sliver | 5c3be59f85aa33ee9702c04132f7ec86317fdfecac4ca9d5f3f41d265037e164[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

5c3be59f85aa33ee9702c04132f7ec86317fdfecac4ca9d5f3f41d265037e164.zip
Size

13.2MB
MD5

41cc27972b67ab9014eb00dae9262a24
SHA1

b07dc3f99baa10dda627b7f4881180755b9d392c
SHA256

5c3be59f85aa33ee9702c04132f7ec86317fdfecac4ca9d5f3f41d265037e164
SHA512

4b0798765cef39e5edecb03fb966cbf2f2312a3577473e9421bac99b2a48369ce0ee64995bcaafb34e0124c2aad20b1c5e794e13c2023c4ea77da49d0c5edd2c
SSDEEP

393216:6rhce1tfusgHkn+ztHSv9PnF/3lO3Nsuaxer8TDW:6dcejfSHU4BkP509suDkW

Score

10^/10

sliver

Malware Config

Signatures

Sliver RAT v2 1 IoCs

Processes:

resource	yara_rule
static1/unpack001/DLL Payloads/test_shell.dll	SliverRAT_v2

Sliver family
sliver

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/DLL Payloads/AppDomainManager-Message-Box.dll
unpack001/DLL Payloads/AppDomainManager_Covenant_Test.dll
unpack001/DLL Payloads/AppDomainManager_Sliver_Test.dll
unpack001/DLL Payloads/DLL-Sideload-BinaryInjector.dll
unpack001/DLL Payloads/DLL-Sideload-Message-Box.dll
unpack001/DLL Payloads/DLL-Sideload-Sliver-HTA.dll
unpack001/DLL Payloads/UevAppMonitor.exe
unpack001/DLL Payloads/test_shell.dll

Files

5c3be59f85aa33ee9702c04132f7ec86317fdfecac4ca9d5f3f41d265037e164.zip
.zip
DLL Payloads/AppDomainManager-Message-Box.dll
.dll windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
DLL Payloads/AppDomainManager_Covenant_Test.dll
.dll windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 114KB - Virtual size: 114KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
DLL Payloads/AppDomainManager_Sliver_Test.dll
.dll windows:4 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
DLL Payloads/DLL-Sideload-BinaryInjector.dll
.dll windows:6 windows x64 arch:x64

6afceaac0fd2bbba073037c06f878e77

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\User\source\repos\libcurl4\x64\Debug\libcurl4\libcurl4.pdb

Imports

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
CreateThread

api-ms-win-core-memory-l1-1-3

VirtualAllocFromApp

vcruntime140d_app

__vcrt_GetModuleHandleW
__vcrt_LoadLibraryExW
__vcrt_GetModuleFileNameW
__C_specific_handler_noexcept
__std_type_info_destroy_list
__C_specific_handler
memcpy

ucrtbased

_wsplitpath_s
_seh_filter_dll
_wmakepath_s
_initterm_e
_initterm
__stdio_common_vsprintf_s
_configure_narrow_argv
_CrtDbgReportW
_CrtDbgReport
ftell
fseek
strcpy_s
fopen
malloc
_cexit
_crt_at_quick_exit
_crt_atexit
wcscpy_s
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
strcat_s

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-winrt-l1-1-0

RoInitialize

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-memory-l1-1-0

VirtualQuery

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape

Sections

.textbss
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 373B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 601B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/DLL-Sideload-Message-Box.dll
.dll windows:6 windows x64 arch:x64

08c9137f495c7aa3551c2c8701537da7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\User\source\repos\libcurl4\x64\Debug\libcurl4\libcurl4.pdb

Imports

vcruntime140d_app

__C_specific_handler
__std_type_info_destroy_list
__C_specific_handler_noexcept
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_LoadLibraryExW
memcpy

ucrtbased

strcpy_s
strcat_s
__stdio_common_vsprintf_s
_crt_at_quick_exit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_wmakepath_s
_wsplitpath_s
_CrtDbgReport
_configure_narrow_argv
_cexit
_seh_filter_dll
_initterm_e
wcscpy_s
_initterm
_CrtDbgReportW
system

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-winrt-l1-1-0

RoInitialize

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-memory-l1-1-0

VirtualQuery

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape

Sections

.textbss
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 512B - Virtual size: 452B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 373B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 601B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/DLL-Sideload-Sliver-HTA.dll
.dll windows:6 windows x64 arch:x64

08c9137f495c7aa3551c2c8701537da7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_APPCONTAINER

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Users\User\source\repos\libcurl4\x64\Debug\libcurl4\libcurl4.pdb

Imports

vcruntime140d_app

__C_specific_handler
__std_type_info_destroy_list
__C_specific_handler_noexcept
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_LoadLibraryExW
memcpy

ucrtbased

strcpy_s
strcat_s
__stdio_common_vsprintf_s
_crt_at_quick_exit
_crt_atexit
_execute_onexit_table
_register_onexit_function
_initialize_onexit_table
_initialize_narrow_environment
_wmakepath_s
_wsplitpath_s
_CrtDbgReport
_configure_narrow_argv
_cexit
_seh_filter_dll
_initterm_e
wcscpy_s
_initterm
_CrtDbgReportW
system

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-winrt-l1-1-0

RoInitialize

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-errorhandling-l1-1-0

RaiseException
GetLastError

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-memory-l1-1-0

VirtualQuery

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
FreeLibrary

Exports

Exports

curl_easy_cleanup
curl_easy_duphandle
curl_easy_escape
curl_easy_getinfo
curl_easy_init
curl_easy_pause
curl_easy_perform
curl_easy_recv
curl_easy_reset
curl_easy_send
curl_easy_setopt
curl_easy_strerror
curl_easy_unescape

Sections

.textbss
Size: - Virtual size: 64KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.msvcjmc
Size: 512B - Virtual size: 452B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.00cfg
Size: 512B - Virtual size: 373B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 601B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/GUP.exe
.exe windows:6 windows x64 arch:x64

0b43764663ba024c8202f35227fe0bff

Code Sign

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

29-04-2021 00:00

Not After

28-04-2036 23:59

Subject

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

03:aa:64:92:de:9d:96:a9:0a:4b:ca:97:be:ad:b4:4a
Certificate

Issuer

CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1,O=DigiCert\, Inc.,C=US

Not Before

13-05-2022 00:00

Not After

14-05-2025 23:59

Subject

CN=Notepad\+\+,O=Notepad\+\+,L=Saint Cloud,ST=Ile-de-France,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

Issuer

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Not Before

14-07-2023 00:00

Not After

13-10-2034 23:59

Subject

CN=DigiCert Timestamp 2023,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

Issuer

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

23-03-2022 00:00

Not After

22-03-2037 23:59

Subject

CN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

01-08-2022 00:00

Not After

09-11-2031 23:59

Subject

CN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

db:ec:50:91:fd:e6:20:f5:84:bd:3b:bd:0f:ea:82:11:28:ce:a1:d1:ee:46:95:84:e1:00:a7:e1:11:4b:4a:f9
Signer

Actual PE Digest

db:ec:50:91:fd:e6:20:f5:84:bd:3b:bd:0f:ea:82:11:28:ce:a1:d1:ee:46:95:84:e1:00:a7:e1:11:4b:4a:f9

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

libcurl

curl_easy_setopt
curl_easy_cleanup
curl_easy_init
curl_easy_perform

comctl32

InitCommonControlsEx

shlwapi

PathFileExistsA
PathFindExtensionW
PathIsDirectoryW
PathFileExistsW
PathFindFileNameW
PathRemoveFileSpecW

kernel32

CreateFileW
HeapSize
SetEndOfFile
HeapReAlloc
SetStdHandle
GetProcessHeap
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
CreateDirectoryW
lstrlenW
GetCurrentThreadId
Sleep
OutputDebugStringW
DeleteFileW
CreateThread
lstrcpyW
lstrcmpW
MulDiv
MoveFileW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
ReleaseSemaphore
InitializeCriticalSection
WriteConsoleW
CreateEventW
GetLastError
SetEvent
CloseHandle
ResetEvent
CreateSemaphoreW
GetCommandLineW
GetCommandLineA
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetTimeZoneInformation
EnumSystemLocalesW
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetConsoleOutputCP
WaitForSingleObject
FlushFileBuffers
GetFileSizeEx
HeapAlloc
HeapFree
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
InitializeSListHead
MultiByteToWideChar
WideCharToMultiByte
WakeConditionVariable
TryAcquireSRWLockExclusive
WaitForSingleObjectEx
GetExitCodeThread
RtlUnwind
InitializeCriticalSectionEx
EncodePointer
DecodePointer
GetLocaleInfoEx
LCMapStringEx
GetProcAddress
GetStringTypeW
CompareStringEx
GetCPInfo
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ReadFile
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
ExitProcess
GetModuleFileNameW
GetStdHandle
WriteFile
SetFilePointerEx
GetConsoleMode
ReadConsoleW
GetFileType

user32

CallNextHookEx
EndDialog
SetWindowTextW
SetDlgItemTextW
CreateWindowExW
MessageBoxA
UnhookWindowsHookEx
SetWindowsHookExW
GetDlgItemInt
SystemParametersInfoW
SetDlgItemInt
DialogBoxParamW
LoadImageW
ReleaseDC
MessageBoxW
SendMessageW
SetWindowPos
GetDC
GetWindowRect
FindWindowExW
GetDlgItemTextW

gdi32

GetDeviceCaps

shell32

SHGetFolderPathW
ShellExecuteW
SHFileOperationW

Sections

.text
Size: 594KB - Virtual size: 593KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 134KB - Virtual size: 134KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/UevAppMonitor.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

UevAppMonitor.pdb

Imports

mscoree

_CorExeMain

Sections

.text
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/UevAppMonitor.exe.config
DLL Payloads/covenant-test.bin
DLL Payloads/sliver-test.bin
DLL Payloads/test_shell.dll
.dll regsvr32 windows:6 windows x64 arch:x64

7ecc3b9e18c31c23f5275a91f6c533d1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileA
CreateIoCompletionPort
CreateThread
CreateWaitableTimerExW
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
ExitProcess
FreeEnvironmentStringsW
GetConsoleMode
GetEnvironmentStringsW
GetLastError
GetProcAddress
GetProcessAffinityMask
GetQueuedCompletionStatusEx
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetThreadContext
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MultiByteToWideChar
PostQueuedCompletionStatus
ResumeThread
SetConsoleCtrlHandler
SetErrorMode
SetEvent
SetProcessPriorityBoost
SetThreadContext
SetUnhandledExceptionFilter
SetWaitableTimer
Sleep
SuspendThread
SwitchToThread
TlsAlloc
TlsGetValue
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteConsoleW
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_beginthread
_errno
_initterm
_lock
_unlock
abort
calloc
fputc
free
fwrite
localeconv
malloc
memcpy
memset
realloc
strerror
strlen
strncmp
vfprintf
wcslen

Exports

Exports

DllInstall
DllRegisterServer
DllUnregisterServer
StartW
VoidFunc
_cgo_dummy_export

Sections

.text
Size: 5.0MB - Virtual size: 5.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 304KB - Virtual size: 303KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 5.1MB - Virtual size: 5.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 419KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 512B - Virtual size: 199B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
DLL Payloads/vcruntime140d_app.dll
.dll windows:6 windows x64 arch:x64

1609bcdc73a457adf6343faf5db7ffa0

Code Sign

33:00:00:00:e7:1a:a6:e3:0b:5e:b4:0a:54:00:00:00:00:00:e7
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-02-2023 22:33

Not After

31-01-2024 22:33

Subject

CN=Microsoft Windows Software Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:14:9d:fb:c3:1f:1f:63:c3:10:00:00:00:00:00:14
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01-05-2013 20:44

Not After

01-05-2028 20:54

Subject

CN=Microsoft Windows Third Party Component CA 2013,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:03:3e:63:3a:86:bf:41:73:d7:e0:00:00:00:00:03:3e
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16-02-2023 20:10

Not After

31-01-2024 20:10

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

98:ce:c9:06:2c:f0:15:88:91:2d:6b:38:2a:3e:f4:ba:9d:c4:29:a4:a9:43:22:0e:a3:82:f6:ae:f4:11:cf:2f
Signer

Actual PE Digest

98:ce:c9:06:2c:f0:15:88:91:2d:6b:38:2a:3e:f4:ba:9d:c4:29:a4:a9:43:22:0e:a3:82:f6:ae:f4:11:cf:2f

Digest Algorithm

sha256

PE Digest Matches

true

98:ce:c9:06:2c:f0:15:88:91:2d:6b:38:2a:3e:f4:ba:9d:c4:29:a4:a9:43:22:0e:a3:82:f6:ae:f4:11:cf:2f
Signer

Actual PE Digest

98:ce:c9:06:2c:f0:15:88:91:2d:6b:38:2a:3e:f4:ba:9d:c4:29:a4:a9:43:22:0e:a3:82:f6:ae:f4:11:cf:2f

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140d.amd64.pdb

Imports

ucrtbased

_malloc_dbg
strncmp
atol
_CrtDbgReport
__stdio_common_vsprintf_s
__stdio_common_vsprintf
_invalid_parameter
wcsncmp
_calloc_dbg
abort
_free_dbg
strlen
strcpy_s
malloc
free
_CrtDbgReportW
strcmp
terminate

kernel32

DeleteCriticalSection
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
RtlLookupFunctionEntry
RtlUnwindEx
GetModuleHandleW
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary
RtlUnwind
EncodePointer
RaiseException
RtlPcToFileHeader
InterlockedPushEntrySList
InterlockedFlushSList
EnterCriticalSection
LeaveCriticalSection
TlsSetValue
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsFree

Exports

Exports

_CreateFrameInfo
_CxxThrowException
_FindAndUnlinkFrame
_IsExceptionObjectToBeDestroyed
_SetWinRTOutOfMemoryExceptionCallback
__AdjustPointer
__BuildCatchObject
__BuildCatchObjectHelper
__C_specific_handler
__C_specific_handler_noexcept
__CxxDetectRethrow
__CxxExceptionFilter
__CxxFrameHandler
__CxxFrameHandler2
__CxxFrameHandler3
__CxxQueryExceptionSize
__CxxRegisterExceptionObject
__CxxUnregisterExceptionObject
__DestructExceptionObject
__FrameUnwindFilter
__GetPlatformExceptionInfo
__NLG_Dispatch2
__NLG_Return2
__RTCastToVoid
__RTDynamicCast
__RTtypeid
__TypeMatch
__current_exception
__current_exception_context
__intrinsic_setjmp
__intrinsic_setjmpex
__processing_throw
__report_gsfailure
__std_exception_copy
__std_exception_destroy
__std_terminate
__std_type_info_compare
__std_type_info_destroy_list
__std_type_info_hash
__std_type_info_name
__telemetry_main_invoke_trigger
__telemetry_main_return_trigger
__unDName
__unDNameEx
__uncaught_exception
__uncaught_exceptions
__vcrt_GetModuleFileNameW
__vcrt_GetModuleHandleW
__vcrt_InitializeCriticalSectionEx
__vcrt_LoadLibraryExW
_get_purecall_handler
_get_unexpected
_is_exception_typeof
_local_unwind
_purecall
_set_purecall_handler
_set_se_translator
longjmp
memchr
memcmp
memcpy
memmove
memset
set_unexpected
strchr
strrchr
strstr
unexpected
wcschr
wcsrchr
wcsstr

Sections

.text
Size: 126KB - Virtual size: 125KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 976B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 756B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 1KB - Virtual size: 1KB

.rsrc Size: 1024B - Virtual size: 664B

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 114KB - Virtual size: 114KB

.rsrc Size: 1024B - Virtual size: 664B

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 4KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 664B

6afceaac0fd2bbba073037c06f878e77

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-handle-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-memory-l1-1-3

vcruntime140d_app

ucrtbased

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

Exports

Exports

Sections

.textbss Size: - Virtual size: 64KB

.text Size: 29KB - Virtual size: 29KB

.rdata Size: 11KB - Virtual size: 11KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 8KB - Virtual size: 8KB

.idata Size: 6KB - Virtual size: 5KB

.msvcjmc Size: 512B - Virtual size: 454B

.00cfg Size: 512B - Virtual size: 373B

.reloc Size: 1024B - Virtual size: 601B

08c9137f495c7aa3551c2c8701537da7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

vcruntime140d_app

ucrtbased

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

Exports

Exports

Sections

.textbss Size: - Virtual size: 64KB

.text Size: 29KB - Virtual size: 28KB

.text
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 664B

.text
Size: 114KB - Virtual size: 114KB

.rsrc
Size: 1024B - Virtual size: 664B

.text
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 664B

.textbss
Size: - Virtual size: 64KB

.text
Size: 29KB - Virtual size: 29KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 8KB

.idata
Size: 6KB - Virtual size: 5KB

.msvcjmc
Size: 512B - Virtual size: 454B

.00cfg
Size: 512B - Virtual size: 373B

.reloc
Size: 1024B - Virtual size: 601B

.textbss
Size: - Virtual size: 64KB

.text
Size: 29KB - Virtual size: 28KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 8KB

.idata
Size: 5KB - Virtual size: 4KB

.msvcjmc
Size: 512B - Virtual size: 452B

.00cfg
Size: 512B - Virtual size: 373B

.reloc
Size: 1024B - Virtual size: 601B

.textbss
Size: - Virtual size: 64KB

.text
Size: 29KB - Virtual size: 28KB

.rdata
Size: 11KB - Virtual size: 11KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 8KB - Virtual size: 8KB

.idata
Size: 5KB - Virtual size: 4KB

.msvcjmc
Size: 512B - Virtual size: 452B

.00cfg
Size: 512B - Virtual size: 373B

.reloc
Size: 1024B - Virtual size: 601B

08:ad:40:b2:60:d2:9c:4c:9f:5e:cd:a9:bd:93:ae:d9
Certificate

03:aa:64:92:de:9d:96:a9:0a:4b:ca:97:be:ad:b4:4a
Certificate

05:44:af:f3:94:9d:08:39:a6:bf:db:3f:5f:e5:61:16
Certificate

07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5b
Certificate

0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5a
Certificate

db:ec:50:91:fd:e6:20:f5:84:bd:3b:bd:0f:ea:82:11:28:ce:a1:d1:ee:46:95:84:e1:00:a7:e1:11:4b:4a:f9
Signer