File name: Silver Rat [Re Lab].7z

Full analysis: https://app.any.run/tasks/e7140315-1ca9-47eb-bfc2-931829d46af9
Verdict: Malicious activity
Analysis date: July 28, 2024, 13:45:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: F06813AA321C43A69A04904CFA735A44
SHA1: 820A0F9F4C00AF6CE2583218019AD14A5C5592E2
SHA256: A384BAD25740A4B783EAADD6ADE53D96E878E1313C34321DDFB23149FBF6366D
SSDEEP: 98304:y1xQbKAe1zHMB9LWVIj53xwaZtiYeNllW9BpKydwe/TNtc4+odMPWKkGchJ0TNi8:8lDTXY4BXyMM7kNBuybJMj5C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts Visual C# compiler

      • SilverRat.exe (PID: 5928)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 1272)
      • csc.exe (PID: 5032)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 5312)
    • The process checks if it is being run in the virtual environment

      • SilverRat.exe (PID: 5928)
    • There is functionality for taking screenshot (YARA)

      • SilverRat.exe (PID: 5928)
    • Reads security settings of Internet Explorer

      • SilverRat.exe (PID: 5928)
    • Reads Internet Explorer settings

      • SilverRat.exe (PID: 5928)
    • Creates file in the systems drive root

      • SilverRat.exe (PID: 5928)
    • Uses .NET C# to load dll

      • SilverRat.exe (PID: 5928)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 1272)
      • csc.exe (PID: 5032)
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 4336)
      • slui.exe (PID: 1432)
      • SilverRat.exe (PID: 5928)
    • Checks proxy server information

      • slui.exe (PID: 4336)
      • slui.exe (PID: 1432)
      • SilverRat.exe (PID: 5928)
    • Manual execution by a user

      • WinRAR.exe (PID: 5312)
      • SilverRat.exe (PID: 5928)
    • Creates files or folders in the user directory

      • SilverRat.exe (PID: 5928)
    • Reads the computer name

      • SilverRat.exe (PID: 5928)
    • Reads the machine GUID from the registry

      • SilverRat.exe (PID: 5928)
      • csc.exe (PID: 4688)
      • csc.exe (PID: 5032)
      • csc.exe (PID: 1272)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 5312)
    • Checks supported languages

      • SilverRat.exe (PID: 5928)
      • csc.exe (PID: 1272)
      • cvtres.exe (PID: 5824)
      • csc.exe (PID: 5032)
      • csc.exe (PID: 4688)
      • cvtres.exe (PID: 3664)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5312)
    • Create files in a temporary directory

      • SilverRat.exe (PID: 5928)
      • cvtres.exe (PID: 5824)
      • cvtres.exe (PID: 3664)
    • Disables trace logs

      • SilverRat.exe (PID: 5928)
    • Reads Environment values

      • SilverRat.exe (PID: 5928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 146
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the behavior graph: winrar.exe, slui.exe, slui.exe, winrar.exe, silverrat.exe (THREAT), csc.exe, conhost.exe, cvtres.exe, svchost.exe, csc.exe, conhost.exe, csc.exe, conhost.exe, cvtres.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1272
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ztffdoc0.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: SilverRat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1432
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2284
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3664
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\admin\AppData\Local\Temp\RES90CF.tmp" "c:\Users\admin\Desktop\Silver Rat [Re Lab]\Resources\qPqGwJluCDtbTzB\CSCC922D3A2280448F5882EE480E92FA832.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4012
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4336
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4648
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4688
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\huzf5suq.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: SilverRat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4868
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Silver Rat [Re Lab].7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5032
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\1o2ipz2t.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: SilverRat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 30 643
Read events: 30 381
Write events: 247
Delete events: 15

Modification events

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\Silver Rat [Re Lab].7z

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000

(PID) Process: (4868) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 17
Suspicious files: 27
Text files: 14
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Plugins\OptionsForm.dll.config
Type: xml
MD5: A78FA19B73BAA4B9BB1D29D22DFBEA83
SHA256: C53F33A5C3A7DFA005F62BC9D81AE8D6E5EB019463BD2986C32CA00CE9404F1A

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Profiles\SocketPort.xml
Type: text
MD5: 5F807862258A390B2E2F75ABB6D2C865
SHA256: 7B87C31F6D1163FC236651F5E1F3187CFA0C79D4A85D20C1C05F1DC3056C4823

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\SilverRat.exe.config
Type: xml
MD5: D6F1152D647B57F64494C3E1D32EDE94
SHA256: A47F3F83CDB9816F03632833DC361AC5E7A4C5C923AF1FDEBFA16303F9D68A72

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Profiles\Builder.xml
Type: html
MD5: 3FCD4AC4720FEBAE7ED0B81913DAAF1C
SHA256: B4B7D0F7878A60E5D641443A7D4720E178568E6FEBBB38A243D3B9FB8A30842B

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\bunifu.ui.winforms.dll
Type: executable
MD5: 686833FCCD95B4F5C8D7695A2D45955D
SHA256: 578CBCFB7A01234907FB6314918EFD23A502882C79D0EE3C2E7D4AE0CF63EBC2

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\stub.cs
Type: text
MD5: 255787B7316051D866D8A8A384102C9A
SHA256: 1FFEF5D31A2D6DBC01177FCF7835C9D9EEB4334BD39B20EC76EB2BE1BA429F3F

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Bunifu.Licensing.dll
Type: executable
MD5: C18A9E44E200C7315A1868CAAB894293
SHA256: 661A5BE944DC9FB2E0EBA01C3C0584FEB3ECCA44877D77F54D0F409CE801AF22

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Plugins\HBrowser.dll
Type: binary
MD5: CE1D9F8C498CD8C5EE38FA94DF4B4907
SHA256: 55B5EFE0A09CB5CB79308874E2E5D25C895F995754BBF960CE9A403207CE3ABD

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\bouncycastle.crypto.dll
Type: executable
MD5: F0B3E112CE4807A28E2B5D66A840ED7F
SHA256: 333903C7D22A27098E45FC64B77A264AA220605CFBD3E329C200D7E4B42C881C

PID: 5312
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Silver Rat [Re Lab]\Plugins\Keylogger.dll
Type: prg
MD5: 8E2D761CCEA68168D0B991B475155678
SHA256: C3FD1D11641109C9033FA20AF16C6B737008C137FD8A926BF0B4C6630D8AB9AC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 22
DNS requests: 8
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
POST | 412 | null:443 | https://transfer.sh/ | unknown
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b
POST | 200 | 20.42.73.30:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b
POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3952 | svchost.exe | 239.255.255.250:1900 | whitelisted
131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
2.16.110.121:443 | www.bing.com | Akamai International B.V. | DE | unknown
5900 | slui.exe | 20.83.72.98:443 | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4340 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4128 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2432 | slui.exe | 20.83.72.98:443 | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 2.16.110.121
  • 2.16.110.171
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
self.events.data.microsoft.com
  • 20.42.73.30
whitelisted
transfer.sh
  • 144.76.136.153
whitelisted

Threats

PID | Process | Class | Message
2284 | svchost.exe | Potentially Bad Traffic | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh)
5928 | SilverRat.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI)
5928 | SilverRat.exe | Misc activity | ET INFO Observed File Transfer Service SSL/TLS Certificate (transfer .sh)
Misc activity | ET INFO Generic HTTP EXE Upload Outbound
Process | Message
SilverRat.exe | Animation started.
SilverRat.exe | Animation stopped.
SilverRat.exe | Wait timer started.
SilverRat.exe | Wait timer elapsed.
SilverRat.exe | Animation started.
SilverRat.exe | Animation stopped.
SilverRat.exe | Animation started.
SilverRat.exe | Animation stopped.
SilverRat.exe | Wait timer started.
SilverRat.exe | Wait timer elapsed.