Edit tour
Windows
Analysis Report
FQElDjFG5t.exe
Overview
General Information
Detection
Sliver
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Sliver Implants
Potentially malicious time measurement code found
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Classification
- System is w10x64
- FQElDjFG5t.exe (PID: 616 cmdline:
C:\Users\u ser\Deskto p\FQElDjFG 5t.exe MD5: 6B44D99B258C275EE7FCF230DA177F3E)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sliver | According to VK9 Seecurity, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army. | No Attribution |
⊘No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
| |
INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
| |
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
| |
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
| |
INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen |
| |
Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown |
| |
INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen |
|
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | Static PE information: |
Source: | Code function: | 0_2_00237120 | |
Source: | Code function: | 0_2_00237EC0 |
Source: | TCP traffic: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Binary or memory string: | memstr_4b7d096d-5 |
System Summary |
---|