Sliver C2 Implant Analysis
In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. I will perform some basic reverse engineering with IDA and finally analyse the Threat Actor infrastructure.
Basic information about the malware
PE32+ executable (GUI) x86–64 (stripped to external PDB), for MS Windows
File size 15.53 MB (16283648 bytes)
- MD5: 54129cad2a0de88cd94440e7663fdffb
- SHA-1: 194c402c0d3bb285cc32eb4a6f23519081c8815e
- SHA-256: 44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4
These strings show some capabilities of the malware such as:
- can create new services
- open existing service
- getting the system information
- getting the root directory path of the current user
- it contains the functions that are used to play with sockets as creating a socket connection, closing a connection, etc.