General

  • Target

    QS1.exe

  • Size

    3.3MB

  • Sample

    240925-ja1lxasgjl

  • MD5

    407da4828b3b9126d6a0b6aa25a081c4

  • SHA1

    3aeee655ab024657da645f9a05b53d40c9456d76

  • SHA256

    a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2

  • SHA512

    6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d

  • SSDEEP

    49152:hX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qu:hlRsZ47/QXoHUOfAoj1x6u

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

QS1

C2

http://mc.kaminet.eu:443/agent.ashx

Attributes
  • mesh_id

    0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861

  • server_id

    A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6

  • wss

    wss://mc.kaminet.eu:443/agent.ashx
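A worked triage example, added here and not part of the sandbox report or of the MeshAgent/MeshCentral code: it parses a constructed MeshCentral-style .msh settings block carrying the indicators listed above, checks that MeshID and ServerID are 48-byte hex digests, and then scans constructed proxy log lines for connections to the listed C2 host and, more generally, for WebSocket upgrades to the /agent.ashx endpoint on any host. Assumptions: that the report's mesh_id/server_id/wss attributes correspond to the MeshID/ServerID/MeshServer keys of a .msh file, that /agent.ashx is the agent endpoint on every MeshCentral server, and the tab-separated log layout, which is invented for the example.

```python
"""Extract MeshAgent C2 indicators from a .msh-style settings block and hunt
for them (and for the generic MeshAgent endpoint) in proxy/HTTP logs."""
import re
from urllib.parse import urlparse

# Constructed sample: MeshCentral-style key=value agent settings. Assumption:
# the mesh_id / server_id / wss attributes in the sandbox report come from
# settings of this shape. Values are the ones reported for this sample.
SAMPLE_MSH = """\
MeshName=QS1
MeshType=2
MeshID=0xEE89D60F5CD6BC8AD4C27EB31F4E89CB92C52B0E217F715BD63BD9491D17D4F7427AB13D0C72EA406672528F6DC79861
ServerID=A417F6622B66C84C5A6A0F6363F7C42AB877B26FD42E54C556B38C8026CBA894EE3DA91B087D9EC0AB62208B541506F6
MeshServer=wss://mc.kaminet.eu:443/agent.ashx
"""

# Constructed proxy log, tab-separated: ts, src, dst_host, dst_port, method,
# uri, upgrade header ('-' when absent). Not taken from the sandbox run.
SAMPLE_HTTP_LOG = """\
2024-09-25T12:00:01Z\t10.0.0.21\tMC.KAMINET.EU.\t443\tGET\t/agent.ashx\twebsocket
2024-09-25T12:00:05Z\t10.0.0.21\tupdate.example.com\t443\tGET\t/index.html\t-
2024-09-25T12:03:17Z\t10.0.0.44\tmesh.example.org\t443\tGET\t/agent.ashx\twebsocket
2024-09-25T12:04:00Z\t10.0.0.44\tcdn.example.net\t80\tGET\t/agent.ashx.js\t-
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Path a MeshAgent uses to reach its server. Assumption: identical on every
# MeshCentral deployment, so it is a host-independent indicator.
MESHAGENT_PATH = "/agent.ashx"


def parse_msh(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _norm_host(host):
    """Lower-case and strip a trailing dot so log and config hosts compare."""
    return host.strip().rstrip(".").lower()


def extract_iocs(settings):
    """Turn parsed settings into normalised indicators, validating the IDs."""
    url = urlparse(settings["MeshServer"])
    if url.scheme not in ("wss", "ws"):
        raise ValueError("unexpected MeshServer scheme: %r" % url.scheme)
    mesh_id = settings["MeshID"]
    if mesh_id.lower().startswith("0x"):
        mesh_id = mesh_id[2:]
    server_id = settings["ServerID"]
    for name, val in (("MeshID", mesh_id), ("ServerID", server_id)):
        # 96 hex chars = 48 bytes, the size of a SHA-384 digest.
        if not HEX_RE.match(val) or len(val) != 96:
            raise ValueError("%s is not a 48-byte hex digest" % name)
    return {
        "host": _norm_host(url.hostname),
        "port": url.port or (443 if url.scheme == "wss" else 80),
        "path": url.path,
        "mesh_id": mesh_id.upper(),
        "server_id": server_id.upper(),
    }


def flag_http_lines(lines, iocs):
    """Return hits: the known C2 host is 'high'; the agent endpoint path with a
    WebSocket upgrade on any other host is 'medium' (another MeshCentral
    instance, legitimate or not, which needs follow-up)."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 7:
            continue  # malformed line; production code should count these
        ts, src, host, _port, _method, uri, upgrade = fields
        host = _norm_host(host)
        path = uri.split("?", 1)[0]
        if host == iocs["host"] and path == iocs["path"]:
            hits.append({"ts": ts, "src": src, "host": host,
                         "severity": "high", "reason": "known MeshAgent C2"})
        elif path == MESHAGENT_PATH and upgrade.lower() == "websocket":
            hits.append({"ts": ts, "src": src, "host": host,
                         "severity": "medium",
                         "reason": "MeshAgent endpoint on unlisted host"})
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(parse_msh(SAMPLE_MSH))
    print(iocs)
    for hit in flag_http_lines(SAMPLE_HTTP_LOG.splitlines(), iocs):
        print(hit)
```

The medium hits exist because MeshCentral is also deployed legitimately; treat them as leads to confirm against an inventory of sanctioned servers rather than as verdicts, and match on the normalised host and exact path rather than the scheme, since the report itself renders the same endpoint both as http://...:443 and as wss://.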

Targets

    • Target

      QS1.exe

    • Size

      3.3MB

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is the open-source remote management agent of the MeshCentral project, written in C. It is legitimate software, but because a deployed agent gives the controlling MeshCentral server full remote access to the host (shell, file transfer, desktop), it is frequently repackaged with an attacker-controlled server and used as a remote access trojan, as in this sample.

    • Sets service image path in registry

    • Checks computer location settings

      Reads the country code configured in the registry (typically the Geo\Nation value under Control Panel\International), a check commonly used to geofence execution by region.

    • Executes dropped EXE

    • Checks installed software on the system

      Enumerates installed software by reading the entries under the registry Uninstall key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall).

    • Drops file in System32 directory
