Windows
Analysis Report
5cPRapVOx6.dll
Overview
General Information
Sample name: | 5cPRapVOx6.dll (renamed because original name is a hash value) |
Original sample name: | c994bb9982dd689598c6c261090a40cb.dll |
Analysis ID: | 1520451 |
MD5: | c994bb9982dd689598c6c261090a40cb |
SHA1: | 484932042beb27bec5ab6d96df21ec1418c428a6 |
SHA256: | fbce9fc010fdfb67da5ff95cc5a5d1dbb0c07950522f130b031e55831f81b060 |
Tags: | dll, user-abuse_ch |
Detection
Sliver
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Sliver Implants
AI detected suspicious sample
Found Tor onion address
Machine Learning detection for sample
Uses known network protocols on non-standard ports
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- loaddll32.exe (PID: 7336 cmdline: loaddll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 7456 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7480 cmdline: rundll32.exe "C:\Users\user\Desktop\5cPRapVOx6.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- regsvr32.exe (PID: 7472 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\5cPRapVOx6.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- rundll32.exe (PID: 7488 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllInstall MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7624 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7664 cmdline: rundll32.exe C:\Users\user\Desktop\5cPRapVOx6.dll,DllUnregisterServer MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Sliver | According to VK9 Security, Sliver is a Command and Control (C2) system made for penetration testers, red teams, and advanced persistent threats. It generates implants (slivers) that can run on virtually every architecture out there, and securely manage these connections through a central server. Sliver supports multiple callback protocols including DNS, TCP, and HTTP(S) to make egress simple, even when those pesky blue teams block your domains. You can even have multiple operators (players) simultaneously commanding your sliver army. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
| INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
JoeSecurity_Sliver | Yara detected Sliver Implants | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
| INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
| Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
| INDICATOR_TOOL_Sliver | Detects Sliver implant cross-platform adversary emulation/red team | ditekSHen | |
| Multi_Trojan_Bishopsliver_42298c4a | unknown | unknown | |
System Summary |
---|
Source: | Author: Dmitriy Lifanov, oscd.community |
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
---|---|---|---|---|---|---|---|---|
2024-09-27T11:20:30.598642+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 203.204.217.190 | 8092 | TCP |
2024-09-27T11:20:30.688055+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 203.204.217.190 | 8092 | TCP |
2024-09-27T11:20:36.250198+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 203.204.217.190 | 8092 | TCP |
2024-09-27T11:22:43.596272+0200 | 2852655 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49772 | 203.204.217.190 | 8092 | TCP |
AV Detection |
---|
Source: | ReversingLabs |
Source: | Integrated Neural Analysis Model |
Source: | Joe Sandbox ML |
Source: | Static PE information |
Networking |
---|
Source: | Suricata IDS |
Source: | Network Connect |
Source: | String found in binary or memory |