meshagent | fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373.exe
Size

1.6MB
MD5

dc37d19933e5689c25bc6cce8c15d58c
SHA1

5465ed40e9ce77663bcb5213cf7deb6bded25804
SHA256

fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373
SHA512

15ca53e95a2e74d17b87778354ed7508192fb2225ca6c40db7693909c35b02726472f19b060be878c02f5d89c17f99ffaf7600289f82930fdfd28507fa1b881d
SSDEEP

24576:zadIJEV+Vz4OjRZMpM2wSZB8Q04KfA3NapQpN65NlwBy8rTx3ZmIkmu3ylHAhf8:WIii8uqMIBv09cNgHwBy8rVkUkyR+U

Score

10^/10

meshagent

Malware Config

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
static1/unpack001/leonardo-mesh.exe	family_meshagent

Meshagent family
meshagent

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

resource
fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373.exe
unpack001/leonardo-mesh.exe

Files

fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373.exe
.exe windows:4 windows x86 arch:x86

9dda1a1d1f8a1d13ae0297b47046b26e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegOpenKeyExW
RegCreateKeyExW

shell32

SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
SHFileOperationW
ShellExecuteExW

ole32

CoCreateInstance
OleUninitialize
OleInitialize
IIDFromString
CoTaskMemFree

comctl32

ImageList_Destroy
ord17
ImageList_AddMasked
ImageList_Create

user32

MessageBoxIndirectW
GetDlgItemTextW
SetDlgItemTextW
CreatePopupMenu
AppendMenuW
TrackPopupMenu
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
IsWindowVisible
CallWindowProcW
GetMessagePos
CheckDlgButton
LoadCursorW
SetCursor
GetSysColor
SetWindowPos
GetWindowLongW
IsWindowEnabled
SetClassLongW
GetSystemMenu
EnableMenuItem
GetWindowRect
ScreenToClient
EndDialog
RegisterClassW
SystemParametersInfoW
CharPrevW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
SetTimer
SetWindowTextW
PostQuitMessage
SetForegroundWindow
ShowWindow
wsprintfW
SendMessageTimeoutW
FindWindowExW
IsWindow
GetDlgItem
SetWindowLongW
LoadImageW
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndPaint
CharNextA
wsprintfA
DispatchMessageW
CreateWindowExW
PeekMessageW
GetSystemMetrics

gdi32

GetDeviceCaps
SetBkColor
SelectObject
DeleteObject
CreateBrushIndirect
CreateFontIndirectW
SetBkMode
SetTextColor

kernel32

RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
CreateProcessW
CreateDirectoryW
GetLastError
CreateThread
GlobalLock
GlobalUnlock
GetDiskFreeSpaceW
WideCharToMultiByte
lstrcpynW
lstrlenW
SetErrorMode
GetVersionExW
GetCommandLineW
GetTempPathW
GetWindowsDirectoryW
SetEnvironmentVariableW
WriteFile
ExitProcess
GetCurrentProcess
GetModuleFileNameW
GetFileSize
CreateFileW
GetTickCount
Sleep
SetFileAttributesW
GetFileAttributesW
SetCurrentDirectoryW
MoveFileW
GetFullPathNameW
GetShortPathNameW
SearchPathW
CompareFileTime
SetFileTime
CloseHandle
lstrcmpiW
lstrcmpW
ExpandEnvironmentStringsW
GlobalFree
GlobalAlloc
GetModuleHandleW
LoadLibraryExW
FreeLibrary
WritePrivateProfileStringW
GetPrivateProfileStringW
lstrlenA
MultiByteToWideChar
ReadFile
SetFilePointer
FindClose
FindNextFileW
FindFirstFileW
DeleteFileW
MulDiv
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
CopyFileW

Sections

.text
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 126KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 112KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 22KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
leonardo-mesh.exe
.exe windows:6 windows x86 arch:x86

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\MeshAgent\MeshAgent\Release\MeshService.pdb

Imports

comctl32

InitCommonControlsEx

crypt32

CryptEncodeObject
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgControl
CertStrToNameW
CertOpenStore
CryptMsgCalculateEncodedLength
CertFindCertificateInStore
CertSetCertificateContextProperty
CertGetCertificateContextProperty
CryptMsgGetParam
CertStrToNameA
CertCloseStore
CryptSignAndEncodeCertificate
PFXExportCertStore

ncrypt

NCryptCreatePersistedKey
BCryptGetProperty
BCryptOpenAlgorithmProvider
NCryptOpenStorageProvider
BCryptCreateHash
NCryptSetProperty
BCryptHashData
NCryptFreeObject
NCryptFinalizeKey
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGenRandom

dbghelp

SymInitialize
SymFromAddr
MiniDumpWriteDump
SymGetModuleBase64
SymGetLineFromAddr64
SymFunctionTableAccess64
StackWalk64

iphlpapi

GetAdaptersAddresses
SendARP
ConvertLengthToIpv4Mask
GetAdaptersInfo

ws2_32

__WSAFDIsSet
htons
htonl
gethostname
ntohs
ntohl
WSAGetLastError
ioctlsocket
recv
send
gethostbyname
getaddrinfo
freeaddrinfo
getnameinfo
WSASetLastError
getsockname
WSASocketW
listen
closesocket
bind
accept
WSACleanup
FreeAddrInfoW
select
WSACloseEvent
WSACreateEvent
WSAStartup
WSAEventSelect
WSAResetEvent
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

gdiplus

GdipCloneImage
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream
GdipGetImageEncoders

kernel32

InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
GetFullPathNameW
GetStdHandle
WriteFile
LoadLibraryExA
GetModuleFileNameW
GetSystemPowerStatus
OpenProcess
MultiByteToWideChar
Sleep
GetLastError
CloseHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
SetEnvironmentVariableA
CreateProcessW
FreeLibrary
WideCharToMultiByte
GetCurrentThreadId
GetModuleHandleA
WaitForSingleObjectEx
CreateThread
QueueUserAPC
OpenThread
ReadFile
LoadLibraryA
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
HeapFree
HeapAlloc
GetProcessHeap
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
LeaveCriticalSection
SystemTimeToTzSpecificLocalTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFinalPathNameByHandleW
GetDriveTypeA
SetFilePointer
FindFirstVolumeA
FindClose
CreateFileW
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateNamedPipeA
DisconnectNamedPipe
CreateFileA
CancelIoEx
LocalFree
ConnectNamedPipe
SetConsoleMode
GetConsoleMode
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
GetThreadId
GetCurrentProcessId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileW
MoveFileW
RtlCaptureContext
SuspendThread
ResumeThread
DuplicateHandle
ExitThread
GetTickCount64
GetCurrentThread
DeleteFileA
GetOverlappedResult
GetThreadContext
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetEndOfFile
DeleteFileW
SetFilePointerEx
SetConsoleCtrlHandler
FreeConsole
LoadLibraryExW
SetLastError
GetFileType
GetModuleHandleW
FormatMessageW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleHandleExW
CreateProcessA
HeapValidate
GetSystemInfo
CreateDirectoryW
GetConsoleCP
MoveFileExW
SetEnvironmentVariableW
SetCurrentDirectoryA
GetCurrentDirectoryA
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
PeekNamedPipe
GetModuleFileNameA
GetCommandLineA
GetCommandLineW
GetACP
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetConsoleOutputCP
IsProcessorFeaturePresent
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
HeapReAlloc
HeapSize
HeapQueryInformation
GetStringTypeW
WriteConsoleW
GetCPInfo
GetFullPathNameA
OutputDebugStringA
OutputDebugStringW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
EncodePointer
QueryPerformanceFrequency
DecodePointer

user32

EndDialog
SetWindowTextW
GetWindowPlacement
ShowWindow
GetDlgCtrlID
SetWindowPlacement
SetWindowTextA
IsDlgButtonChecked
GetDlgItem
CheckDlgButton
DialogBoxParamW
EnableWindow
MessageBeep
ExitWindowsEx
GetUserObjectInformationA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
BlockInput
GetMonitorInfoA
OpenInputDesktop
GetKeyState
GetMessageA
GetWindowRect
SendMessageW
LoadCursorA
DestroyWindow
GetDC
PostMessageA
GetIconInfo
CallNextHookEx
GetCursorInfo
SetWindowsHookExA
MapVirtualKeyA
GetForegroundWindow
UnhookWindowsHookEx
DefWindowProcA
CreateWindowExA
TranslateMessage
UnregisterClassA
DrawIconEx
SetWinEventHook
RegisterClassExA
UnhookWinEvent
SetForegroundWindow
ReleaseDC
SendInput
SetProcessDPIAware
GetProcessWindowStation
GetUserObjectInformationW
DispatchMessageA
CreateWindowExW
MessageBoxW
GetMessageExtraInfo

gdi32

DeleteObject
GetDIBits
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
SetStretchBltMode
DeleteDC
StretchBlt
BitBlt
GetObjectA
CreateSolidBrush
SetBkColor
SetBkMode
SetTextColor
GetStockObject

advapi32

RegOpenKeyExA
RegCloseKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
FreeSid
CheckTokenMembership
OpenServiceA
SetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
SetSecurityDescriptorDacl
SetEntriesInAclA
InitializeSecurityDescriptor
CryptDestroyKey
RegQueryValueExA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegCreateKeyW
RegSetValueExA
RegDeleteKeyA
OpenProcessToken

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
SysStringLen

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 502KB - Virtual size: 502KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 579KB - Virtual size: 742KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9dda1a1d1f8a1d13ae0297b47046b26e

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

shell32

ole32

comctl32

user32

gdi32

kernel32

Sections

.text Size: 26KB - Virtual size: 25KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1KB - Virtual size: 126KB

.ndata Size: - Virtual size: 112KB

.rsrc Size: 22KB - Virtual size: 22KB

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

crypt32

ncrypt

dbghelp

iphlpapi

ws2_32

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 502KB - Virtual size: 502KB

.data Size: 579KB - Virtual size: 742KB

.gfids Size: 512B - Virtual size: 372B

.rsrc Size: 136KB - Virtual size: 135KB

.reloc Size: 95KB - Virtual size: 94KB

.text
Size: 26KB - Virtual size: 25KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1KB - Virtual size: 126KB

.ndata
Size: - Virtual size: 112KB

.rsrc
Size: 22KB - Virtual size: 22KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 502KB - Virtual size: 502KB

.data
Size: 579KB - Virtual size: 742KB

.gfids
Size: 512B - Virtual size: 372B

.rsrc
Size: 136KB - Virtual size: 135KB

.reloc
Size: 95KB - Virtual size: 94KB