Malicious DLL Analysis

Michael Koczwara
9 min read · Feb 20, 2023

Static/Dynamic Analysis and Reversing

I will be back soon

Intro

Right, so again I will keep this intro very short. I have scanned (again) malicious infrastructure (maybe Threat Actors, maybe Red Teams, or maybe …) and I found (again) an open directory with a bunch of interesting files (malicious DLLs and Sliver implants).

opendir 172.86.122.4
opendir and sliver implants

Malicious IP 172.86.122.4 hosting Sliver implants and DLLs.

Obviously, I dumped all the files into VT (VirusTotal).

VT analysis

After the VT analysis I was able to determine that the C2 server IP is 64.44.102.212 (it resolved to pezimap[.]com; the domain now appears to be inactive).

pezimap.com — we will be back soon
Sliver C2 31337

Malicious DLL Analysis
