Sliver Backdoor Impersonates Syslog Utility


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-27 10:19:53 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
2025-09-15_00c8aec6cc596825fa8cf98bc7e34291_cobalt-strike_dosia_frostygoop_luca-stealer_poet-rat_quasar-rat_sliver_snatch
Type
Win64 Executable (generic)
SHA‑1
969357d7107567cc45afabacd52d42b2130bc949
MD5
00c8aec6cc596825fa8cf98bc7e34291
First Seen
2025-09-14 15:51:50.311759
Last Analysis
2025-09-15 07:15:23.500698
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 15+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-14 11:32:30 UTC First VirusTotal submission
2025-09-19 06:46:03 UTC Latest analysis snapshot 4 days, 19 hours, 13 minutes
2025-10-27 10:19:53 UTC Report generation time 42 days, 22 hours, 47 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Detected Vendors

  • Xcitium
  • +55 additional vendors (names not provided)

List includes Xcitium plus an additional 55 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • google_safebrowsing
  • Jiangmin
  • Kingsoft
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • ViRobot
  • Webroot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (63.21% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 134 63.21%
File System 39 18.40%
Network 22 10.38%
Process 8 3.77%
Device 5 2.36%
Threading 3 1.42%
Misc 1 0.47%

MITRE ATT&CK Mapping

  • T1071 – Reads data out of its own binary image
  • T1071 – Attempts to connect to a dead IP:Port
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1016 – Queries a host’s domain name
  • T1027.002 – Resolves API functions dynamically
  • T1095 – Connects to remote host
  • T1095 – Sets up server that accepts incoming connections
  • T1497.001 – Tries to detect application sandbox
  • T1497.003 – Delays execution
  • T1571 – Tries to connect using an uncommon port
  • T1622 – Tries to detect debugger
  • T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
  • T1056 – Installs a raw input device (often for capturing keystrokes)
  • T1082 – Sample reads itself and does not show any behavior, likely it performs some host environment checks and compares to an embedded key
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1571 – Detected TCP or UDP traffic on non-standard ports

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.18 United States Akamai Technologies, Inc.
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC
194.195.208.43 Germany Akamai Technologies

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC
194.195.208.43 Germany Akamai Technologies

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 50 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.2497339248657227 udp
192.168.56.13 224.0.0.252 49311 5355 5.774864912033081 udp
192.168.56.13 224.0.0.252 55150 5355 3.1817469596862793 udp
192.168.56.13 224.0.0.252 60010 5355 5.184056997299194 udp
192.168.56.13 224.0.0.252 62406 5355 3.187696933746338 udp
192.168.56.13 224.0.0.252 63527 5355 4.864988088607788 udp
192.168.56.13 239.255.255.250 52252 3702 3.226902961730957 udp
192.168.56.13 8.8.4.4 50554 53 145.69899702072144 udp
192.168.56.13 8.8.4.4 53518 53 239.6356658935547 udp
192.168.56.13 8.8.4.4 53985 53 358.29135298728943 udp
192.168.56.13 8.8.4.4 54879 53 7.745047092437744 udp
192.168.56.13 8.8.4.4 54881 53 7.432431936264038 udp
192.168.56.13 8.8.4.4 55551 53 174.41633009910583 udp
192.168.56.13 8.8.4.4 55743 53 343.9322409629822 udp
192.168.56.13 8.8.4.4 56086 53 315.3231339454651 udp
192.168.56.13 8.8.4.4 56197 53 160.0571129322052 udp
192.168.56.13 8.8.4.4 57065 53 253.9948148727417 udp
192.168.56.13 8.8.4.4 57310 53 66.10381007194519 udp
192.168.56.13 8.8.4.4 57415 53 80.46374487876892 udp
192.168.56.13 8.8.4.4 58697 53 22.792099952697754 udp
192.168.56.13 8.8.4.4 58920 53 98.72907710075378 udp
192.168.56.13 8.8.4.4 59610 53 286.60371804237366 udp
192.168.56.13 8.8.4.4 60543 53 221.38585090637207 udp
192.168.56.13 8.8.4.4 60780 53 300.96389293670654 udp
192.168.56.13 8.8.4.4 60910 53 113.0885500907898 udp
192.168.56.13 8.8.4.4 61004 53 192.66641998291016 udp
192.168.56.13 8.8.4.4 61800 53 329.5728759765625 udp
192.168.56.13 8.8.4.4 62493 53 51.74486994743347 udp
192.168.56.13 8.8.4.4 62849 53 37.151100873947144 udp
192.168.56.13 8.8.4.4 64533 53 207.02596592903137 udp
192.168.56.13 8.8.4.4 64801 53 127.44805192947388 udp
192.168.56.13 8.8.4.4 64886 53 268.3544499874115 udp
192.168.56.13 8.8.8.8 50554 53 144.69837594032288 udp
192.168.56.13 8.8.8.8 53518 53 238.63575196266174 udp
192.168.56.13 8.8.8.8 53985 53 357.2922649383545 udp
192.168.56.13 8.8.8.8 54879 53 8.7448570728302 udp
192.168.56.13 8.8.8.8 54881 53 8.432395935058594 udp
192.168.56.13 8.8.8.8 55551 53 173.41748690605164 udp
192.168.56.13 8.8.8.8 55743 53 342.9324059486389 udp
192.168.56.13 8.8.8.8 56086 53 314.32313895225525 udp
192.168.56.13 8.8.8.8 56197 53 159.0577518939972 udp
192.168.56.13 8.8.8.8 57065 53 252.9953489303589 udp
192.168.56.13 8.8.8.8 57310 53 65.10490202903748 udp
192.168.56.13 8.8.8.8 57415 53 79.46418595314026 udp
192.168.56.13 8.8.8.8 58697 53 21.792481899261475 udp
192.168.56.13 8.8.8.8 58920 53 97.7297010421753 udp
192.168.56.13 8.8.8.8 59610 53 285.60438799858093 udp
192.168.56.13 8.8.8.8 60543 53 220.38606309890747 udp
192.168.56.13 8.8.8.8 60780 53 299.96355509757996 udp
192.168.56.13 8.8.8.8 60910 53 112.08915996551514 udp
192.168.56.13 8.8.8.8 61004 53 191.6681809425354 udp
192.168.56.13 8.8.8.8 61800 53 328.57398796081543 udp
192.168.56.13 8.8.8.8 62493 53 50.74542307853699 udp
192.168.56.13 8.8.8.8 62849 53 36.15148901939392 udp
192.168.56.13 8.8.8.8 64533 53 206.02664494514465 udp
192.168.56.13 8.8.8.8 64801 53 126.44848203659058 udp
192.168.56.13 8.8.8.8 64886 53 267.35470509529114 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

31

Registry Set

0

Services Started

0

Services Opened

0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\LastConfig
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syslog.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
Show all (31 total)

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top