silverrat | 094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b

General

Target

094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
Size

240KB
MD5

698082ab63f5a052cbe8988b609b006a
SHA1

c51ad34d4821fdec3281ff874b832fbc8bd1e846
SHA256

094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b
SHA512

ef2e878cb3e62d2bd3969c985294957c6c1728f808c7a058ec18cfcaf8f9e16043960bc7be44477393f82a98af02416e0e038efb6ea6dd4f90334dfb02c70c3e
SSDEEP

1536:1NV+sAk3jeD14bEGUx90IoGxziJWEsO+6r2ip:1vx3jeDeEGUx90dms+6X

Score

10^/10

silverrat defense_evasion execution persistence trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

traffic-equipment.gl.at.ply.gg:37035

Mutex

wnykMJYHba

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
discord
https://discord.com/api/webhooks/1362208671114723479/LvdkCF57ZASLhyMey8E8SalpGbpRjudiP5GtndFuJHj6Qkuha-CXPrshzVau_JY7H3k6
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
VFNiTWdsYVhhVVNtVUVHRU1KRndBWUxYWG9scEJZ
payload_url
https://g.top4top.io/p_2522c7w8u1.png
reconnect_delay
4
server_signature
mp9V0JWSKtT8uwTIBNy2FXRQ7hfXsX36XLCnRjK+gohUGYXq/mjIdL74SEit/sc1mm2m4XpITK4PL7PbEIDKX9MbrNT2N7n2RONx9zrBInUpkHxU/yV7xURUsSDU+qtK9HqeErndjZjTZXo0xItKkT7bX9MPd139qW/KU1C4meq/BjeSipehQYKB2f8t6r3n6Oe/fXjRAUNJvmG790Mbrh/LgduunxchcddCk7bDqoEprodwfPEAwO3PhwMdKr/efupYlBqVIx1zuoV62BTU5nO9eHknCGHtemZ4BtrcscoMWzchgPnvcbYojRXoFMdDHYOtqb6O3i+r34KboL4CSctRlCCfCs7w4VjsSJEZrNwgSStDCcyyOSXFOTZNfN9mAemip/v45EeqTvNXAMv1J4bqVw2sNE56oWuhVnrS6Vaz1uGf7oQPCrwxsg3YoGQ86uD5iEkYkpvuRuVQs2pRm1s79UDg23hXtkFdubl4BHxjlnM4BfA3n2nzekDl+jjrOsOyRh9B7TJWMGwc1FFy82w8IBowfTmMDQjnfdYH0k6/xFg8iocrze0lpJvNMj/VPOFf+vzM1gcRIJio0PMIEOrbxTAJ1G6N/QQEyaXu2vPdvaaoTQtQYOfWp/3qWZYhStIXnuP1ELQcNNW0mKRz0N9GwzfF/RCz1PFc2i17ejs=

Signatures

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3976	attrib.exe
4400	attrib.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	$77Windows Security Health Service.exe

Executes dropped EXE 2 IoCs

pid	Process
4436	$77Windows Security Health Service.exe
6032	$77Windows Security Health Service.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows Security Health Service\\$77Windows Security Health Service.exe\""	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5652	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
19	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3048	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
5652	powershell.exe
5652	powershell.exe
5652	powershell.exe
4436	$77Windows Security Health Service.exe
4436	$77Windows Security Health Service.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	5700	vssvc.exe
Token: SeRestorePrivilege	5700	vssvc.exe
Token: SeAuditPrivilege	5700	vssvc.exe
Token: SeDebugPrivilege	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
Token: SeDebugPrivilege	4436	$77Windows Security Health Service.exe
Token: SeDebugPrivilege	5652	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	$77Windows Security Health Service.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 3976	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	90
PID 4336 wrote to memory of 3976	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	90
PID 4336 wrote to memory of 4400	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	92
PID 4336 wrote to memory of 4400	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	92
PID 4336 wrote to memory of 1076	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	103
PID 4336 wrote to memory of 1076	4336	094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe	103
PID 1076 wrote to memory of 3048	1076	cmd.exe	106
PID 1076 wrote to memory of 3048	1076	cmd.exe	106
PID 2628 wrote to memory of 4436	2628	cmd.exe	107
PID 2628 wrote to memory of 4436	2628	cmd.exe	107
PID 4436 wrote to memory of 5652	4436	$77Windows Security Health Service.exe	109
PID 4436 wrote to memory of 5652	4436	$77Windows Security Health Service.exe	109
PID 4436 wrote to memory of 2200	4436	$77Windows Security Health Service.exe	110
PID 4436 wrote to memory of 2200	4436	$77Windows Security Health Service.exe	110
PID 1076 wrote to memory of 6032	1076	cmd.exe	113
PID 1076 wrote to memory of 6032	1076	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3976	attrib.exe
4400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
"C:\Users\Admin\AppData\Local\Temp\094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3976
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3048
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
    3⤵
    - Executes dropped EXE
    PID:6032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5652
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "Windows Security Health Service_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2200

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a105cjev.iih.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1C9.tmp.bat

Filesize
238B

MD5
61338bc1856ded15c13a876ed0a859fe

SHA1
7db4e220462b6f072411bb927738373ec06ebde3

SHA256
54d778f44684c583825b352f5d786c02b54ed2a272b805da49d7d062036c7498

SHA512
c171b16deb36bd674d09d42610095a8c6278a138ecdf357dd7d23baa164a423bfadd563de9b66caf0242c41920c5d8eae20464eba612e3af0dc470c98406db5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe

Filesize
240KB

MD5
698082ab63f5a052cbe8988b609b006a

SHA1
c51ad34d4821fdec3281ff874b832fbc8bd1e846

SHA256
094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b

SHA512
ef2e878cb3e62d2bd3969c985294957c6c1728f808c7a058ec18cfcaf8f9e16043960bc7be44477393f82a98af02416e0e038efb6ea6dd4f90334dfb02c70c3e

Download Submit
memory/4336-0-0x00007FFAC8CF3000-0x00007FFAC8CF5000-memory.dmp

Filesize
8KB

Download
memory/4336-1-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/4336-2-0x00007FFAC8CF0000-0x00007FFAC97B1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-3-0x00007FFAC8CF3000-0x00007FFAC8CF5000-memory.dmp

Filesize
8KB

Download
memory/4336-4-0x00007FFAC8CF0000-0x00007FFAC97B1000-memory.dmp

Filesize
10.8MB

Download
memory/4336-10-0x00007FFAC8CF0000-0x00007FFAC97B1000-memory.dmp

Filesize
10.8MB

Download
memory/5652-19-0x000001614BAD0000-0x000001614BAF2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads