sliver | spoolvs[.]exe | Triage

Resubmissions

21/10/2023, 23:57

231021-3zr6lscf7s 10

21/10/2023, 23:43

231021-3qz5vsee29 10

21/10/2023, 23:35

231021-3lhd9acf2w 10

Sharing

General

Target

spoolvs.exe
Size

5.3MB
MD5

c71e70cb49be83f7e9729e8ca7b978f6
SHA1

cf54bdb3f17012ed2b32cc59328956d38d5939f6
SHA256

00662fcd5afb4dcec928b3b59404f17dc73893590c2b5382fc40db494eb76fc9
SHA512

f6290d7d98650d20ab434965baa0e63df5e6db7b9bc7cea7fcc491fc2dc6d941f2fe9cc862c1827f4c070878a3ce4923c14afc9d5dd34f4ae5d65f011c3e077e
SSDEEP

49152:c8oEC5DdueB6EWjVV3I9Lwh7Gn8+xdia57lnSiVTLQqm2+CsRk/6Ajdx:jgDduwkVc8zyiaWi2P2psRkx

Score

10^/10

sliver

Malware Config

Signatures

Sliver RAT 1 IoCs

resource	yara_rule
sample	sliverRAT

Sliver family
sliver

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
spoolvs.exe

Files

spoolvs.exe
.exe windows:4 windows x64

f0070935b15a909b9dc00be7997e6112

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

WriteFile
WriteConsoleW
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
SwitchToThread
SetWaitableTimer
SetUnhandledExceptionFilter
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
LoadLibraryA
LoadLibraryW
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatus
GetProcessAffinityMask
GetProcAddress
GetEnvironmentStringsW
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateThread
CreateIoCompletionPort
CreateEventA
CloseHandle
AddVectoredExceptionHandler

Sections

.text
Size: 2.4MB - Virtual size: 2.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 117KB - Virtual size: 247KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1024B - Virtual size: 914B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.symtab
Size: 512B - Virtual size: 4B

IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ