Sliver C2 Implant Analysis

Michael Koczwara
8 min readJan 12, 2023

Sliver C2 Implant Analysis

C2 server


In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. I will perform some basic reverse engineering with IDA and finally analyse the Threat Actor infrastructure.

Basic information about the malware

File information

PE32+ executable (GUI) x86–64 (stripped to external PDB), for MS Windows

File size 15.53 MB (16283648 bytes)


  • MD5: 54129cad2a0de88cd94440e7663fdffb
  • SHA-1: 194c402c0d3bb285cc32eb4a6f23519081c8815e
  • SHA-256: 44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4
VT Analysis