| File name: | Silver Rat [Re Lab].7z |
| Full analysis: | https://app.any.run/tasks/ed6ae5f2-de9d-48cb-93c5-6ef35ea13f4b |
| Verdict: | Malicious activity |
| Analysis date: | December 02, 2023, 14:59:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | F06813AA321C43A69A04904CFA735A44 |
| SHA1: | 820A0F9F4C00AF6CE2583218019AD14A5C5592E2 |
| SHA256: | A384BAD25740A4B783EAADD6ADE53D96E878E1313C34321DDFB23149FBF6366D |
| SSDEEP: | 98304:y1xQbKAe1zHMB9LWVIj53xwaZtiYeNllW9BpKydwe/TNtc4+odMPWKkGchJ0TNi8:8lDTXY4BXyMM7kNBuybJMj5C |
MALICIOUS
Starts Visual C# compiler
- SilverRat.exe (PID: 2928)
Drops the executable file immediately after the start
- csc.exe (PID: 3996)
SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 564)
Reads Internet Explorer settings
- SilverRat.exe (PID: 2928)
Reads the Internet Settings
- SilverRat.exe (PID: 2928)
Uses .NET C# to load dll
- SilverRat.exe (PID: 2928)
INFO
Manual execution by a user
- SilverRat.exe (PID: 2928)
Reads the machine GUID from the registry
- SilverRat.exe (PID: 2928)
- csc.exe (PID: 3996)
- cvtres.exe (PID: 3436)
Reads the computer name
- SilverRat.exe (PID: 2928)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 564)
Checks supported languages
- SilverRat.exe (PID: 2928)
- csc.exe (PID: 3996)
- cvtres.exe (PID: 3436)
Creates files or folders in the user directory
- SilverRat.exe (PID: 2928)
Reads Environment values
- SilverRat.exe (PID: 2928)
Create files in a temporary directory
- SilverRat.exe (PID: 2928)
- cvtres.exe (PID: 3436)
Checks proxy server information
- SilverRat.exe (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
|---|---|---|
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
44
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 564 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Silver Rat [Re Lab].7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 2928 | "C:\Users\admin\Desktop\Silver Rat [Re Lab]\SilverRat.exe" | C:\Users\admin\Desktop\Silver Rat [Re Lab]\SilverRat.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: SilverRat Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3436 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\admin\AppData\Local\Temp\RES1DF.tmp" "c:\Users\admin\Desktop\Silver Rat [Re Lab]\CSCCEB2AA897274D448758D665695F31A5.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.10.25028.0 built by: VCTOOLSD15RTM Modules
| |||||||||||||||
| 3996 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\nmowda5m.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | — | SilverRat.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
Total events
5 079
Read events
5 029
Write events
47
Delete events
3
Modification events
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (564) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (2928) SilverRat.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
Executable files
16
Suspicious files
24
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\Profiles\Builder.xml | html | |
MD5:3FCD4AC4720FEBAE7ED0B81913DAAF1C | SHA256:B4B7D0F7878A60E5D641443A7D4720E178568E6FEBBB38A243D3B9FB8A30842B | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\Plugins\OptionsForm.dll.config | xml | |
MD5:A78FA19B73BAA4B9BB1D29D22DFBEA83 | SHA256:C53F33A5C3A7DFA005F62BC9D81AE8D6E5EB019463BD2986C32CA00CE9404F1A | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\Bunifu.Licensing.dll | executable | |
MD5:C18A9E44E200C7315A1868CAAB894293 | SHA256:661A5BE944DC9FB2E0EBA01C3C0584FEB3ECCA44877D77F54D0F409CE801AF22 | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\stub.cs | text | |
MD5:255787B7316051D866D8A8A384102C9A | SHA256:1FFEF5D31A2D6DBC01177FCF7835C9D9EEB4334BD39B20EC76EB2BE1BA429F3F | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\Plugins\Chat.dll | binary | |
MD5:736292DD81AD93BFF84C28CE5DE02385 | SHA256:0C83898F29762A4E3650FC5F5A8A3C3114D06DA8F6A3FB2FA8B990A36716D6BD | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\cgeoip.dll | executable | |
MD5:6D6E172E7965D1250A4A6F8A0513AA9F | SHA256:D1DDD15E9C727A5ECF78D3918C17AEE0512F5B181AD44952686BEB89146E6BD0 | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\bunifu.ui.winforms.dll | executable | |
MD5:686833FCCD95B4F5C8D7695A2D45955D | SHA256:578CBCFB7A01234907FB6314918EFD23A502882C79D0EE3C2E7D4AE0CF63EBC2 | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\bunifu.ui.winforms.1.5.3.dll | executable | |
MD5:C1D51A0E747C9D6156410CB3C5B97A60 | SHA256:6937052B86BC251BE510B110E08FC5089D3BD687CE2333A85EA6D5C2C09B437A | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\guna.ui2.dll | executable | |
MD5:ACEC68D05E0B9B6C34A24DA530DC07B2 | SHA256:BF72939922AFA2CD17071F5170B4A82D05BCEB1FC33CE29CDFBC68DBB97F0277 | |||
| 564 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb564.15881\Silver Rat [Re Lab]\Plugins\Camera.dll | binary | |
MD5:E9E0B5FC7B1ED6F01D08D981D1CD761F | SHA256:2C82773466F72756D8152E4D5DC24D2EC954BFE5A6E7CAE587D2E1D316EF43D0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
868 | svchost.exe | 23.35.228.137:80 | — | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
868 | svchost.exe | 23.218.208.137:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |
dns.msftncsi.com |
| shared |
Threats
Process | Message |
|---|---|
SilverRat.exe | Animation started.
|
SilverRat.exe | Animation stopped.
|
SilverRat.exe | Wait timer started.
|
SilverRat.exe | Animation started.
|
SilverRat.exe | Wait timer elapsed.
|
SilverRat.exe | Animation stopped.
|
SilverRat.exe | Animation started.
|
SilverRat.exe | Animation stopped.
|
SilverRat.exe | Wait timer started.
|
SilverRat.exe | Wait timer elapsed.
|