Sliver C2 Implant Analysis

Michael Koczwara
8 min readJan 12, 2023

Sliver C2 Implant Analysis

C2 server

Intro

In this short blog, I will analyse a sample of Sliver that I was able to identify while scanning my adversaries’ infrastructure. I will start with a static analysis with PEStudio, a dynamic analysis with ProcMon and Wireshark. I will perform some basic reverse engineering with IDA and finally analyse the Threat Actor infrastructure.

Basic information about the malware

File information

PE32+ executable (GUI) x86–64 (stripped to external PDB), for MS Windows

File size 15.53 MB (16283648 bytes)

Hashes/IoC

  • MD5: 54129cad2a0de88cd94440e7663fdffb
  • SHA-1: 194c402c0d3bb285cc32eb4a6f23519081c8815e
  • SHA-256: 44e38bf97ce3f5cc22886a54e1e7144e2c6fbdb9515b9a8f26f025ce3eac56e4
VT Analysis
VT Analysis
VT Analysis

Static Analysis

These strings show some capabilities of the malware such as:

  • can create new services
  • open existing service
  • getting the system information
  • getting the root directory path of the current user
  • it contains the functions that are used to play with sockets as creating a socket connection, closing a connection, etc.

--

--