hxxps://mega[.]nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB

Score

9^/10

agilenet evasion persistence themida

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SilverRAT.exeSilverRAT.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SilverRAT.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SilverRAT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SilverRAT.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SilverRAT.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SilverRAT.exeSilverRAT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SilverRAT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SilverRAT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SilverRAT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SilverRAT.exe

Loads dropped DLL 2 IoCs

Processes:

SilverRAT.exeSilverRAT.exe

pid process

5532 SilverRAT.exe
5936 SilverRAT.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

C:\Users\Admin\Downloads\Silver Rat [Re Lab]-.zip agile_net

pid	process
5532	SilverRAT.exe
5936	SilverRAT.exe

resource	yara_rule
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-.zip	agile_net

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c6c6a3e9-c361-49e8-8bfb-89d8d97e2f31\AgileDotNetRT64.dll	themida
behavioral1/memory/5532-240-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida
behavioral1/memory/5532-242-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida
behavioral1/memory/5532-254-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida
behavioral1/memory/5936-259-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida
behavioral1/memory/5936-260-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida
behavioral1/memory/5936-264-0x00007FFD86070000-0x00007FFD86822000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SilverRAT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefnotaRAT = "C:\\Users\\Admin\\AppData\\Roaming\\DefnotaRAT.exe"	SilverRAT.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

160 ip-api.com

flow	ioc
160	ip-api.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeSilverRAT.exe

pid process

4552 msedge.exe
4552 msedge.exe
1652 msedge.exe
1652 msedge.exe
4968 identity_helper.exe
4968 identity_helper.exe
5648 msedge.exe
5648 msedge.exe
5532 SilverRAT.exe
5532 SilverRAT.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1652 msedge.exe
1652 msedge.exe
1652 msedge.exe
1652 msedge.exe
1652 msedge.exe
1652 msedge.exe
1652 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SilverRAT.exeSilverRAT.exe

description pid process

Token: SeDebugPrivilege 5532 SilverRAT.exe
Token: SeDebugPrivilege 5532 SilverRAT.exe
Token: SeDebugPrivilege 5936 SilverRAT.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	msedge.exe

pid	process
4552	msedge.exe
4552	msedge.exe
1652	msedge.exe
1652	msedge.exe
4968	identity_helper.exe
4968	identity_helper.exe
5648	msedge.exe
5648	msedge.exe
5532	SilverRAT.exe
5532	SilverRAT.exe

description	pid	process
Token: SeDebugPrivilege	5532	SilverRAT.exe
Token: SeDebugPrivilege	5532	SilverRAT.exe
Token: SeDebugPrivilege	5936	SilverRAT.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

msedge.exe

pid	process
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe
1652	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SilverRAT.exe

pid process

5532 SilverRAT.exe

pid	process
5532	SilverRAT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1652 wrote to memory of 4400	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4400	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4712	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4552	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 4552	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe
PID 1652 wrote to memory of 3440	1652	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/5fNUhBgA#YJaxqOWN9H2LgK7Af3Hnbw/folder/gOk1jCBB
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdabb846f8,0x7ffdabb84708,0x7ffdabb84718
2⤵
PID:4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
2⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
2⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4744 /prefetch:8
2⤵
PID:1456

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
2⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
2⤵
PID:5352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17242251515245873417,15290165675592500277,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x4f0
1⤵
PID:1816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5932

C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe
"C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe
"C:\Users\Admin\Downloads\Silver Rat [Re Lab]-\Silver Rat [Re Lab]-\Silver Rat [Re Lab]\SilverRAT.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5936

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
477462b6ad8eaaf8d38f5e3a4daf17b0

SHA1
86174e670c44767c08a39cc2a53c09c318326201

SHA256
e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d

SHA512
a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b704c9ca0493bd4548ac9c69dc4a4f27

SHA1
a3e5e54e630dabe55ca18a798d9f5681e0620ba7

SHA256
2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411

SHA512
69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
9e422cfa5ca72c6ffee4d47a3f78ca9f

SHA1
a5c4c501417389294cf1136aaa1ba18fd5fa92f4

SHA256
ac1aedec672acdcf2993633774498155918afbe74795f119603b10b25a5018a4

SHA512
a03323dcaa5734311c959c0ec7dd1e4a3e7adec8a9609fc7e6691a3bef4b1c0179d526d011f43fd385221695862104f2e5e54ca0a8a0fab1213f7084a54410e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e9f88688ec349728daef50e2b086ce9f

SHA1
5ec55ddd8fe7fed1e57c2af435e1895fedc16f68

SHA256
f408bf9f99f47a2b232a688457b98ca946c37e27f0e320f148f0a7c79a24bb2b

SHA512
484c18a9ca79767dbdc4021f19c4f821c3495238c573804c1257758e8bc24c280a6ffd2cd83d6344c6fb79f3c2f20c5bd7ee4a99881c98e7212adde0d6194b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
87361664c1d915d817e954c8ac5caf18

SHA1
49ed31ec777005b1ecc30bc17c1fe2123c64d9dd

SHA256
380c7303966c4afffeb58b41368afb6f8ed907b86efeb387b900055b1b2c887b

SHA512
e614cbd8506fecf360f96f59dc835e44df09fde43ac62e396ea3c80ed37f74795370b68c07b9e10cf08fef84187746700296783d981ca95176984ff58a8c75a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f34a8176a4a3cf2020182fe45ce821f8

SHA1
8be27a760c8c1baf9a63d2b3a208393f42248a32

SHA256
bd00d6b411e44be255b505c55353c3762093746f232c51224763859d5a5dcca7

SHA512
b0b0a25c40ac17626b6886b2a1380f6660922c782cca4dbd6e6001d4279ada156e99bc62aa1d427e8a7fd24759f6945a4f4c15ad85d4f6274b57a5009b12360c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
6435b75083d49f9f7f31d49186e9a251

SHA1
c753efbb6150e53c3725cea75ce483423e78e3a8

SHA256
9117e7cb052e8df9bd5c3e160408d910c9e6d863c0be7af0ee9eb47b30d009dc

SHA512
b5d3ee8cb31f059cba35d160f252f289a0e5a331943766f0b22e91285908b5303b208533336ce5729befa1635a7f4713d6a065888c8c759a236a48559c5a8205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57952b.TMP
Filesize
48B

MD5
6b29c52f7bf332183c0d71faa8257b57

SHA1
396ee771e130e15578bee9093238b2be7c967a50

SHA256
f0c0cf14c447e42232494b321426a9a957e36af7a9a923fa638966281b36e630

SHA512
26fe909940b5ff4b1f6472341787be51afc48d8826b5aa8f0eacdecd88013a07896d45f3f991f30f7300cc06ae83a7c77be436cbafb7efe0d56a70fe3260a66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3c260a241b63f8f3779bc7aa8c4b4e29

SHA1
2bb7aa35cdb23761ac4cb80f9a5b4f06c791e47c

SHA256
f560ebf3e4b364f0579b258aacbb383dcdae5c6ab8546d59c6a741e18c25d85e

SHA512
fbce2af31ea24b1765439aeeb4895a92088ac2abdd0b6accdae1bb683b0f79bd54a38f3bd5f11992f21ebeb265e8fd62540a7ea327e7399b487eb18b049a2755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
edeff0ea818d751a605756ca618527a5

SHA1
8735c1b711569a67c7682115db3c4195399a8993

SHA256
b2a5a40f1523542ba27957ca23b050508e225190e7d361e91a5278ca963b91e6

SHA512
8a774b46876eff38fa187a5b943686ac0c5c69468c6a4c6a8909cf6f844eebd3db80292ee56b87a2e364a23140fa53800bddf4d48558c624ade1cbd2cbf01dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6c6a3e9-c361-49e8-8bfb-89d8d97e2f31\AgileDotNetRT64.dll
Filesize
2.9MB

MD5
9bb6ed08af544d3738e60200d2804180

SHA1
5a40b484ca56b1ce59add4ec283e21d60070be02

SHA256
86d49f3894cc3de038abcde03803de8b6f239c237f34930ce5c41ab725c26cb7

SHA512
63e6b90457c3e3e6e419e30fe57e35c66e08059611fbe4ffb60d28acd6ee8d9f0ccfa31d7b27e9af44ab13512490f3b7b7f5130df947c5de50a937dcee0a91a5

Download Submit
C:\Users\Admin\Downloads\Silver Rat [Re Lab]-.zip
Filesize
16.7MB

MD5
790edc2abea74d4643863c2649be613b

SHA1
6c3d2abda3d903632de8fea72119115a1e3b58bb

SHA256
a136241887ee84bdc283c3235d375109c3b215d0d2315921d8f101d671077928

SHA512
d66066430e9b46faaa76be19794df4c5022f2d694b42b127b531ff4537652afa9f5a6b925c6ab8b1bed80c178c526a2227c4ac74c0dead3fd62fd23d851a831a

Download Submit
\??\pipe\LOCAL\crashpad_1652_UXWFYXEOEJZKIMQT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5532-232-0x0000000000D70000-0x00000000012AC000-memory.dmp

Filesize
5.2MB

Download
memory/5532-240-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download
memory/5532-242-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download
memory/5532-243-0x00007FFD97EA0000-0x00007FFD97FEE000-memory.dmp

Filesize
1.3MB

Download
memory/5532-254-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download
memory/5936-259-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download
memory/5936-260-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download
memory/5936-261-0x00007FFD97EA0000-0x00007FFD97FEE000-memory.dmp

Filesize
1.3MB

Download
memory/5936-264-0x00007FFD86070000-0x00007FFD86822000-memory.dmp

Filesize
7.7MB

Download