SLICKSHOES

By GoldSparrow in Trojans

The SLICKSHOES threat is a hacking tool that belongs to the arsenal of the infamous HIDDEN COBRA APT (Advanced Persistent Threat). The HIDDEN COBRA group also is known under the alias Lazarus. This hacking group originates from North Korea and is likely state-sponsored.

The SLICKSHOES malware is a tool that is likely used as a first-stage payload, as it does not attempt to gain persistence on the compromised system. This means that once the users shut down their computers, the SLICKSHOES malware will not run again unless executed manually. The SLICKSHOES threat is likely used for short-term attacks or as a backdoor that would allow the HIDDEN COBRA APT to plant additional threats on the infected system.

When the SLICKSHOES threat compromises a system, it drops and executes its payload, named 'taskenc.exe.' Next, SLICKSHOES establishes a connection with HIDDEN COBRA's C&C (Command & Control) server. SLICKSHOES does not have an impressive list of features. However, even with the fairly limited number of tasks it can carry out, the SLICKSHOES malware can be threatening. This threat can:

  • Change the working directory.
  • List files and the directories they belong to.
  • Execute remote commands.
  • Acquire and execute files sent by the attackers.
  • Take screenshots of the desktop and active windows at regular intervals.
  • Remove itself from the system and wipe all files associated with its threatening activity.

The HIDDEN COBRA APT is one of the most well-known North Korean hacking groups, and their arsenal of tools is admirable. The good news for regular users is that they tend to only go after foreign government officials or large corporations operating in prominent industries.

File Details:

Sample: fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
Name: CCA9FBB11C194FC53015185B741887A8
Size: 3133440 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: cca9fbb11c194fc53015185b741887a8
SHA1: 9e7bf03a607558dafe146907db28d77fda81be22
SHA256: fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac
SHA512: a1d1747dbc96c14b45f345679c0f7ba38186458f4992eecf382dd0af6391b4224c1b487431d681f5ffd052839f2901bc6203ea81c3235efcd82061d60eb10618
ssdeep: 49152:bbcROoCHuumCvGyQwNr6Ljvhg1J/4fxcBhmdSP8sWNRy8kLn3o1Dn:jVHaaGyQG6npcJ4xcD5d2Ry8kDo
Entropy: 7.968879

Aliases

15 security vendors flagged this file as malicious.

Anti-Virus Software Detection (vendor name omitted where the page does not list one):
- Trojan.Themida.Win32.3185
- Trojan.Wacatac
- Symantec: Trojan Horse
- Sophos: Troj/Agent-BCXR
- Trojan.Win32.TPM.ggaakh
- Microsoft: Trojan:Win32/Emotet
- McAfee: Trojan-Themida
- K7AntiVirus: Trojan ( 0040f4ef1 )
- Ikarus: Trojan.Win32.Themida
- Gen:Variant.Barys.1619 (B)
- Win32/Packed.Themida.AOO trojan variant
- W32/Trojan.QBAU-3559
- ClamAV: Win.Trojan.Agent-7376504-0
- BitDefender: Gen:Variant.Barys.1619
- AntiVir: TR/Crypt.TPM.Gen

File System Details

SLICKSHOES may create the following file(s):

# | File Name | MD5 | Detections
1 | fdb87add07d3459c43cfa88744656f6c00effa6b7ec92cb7c8b911d233aeb4ac | cca9fbb11c194fc53015185b741887a8 | (not listed)
