Overview

overview

10

Static

static

10

0943803598...5b.exe

windows10-2004-x64

10

0943803598...5b.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    60s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17/04/2025, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe

  • Size

    240KB

  • MD5

    698082ab63f5a052cbe8988b609b006a

  • SHA1

    c51ad34d4821fdec3281ff874b832fbc8bd1e846

  • SHA256

    094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b

  • SHA512

    ef2e878cb3e62d2bd3969c985294957c6c1728f808c7a058ec18cfcaf8f9e16043960bc7be44477393f82a98af02416e0e038efb6ea6dd4f90334dfb02c70c3e

  • SSDEEP

    1536:1NV+sAk3jeD14bEGUx90IoGxziJWEsO+6r2ip:1vx3jeDeEGUx90dms+6X

Score
10/10
silverratdefense_evasionexecutionpersistencetrojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

C2

traffic-equipment.gl.at.ply.gg:37035

Mutex

wnykMJYHba

Attributes
  • certificate

    MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==

  • decrypted_key

    -|S.S.S|-

  • discord

    https://discord.com/api/webhooks/1362208671114723479/LvdkCF57ZASLhyMey8E8SalpGbpRjudiP5GtndFuJHj6Qkuha-CXPrshzVau_JY7H3k6

  • key

    yy6zDjAUmbB09pKvo5Hhug==

  • key_x509

    VFNiTWdsYVhhVVNtVUVHRU1KRndBWUxYWG9scEJZ

  • payload_url

    https://g.top4top.io/p_2522c7w8u1.png

  • reconnect_delay

    4

  • server_signature

    mp9V0JWSKtT8uwTIBNy2FXRQ7hfXsX36XLCnRjK+gohUGYXq/mjIdL74SEit/sc1mm2m4XpITK4PL7PbEIDKX9MbrNT2N7n2RONx9zrBInUpkHxU/yV7xURUsSDU+qtK9HqeErndjZjTZXo0xItKkT7bX9MPd139qW/KU1C4meq/BjeSipehQYKB2f8t6r3n6Oe/fXjRAUNJvmG790Mbrh/LgduunxchcddCk7bDqoEprodwfPEAwO3PhwMdKr/efupYlBqVIx1zuoV62BTU5nO9eHknCGHtemZ4BtrcscoMWzchgPnvcbYojRXoFMdDHYOtqb6O3i+r34KboL4CSctRlCCfCs7w4VjsSJEZrNwgSStDCcyyOSXFOTZNfN9mAemip/v45EeqTvNXAMv1J4bqVw2sNE56oWuhVnrS6Vaz1uGf7oQPCrwxsg3YoGQ86uD5iEkYkpvuRuVQs2pRm1s79UDg23hXtkFdubl4BHxjlnM4BfA3n2nzekDl+jjrOsOyRh9B7TJWMGwc1FFy82w8IBowfTmMDQjnfdYH0k6/xFg8iocrze0lpJvNMj/VPOFf+vzM1gcRIJio0PMIEOrbxTAJ1G6N/QQEyaXu2vPdvaaoTQtQYOfWp/3qWZYhStIXnuP1ELQcNNW0mKRz0N9GwzfF/RCz1PFc2i17ejs=

Signatures

  • SilverRat

    SilverRat is trojan written in C#.

    trojansilverrat
  • Silverrat family
    silverrat
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    defense_evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe
    "C:\Users\Admin\AppData\Local\Temp\094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3160
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3176
    • C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:3680
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B53.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3892
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
        3⤵
          PID:5412
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2300
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe"
        2⤵
        • Executes dropped EXE
        PID:4968
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4012
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "Windows Security Health Service_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4120

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yw1j3tci.ndy.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1B53.tmp.bat
      Filesize

      238B

      MD5

      8b66b7f8033de658b44cff19e1933714

      SHA1

      f776bff7e5818cf1c9e58e1db4b4d01eba21a19d

      SHA256

      7c276cb20dd6fc477b64750bbf8141c7cba4b19c6de16f271843a479f85fb0e4

      SHA512

      5d9513107fd947f6ae07f89091b51ced4551eafc33866801fe51f93d5be8304c2c39208c7bebecdfbc92d776d7c5c1f49c4c31df40d64a400b911c4680c283c0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows Security Health Service\$77Windows Security Health Service.exe
      Filesize

      240KB

      MD5

      698082ab63f5a052cbe8988b609b006a

      SHA1

      c51ad34d4821fdec3281ff874b832fbc8bd1e846

      SHA256

      094380359816b954216cfd1c75e9be403a9a1ae88deff5886cb6366f255fab5b

      SHA512

      ef2e878cb3e62d2bd3969c985294957c6c1728f808c7a058ec18cfcaf8f9e16043960bc7be44477393f82a98af02416e0e038efb6ea6dd4f90334dfb02c70c3e

      Download Submit

    • memory/3160-0-0x00007FFC46FD3000-0x00007FFC46FD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3160-1-0x00000000006B0000-0x00000000006F0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3160-2-0x00007FFC46FD0000-0x00007FFC47A92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3160-3-0x00007FFC46FD3000-0x00007FFC46FD5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3160-4-0x00007FFC46FD0000-0x00007FFC47A92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3160-10-0x00007FFC46FD0000-0x00007FFC47A92000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4012-22-0x0000021240160000-0x0000021240182000-memory.dmp

      Filesize

      136KB

      Download