPzA130BAOCY/lmeEKTfYC7COtfsTYGXHcR7eXivgeZIhq4hoQnNgbdV9JP1d+mYaFKLqAX/JkP+wgXcEHTUTkyfnUXp3nzGMHxK+/dD3938GBulI0+JKJaq1ryX+lIg+Khh2WfBm7IQ5kYt1C7A6j7/FNY8aLcTM+1XEKGOq9I+eUSCAFPKkd9Or8HMU4Q3rtvyaqaSPTJHVEtBNUtFDUi6bbCUm/JneGvaKjrngZ1Wg0mx3JfVv144FOmoYrHZ/IhnWWthuZ6lE5UoYn2SRwg8o4WhNNX784I5I8MqfYuUD5tbh2TUd1xlXdPs4EQAZJVMCqMQkajQFyhdNGmR/u3RdnUpXi2V3qBUlVqteTpzms0A7VA=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

    trojansilverrat
  • Silverrat family
    silverrat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zenith Paid (free)\Zenith.exe
    "C:\Users\Admin\AppData\Local\Temp\Zenith Paid (free)\Zenith.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\wininit.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3040
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2008
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9A7.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5712
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3552
      • C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
        "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
        3⤵
        • Executes dropped EXE
        PID:5008
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
      C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4960

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hld4r5me.jcw.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpD9A7.tmp.bat
    Filesize

    160B

    MD5

    6eb3f9ef6ebbc92fcb2ecfe9b1a0e3fa

    SHA1

    ddab5d8973da4771100b5d021c684f889f520b1f

    SHA256

    6bcbf9760ca46fc1a342abf655ad7348408899980098a514206b7e5247eade9b

    SHA512

    213021b4925dbb783f9f664a9de0953a34ac775aff16501eb195008c881b35b422b5236c7b63e9b9635e6f34e110038036d2cb4f4301528b014d37bac06a51dc

    Download Submit

  • C:\Users\Admin\wininit.exe\$77runtimebroker.exe.exe
    Filesize

    253KB

    MD5

    a3f5ca99bab4cd1278c4ba236e2ebdc0

    SHA1

    39140ab5086d55fda03bbaf10f5d21f12b8cbb65

    SHA256

    9489fa54b4d4b8445967acdd0c82f5bde71d5fc7176e29cba1a0e489e14e2260

    SHA512

    a3a608f2e51fd4065662579b6f2b20046600e90385375425de62e3436478864b6d0b81862a0172322fc8947886ac3e7358914cb9ae6ed40b22c45c2100c0e10d

    Download Submit

  • memory/2516-0-0x00007FFE6A663000-0x00007FFE6A665000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2516-1-0x0000000000490000-0x00000000004D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2516-2-0x00007FFE6A660000-0x00007FFE6B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2516-3-0x00007FFE6A663000-0x00007FFE6A665000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2516-4-0x00007FFE6A660000-0x00007FFE6B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2516-9-0x00007FFE6A660000-0x00007FFE6B121000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4960-23-0x000002EE07E80000-0x000002EE07EA2000-memory.dmp

    Filesize

    136KB

    Download