sliver | bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e | Triage

Submit
Reports

Overview

overview

Static

static

8

bdaa3237db...3e.xls

windows7-x64

bdaa3237db...3e.xls

windows10-2004-x64

Sharing

General

Target

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
Size

46KB
Sample

241111-1t3daaxfjn
MD5

f0a405d9dfad843cd65fb032fcdc179f
SHA1

2ef5c97897837e42dded3e2770dee4f8545d613d
SHA256

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
SHA512

5a13aa94717114759d3a962c653b1a0edbc8db3c94fa937c470f761bb980f02da51d2995b18e31fe29b45e062ddc753b7a9a80e95a950e3326d543c716459d51
SSDEEP

768:C4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:xSFsv66g3KnF439NKC54kkGfn+cL2Xd+

Score

10^/10

sliver backdoor discovery execution macro macro_on_action trojan

Static task

static1

macro macro_on_action

1 signatures

Behavioral task

behavioral1

Sample

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls

Resource

win7-20241010-en

sliver backdoor discovery execution trojan

windows7-x64

14 signatures

60 seconds

Behavioral task

behavioral2

Sample

bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e.xls

Resource

win10v2004-20241007-en

sliver backdoor execution trojan

windows10-2004-x64

13 signatures

60 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://194.182.164.149:8080/fontawesome.woff

Targets

- Target
  
  bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
- Size
  
  46KB
- MD5
  
  f0a405d9dfad843cd65fb032fcdc179f
- SHA1
  
  2ef5c97897837e42dded3e2770dee4f8545d613d
- SHA256
  
  bdaa3237dbb1a891bd347be0aabc60405ad3e15f0b2aad4a8be00e376cbf653e
- SHA512
  
  5a13aa94717114759d3a962c653b1a0edbc8db3c94fa937c470f761bb980f02da51d2995b18e31fe29b45e062ddc753b7a9a80e95a950e3326d543c716459d51
- SSDEEP
  
  768:C4SFsv66g3KnF439NKC54kkGfn+cL2XdA8YRtukODXwXqt7sNAQYzKEm8ZRu9Uzp:xSFsv66g3KnF439NKC54kkGfn+cL2Xd+
Score

10^/10

sliver backdoor discovery execution trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Sliver RAT v2
- Sliver family
  sliver
- SliverRAT
  SliverRAT is an open source Adversary Emulation Framework.
  trojan backdoor sliver
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

sliverbackdoordiscoveryexecutiontrojan

behavioral2

sliverbackdoorexecutiontrojan

© 2018-2024

Terms | Privacy