File name: Sliver V4.2.2 latest_fix.zip

Full analysis: https://app.any.run/tasks/793fad7b-2696-49a2-b430-1cc12ed47eff
Verdict: Malicious activity
Analysis date: July 12, 2020, 15:56:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 1C53DA1C484A946145743A49D9E6A3FF
SHA1: 1DBFBAED2048FE2E03237851A96E99C78E96A131
SHA256: 45C1089EB56FBCFFC97F4B0CC48E0BB5BFF7DED39722D4246211A6B200B289C2
SSDEEP: 393216:pyHOwaNLsA3uK9Fsw8bK5O2i0dDB0p4hxjX/IK8pbVsyyXH:IOTFsOFsw8bsO50dqwAvbhAH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Sliver v4.2.4.exe (PID: 3940)
      • Sliver v4.2.4.exe (PID: 2928)
      • Sliver v4.2.4.exe (PID: 2108)
    • Loads dropped or rewritten executable
      • Sliver v4.2.4.exe (PID: 2928)
      • Sliver v4.2.4.exe (PID: 3940)
      • SearchProtocolHost.exe (PID: 3528)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Sliver v4.2.4.exe (PID: 3940)
      • WinRAR.exe (PID: 1820)
  • INFO
    • Manual execution by user
      • Sliver v4.2.4.exe (PID: 2928)
      • Sliver v4.2.4.exe (PID: 3940)
      • Sliver v4.2.4.exe (PID: 2108)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 1820)
How to read these hits: the "dropped" executables are the archive members WinRAR extracted to the desktop and the user then started by hand, so the MALICIOUS entries describe the delivery path of this sample, not process injection. SearchProtocolHost.exe (PID 3528) runs as SYSTEM under SearchIndexer.exe with the Windows Search command line shown under Process information, so its "loads dropped executable" hit is the indexer opening the freshly extracted file, not the sample executing inside a system process. Two of the three Sliver v4.2.4.exe runs exited with code 1 and the session produced no DNS, TCP/UDP or HTTP traffic, so this report yields file hashes but no network IOCs.
Signature artifacts and their mapping to the MITRE ATT&CK matrix are listed in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP, first entry):
  ZipFileName: Sliver V4.2.2 latest_fix/
  ZipUncompressedSize: -
  ZipCompressedSize: -
  ZipCRC: 0x00000000
  ZipModifyDate: 2020:06:29 17:57:17
  ZipCompression: None
  ZipBitFlag: -
  ZipRequiredVersion: 788
These EXIF values describe the archive's first entry, which is the top-level directory (trailing slash, zero CRC, no compression, no sizes), not any of the payload files. 788 is the raw 16-bit "version needed to extract" field: its low byte, 0x14 = 20, is the "v2.0 to extract" already shown in File info; the high byte (3) is the field's upper byte, which does not form part of the version number.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process tree, built from the parent-process column under Process information)

explorer.exe
  ├─ WinRAR.exe (PID 1820)
  ├─ Sliver v4.2.4.exe (PID 3940)
  ├─ Sliver v4.2.4.exe (PID 2928)
  └─ Sliver v4.2.4.exe (PID 2108)
SearchIndexer.exe
  └─ SearchProtocolHost.exe (PID 3528)

Process information

PID 1820
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3528
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3940
  CMD: "C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe"
  Path: C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: PasscodeBypass
  Exit code: 1
  Version: 1.0.0.0

PID 2928
  CMD: "C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe"
  Path: C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: PasscodeBypass
  Exit code: 1
  Version: 1.0.0.0

PID 2108
  CMD: "C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe"
  Path: C:\Users\admin\Desktop\Sliver V4.2.2 latest_fix\Sliver v4.2.4.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: PasscodeBypass
  Version: 1.0.0.0

Note: all three Sliver v4.2.4.exe instances carry the version-resource description "PasscodeBypass" 1.0.0.0 and no company name, the archive separately ships ref\PasscodeBypass.exe with a different hash, and the executable's own name (v4.2.4) does not match the archive name (V4.2.2). None of the user-launched processes ran at elevated integrity.
Total events: 674
Read events: 654
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 80
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files (all extracted by WinRAR.exe, PID 1820, into C:\Users\admin\AppData\Local\Temp\Rar$DRa1820.24676\Sliver V4.2.2 latest_fix\)

ref\.irecovery  [text]
  MD5: 31343081B6DC94A41E722FEFE9CA2749
  SHA256: 6D439CDBA4D9DD417D8560B4D29116CCB853C1BC5AE4625FA31074234FED56C5
ref\bypass1  [binary]
  MD5: 5CE3835FAB09AFB952F9FBBD3347C178
  SHA256: F13C6301B8EEFEFDD9C12A2FD81AB49D313FF60396C896EEE86A90456234D798
Sliver v4.2.4.exe  [executable]
  MD5: 3C7208EF48259ED55D7D0D80F33E342D
  SHA256: 595AA0AAD51D69BC7C2721402A7D35439EF13E3B991023C8377887131C899805
lsass.dll  [executable]
  MD5: B434FA5B519C1770C260E1F49C0C4970
  SHA256: A0B9ABEEBBE2926AAC4AF4E02D77CD671AAFF1E4E013DAE23C9F5DAD29F8E6B7
ref\getfb2.dll  [binary]
  MD5: 8109027E2E0DCA054DF8A64C0EA8505A
  SHA256: 6BB4BAD2CAFAAD5720ABBF3C33407D0E2C253E559CAFB9DB0B3117EECA013284
ref\PasscodeBypass.exe  [executable]
  MD5: A1777F8FD925954A4B769B9F506ADC87
  SHA256: A54023B3FE3C5B7EE394E29D1F4F8EF865566D8D158E4D53E509CE4BC01957AF
ref\dmm.dll  [text]
  MD5: 1D230A5F233F232A9763E3593998BED2
  SHA256: 2C1F5583EE872D69D2393F0B1379E6AF524FCA9B2A66D2E3585CBBB80ADE7E6C
ref\System.dll  [executable]
  MD5: 1E66B7DC9039741F7082D5B63B24D714
  SHA256: 74E07A6BD6743833C1EEF7642178FA07EDB9D8D0FB7D5BB17CF0423075AC8E30
Renci.SshNet.dll  [executable]
  MD5: 327BE333F0AF86CFA55DA4FD1487F04B
  SHA256: ABBCE9DD7AF75331D65996E6460952A1028C057F4747CA88B7CC1915AEBDE64E
ref\ideviceactivation.exe  [executable]
  MD5: 0C946132F17A9FFB2CF0177E02B86DA2
  SHA256: F7364987C4583E1E2FD548657E719C53483F488DB7D4AE87505E09FD3E537AD8
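The dropped-file list above is the actionable part of this report: the sample makes no network connections, so the member hashes are the only IOCs it yields. The following is an added example (not code from ANY.RUN or from the sample's author) of doing the same inventory offline without extracting or running anything: it walks the zip's central directory and reports the same header fields ExifTool showed in the EXIF block (CRC, compression, modify date, the low byte of the "version needed to extract" field), hashes every non-directory member in memory, and looks each SHA-256 up against the hashes copied from this page. The archive it inspects is constructed inline as a stand-in; its members are placeholders and do not match the report.

```python
import hashlib
import io
import zipfile
from datetime import datetime

# SHA-256 -> archive-relative name, copied from the Dropped files list above.
REPORT_SHA256 = {
    "6D439CDBA4D9DD417D8560B4D29116CCB853C1BC5AE4625FA31074234FED56C5": "ref/.irecovery",
    "F13C6301B8EEFEFDD9C12A2FD81AB49D313FF60396C896EEE86A90456234D798": "ref/bypass1",
    "595AA0AAD51D69BC7C2721402A7D35439EF13E3B991023C8377887131C899805": "Sliver v4.2.4.exe",
    "A0B9ABEEBBE2926AAC4AF4E02D77CD671AAFF1E4E013DAE23C9F5DAD29F8E6B7": "lsass.dll",
    "6BB4BAD2CAFAAD5720ABBF3C33407D0E2C253E559CAFB9DB0B3117EECA013284": "ref/getfb2.dll",
    "A54023B3FE3C5B7EE394E29D1F4F8EF865566D8D158E4D53E509CE4BC01957AF": "ref/PasscodeBypass.exe",
    "2C1F5583EE872D69D2393F0B1379E6AF524FCA9B2A66D2E3585CBBB80ADE7E6C": "ref/dmm.dll",
    "74E07A6BD6743833C1EEF7642178FA07EDB9D8D0FB7D5BB17CF0423075AC8E30": "ref/System.dll",
    "ABBCE9DD7AF75331D65996E6460952A1028C057F4747CA88B7CC1915AEBDE64E": "Renci.SshNet.dll",
    "F7364987C4583E1E2FD548657E719C53483F488DB7D4AE87505E09FD3E537AD8": "ref/ideviceactivation.exe",
}

COMPRESSION_NAMES = {zipfile.ZIP_STORED: "None", zipfile.ZIP_DEFLATED: "Deflated"}


def lookup(sha256_hex: str):
    """Return the report file name for a SHA-256, or None if it is not a known IOC."""
    return REPORT_SHA256.get(sha256_hex.upper())


def inspect_zip(data: bytes) -> list:
    """Describe every central-directory entry of a zip held in memory.

    Members are read and hashed in memory only: nothing is written to disk and
    nothing is executed. Directory entries are reported with their raw header
    fields (the way ExifTool shows the first entry) but are not hashed.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = {
                "name": info.filename,
                "is_dir": info.is_dir(),
                "uncompressed_size": info.file_size,
                "compressed_size": info.compress_size,
                "crc": info.CRC,
                "modify_date": datetime(*info.date_time),
                "compression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                # Low byte of "version needed to extract": 20 means v2.0.
                "required_version": info.extract_version,
            }
            if not info.is_dir():
                blob = zf.read(info)
                entry["md5"] = hashlib.md5(blob).hexdigest().upper()
                entry["sha1"] = hashlib.sha1(blob).hexdigest().upper()
                entry["sha256"] = hashlib.sha256(blob).hexdigest().upper()
                entry["report_match"] = lookup(entry["sha256"])
            entries.append(entry)
    return entries


def build_sample_zip() -> bytes:
    """Constructed stand-in archive: a directory entry followed by placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Directory entry: stored, empty, CRC 0, like the EXIF block in the report.
        zf.writestr("Sample latest_fix/", b"", compress_type=zipfile.ZIP_STORED)
        # Placeholder PE-looking member (constructed, not a real executable).
        zf.writestr("Sample latest_fix/tool.exe", b"MZ" + b"\x00" * 62,
                    compress_type=zipfile.ZIP_DEFLATED)
        # Empty member: hashes are the well-known digests of the empty string.
        zf.writestr("Sample latest_fix/ref/empty.bin", b"", compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    for e in inspect_zip(build_sample_zip()):
        flag = f"  <-- matches report: {e['report_match']}" if e.get("report_match") else ""
        print(f"{e['name']:<35} dir={e['is_dir']} crc=0x{e['crc']:08X} "
              f"comp={e['compression']} v={e['required_version']} "
              f"sha256={e.get('sha256', '-')}{flag}")
```

To run it against the real archive, replace `build_sample_zip()` with the bytes of the downloaded zip; any member whose `report_match` is set is one of the files this report attributes to the sample. Reading members through `zipfile` rather than extracting them avoids writing the executables to disk at all, which is the safer default when the only goal is hashing.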
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests
Connections: No data
DNS requests: No data
Threats: No threats detected

No debug info