meshagent | e3ff81d31d57ace21b0cc50a5eff97e1[.]bin

Sharing

Copy URL Twitter E-mail

General

Target

e3ff81d31d57ace21b0cc50a5eff97e1.bin
Size

2.1MB
MD5

810c316df0ba34d41a6f090a7ebdcaab
SHA1

0f6c575fa0c83a352c7a8d6fb9c247efc76d7ab4
SHA256

44fbcb482f2efceb897eacde7bfd5fceb9421ff05dfacb06ece890b487d0e2e7
SHA512

4f35114ae7a97f68bb6f9a683257b65f733b343171185963b1bbd4388d6d3a29594ce2036e089eba3adc0668afa6955f9b4996c3fc8bcc4821bbbbb2dcd54ac5
SSDEEP

49152:M/TfnMHVMCDmJr2xfXkZv+IyAa083iN0iXhY3h0gM8OfREkC:ByCKoh8vuG8SN0iR5fZC

Score

10^/10

meshagent

Malware Config

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
static1/unpack001/e31a69254f2a8e82498b46242d073858373dbb0f8f8281ddb107d06de3038f49.exe	family_meshagent

Meshagent family
meshagent

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/e31a69254f2a8e82498b46242d073858373dbb0f8f8281ddb107d06de3038f49.exe

Files

e3ff81d31d57ace21b0cc50a5eff97e1.bin
.zip

Password: infected
e31a69254f2a8e82498b46242d073858373dbb0f8f8281ddb107d06de3038f49.exe
.exe windows:6 windows x64 arch:x64

Password: infected

5c0d041bec4d36c68c76a99955a498a2

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Users\yfjvy\Downloads\MeshAgent-master\Debug\MeshService64.pdb

Imports

comctl32

InitCommonControlsEx

dbghelp

MiniDumpWriteDump
SymInitialize
SymGetLineFromAddr64
SymGetModuleBase64
SymFunctionTableAccess64
StackWalk64
SymFromAddr

iphlpapi

ConvertLengthToIpv4Mask
SendARP
GetAdaptersInfo
GetAdaptersAddresses

ws2_32

WSAResetEvent
htonl
htons
ntohl
ntohs
gethostname
__WSAFDIsSet
WSASetLastError
accept
bind
closesocket
ioctlsocket
getsockname
listen
recv
send
WSAGetLastError
WSASocketW
setsockopt
socket
connect
getsockopt
recvfrom
sendto
shutdown
WSAIoctl
select
WSAStartup
WSACleanup
WSACloseEvent
WSACreateEvent
WSAEventSelect
FreeAddrInfoW
GetAddrInfoW

crypt32

CertDuplicateCertificateContext
CertEnumCertificatesInStore
CryptEncodeObject
CryptMsgOpenToEncode
CryptMsgCalculateEncodedLength
CryptMsgOpenToDecode
CryptMsgClose
CryptMsgUpdate
CryptMsgGetParam
CryptMsgControl
CertOpenStore
CertCloseStore
CertFindCertificateInStore
CertFreeCertificateContext
CertSetCertificateContextProperty
CertAddEncodedCertificateToStore
CertAddCertificateContextToStore
CertDeleteCertificateFromStore
CryptSignAndEncodeCertificate
CryptExportPublicKeyInfo
CertGetCertificateContextProperty
CertStrToNameA
CertStrToNameW
CertCreateSelfSignCertificate
PFXExportCertStore
CryptAcquireCertificatePrivateKey

gdiplus

GdipGetImageEncodersSize
GdipGetImageEncoders
GdipSaveImageToStream
GdipDisposeImage
GdipFree
GdiplusStartup
GdiplusShutdown
GdipLoadImageFromStream
GdipCloneImage
GdipLoadImageFromStreamICM
GdipAlloc

ncrypt

NCryptOpenStorageProvider
NCryptCreatePersistedKey
NCryptSetProperty
NCryptFinalizeKey
BCryptFinishHash
NCryptFreeObject
BCryptCreateHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptGenRandom
BCryptHashData

kernel32

VirtualQuery
InitializeSListHead
GetStartupInfoW
RtlUnwindEx
GetStdHandle
SetEnvironmentVariableA
SetCurrentDirectoryW
GetCurrentDirectoryW
GetFullPathNameW
WriteFile
CloseHandle
GetLastError
Sleep
CreateProcessW
OpenProcess
FreeLibrary
GetModuleFileNameW
GetProcAddress
LoadLibraryExA
GetSystemPowerStatus
MultiByteToWideChar
WideCharToMultiByte
WaitForSingleObjectEx
QueueUserAPC
CreateThread
GetCurrentThreadId
OpenThread
GetModuleHandleA
ReadFile
SleepEx
LoadLibraryA
GetCurrentProcess
SetThreadExecutionState
SetSystemPowerState
HeapAlloc
HeapFree
GetProcessHeap
GetSystemTime
SystemTimeToFileTime
QueryPerformanceCounter
QueryPerformanceFrequency
FileTimeToSystemTime
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CreateFileW
FindClose
FindFirstFileW
FindNextFileW
FindVolumeClose
GetDiskFreeSpaceExA
GetDriveTypeA
GetFileAttributesExW
GetFinalPathNameByHandleW
RemoveDirectoryW
SetFilePointer
CancelIo
CreateEventA
ReadDirectoryChangesW
FindFirstVolumeA
FindNextVolumeA
GetVolumePathNamesForVolumeNameA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateFileA
ConnectNamedPipe
DisconnectNamedPipe
CancelIoEx
LocalFree
CreateNamedPipeA
IsDebuggerPresent
GetConsoleMode
SetConsoleMode
SetConsoleOutputCP
GetEnvironmentStrings
FreeEnvironmentStringsA
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
RtlLookupFunctionEntry
TerminateProcess
GetThreadId
CopyFileW
MoveFileW
RtlCaptureContext
DeleteFileA
DuplicateHandle
GetOverlappedResult
GetCurrentThread
ExitThread
SuspendThread
ResumeThread
GetThreadContext
GetTickCount64
GetExitCodeProcess
WTSGetActiveConsoleSessionId
DeleteFileW
SetEndOfFile
SetFilePointerEx
OutputDebugStringA
LoadLibraryExW
FreeConsole
SetConsoleCtrlHandler
SetLastError
GetFileType
OutputDebugStringW
GetModuleHandleW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
EncodePointer
RtlUnwind
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
RtlPcToFileHeader
ExitProcess
GetModuleHandleExW
HeapSize
HeapValidate
GetSystemInfo
CreateDirectoryW
MoveFileExW
GetConsoleOutputCP
SetEnvironmentVariableW
WriteConsoleW
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
GetCommandLineA
GetCommandLineW
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
FlushFileBuffers
GetFileSizeEx
RtlVirtualUnwind
HeapReAlloc
RaiseException
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcessId
IsProcessorFeaturePresent
HeapQueryInformation
GetCPInfo
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SystemTimeToTzSpecificLocalTime
GetStringTypeW

user32

GetDlgCtrlID
IsDlgButtonChecked
CheckDlgButton
GetDlgItem
EndDialog
DialogBoxParamW
SetWindowPlacement
GetWindowPlacement
ShowWindow
CreateWindowExW
SendMessageW
MessageBeep
ExitWindowsEx
BlockInput
EnumDisplayMonitors
GetMonitorInfoA
GetSystemMetrics
GetUserObjectInformationA
GetThreadDesktop
CloseDesktop
SetThreadDesktop
OpenInputDesktop
GetCursorInfo
UnhookWinEvent
GetWindowRect
EnableWindow
DrawIconEx
LoadCursorA
CallNextHookEx
UnhookWindowsHookEx
SetWindowsHookExA
ReleaseDC
GetDC
SetForegroundWindow
GetForegroundWindow
MapVirtualKeyA
SendInput
GetKeyState
DestroyWindow
CreateWindowExA
RegisterClassExA
UnregisterClassA
DefWindowProcA
PostMessageA
GetMessageExtraInfo
DispatchMessageA
TranslateMessage
GetMessageA
SetProcessDPIAware
GetProcessWindowStation
MessageBoxW
SetWindowTextA
GetIconInfo
SetWindowTextW
GetUserObjectInformationW
SetWinEventHook

gdi32

CreateSolidBrush
SetStretchBltMode
StretchBlt
DeleteDC
BitBlt
GetObjectA
SelectObject
GetDIBits
DeleteObject
CreateCompatibleBitmap
CreateCompatibleDC
GetStockObject
SetBkColor
SetBkMode
SetTextColor

advapi32

RegisterServiceCtrlHandlerExA
QueryServiceStatus
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
RegCloseKey
RegCreateKeyW
RegDeleteKeyA
RegSetValueExA
RegOpenKeyExA
OpenProcessToken
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegOpenKeyExW
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
CryptReleaseContext
CryptDestroyKey
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetEntriesInAclA
CreateProcessAsUserW
DuplicateTokenEx
SetTokenInformation
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CloseServiceHandle
OpenSCManagerA
OpenServiceA
SetServiceStatus

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoUninitialize
CoInitializeEx

oleaut32

SysStringLen
SysFreeString
SysAllocString

Sections

.text
Size: 4.1MB - Virtual size: 4.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 779KB - Virtual size: 778KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 641KB - Virtual size: 806KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 135KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 142KB - Virtual size: 141KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 25KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

5c0d041bec4d36c68c76a99955a498a2

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

dbghelp

iphlpapi

ws2_32

crypt32

gdiplus

ncrypt

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 4.1MB - Virtual size: 4.1MB

.rdata Size: 779KB - Virtual size: 778KB

.data Size: 641KB - Virtual size: 806KB

.pdata Size: 135KB - Virtual size: 135KB

.rsrc Size: 142KB - Virtual size: 141KB

.reloc Size: 25KB - Virtual size: 24KB

.text
Size: 4.1MB - Virtual size: 4.1MB

.rdata
Size: 779KB - Virtual size: 778KB

.data
Size: 641KB - Virtual size: 806KB

.pdata
Size: 135KB - Virtual size: 135KB

.rsrc
Size: 142KB - Virtual size: 141KB

.reloc
Size: 25KB - Virtual size: 24KB