meshagent | 608e93d78b34e786888b0f73a85ebaed108278109ec89dcb9daec8668ff27481 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

2024-10-06_20650a6de9acf259a50b76c504a51cd3_poet-rat_snatch
Size

5.0MB
Sample

241006-qqh55a1ajd
MD5

20650a6de9acf259a50b76c504a51cd3
SHA1

bb94f63713567408613c2ba3e1a3ae5ae14230e7
SHA256

608e93d78b34e786888b0f73a85ebaed108278109ec89dcb9daec8668ff27481
SHA512

d54b568b10d43c36ffc5d7f9786bfb753aa78599b5cd8079c9b014eea37b3c456b258f76ac4ccf1ebaeff8ae4074fdd4fdd04a55a8fdf8c6a677446f30499e47
SSDEEP

49152:DgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGdJS5Be:s4e4uPpVW6gTVegO7DfEK+ef

Score

10^/10

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.andvo.ru:443/agent.ashx

Attributes

mesh_id
0xC93CDE7423C55427714D263B0B0CC3176FDB334DFCA7F58A0B33765B64875A270EE2805A5E7F9E6194223A23EA8E9B47
server_id
EDC986ED5C53E7CCCEE429DB2E65EFB490B25080611AD2B4555F70D7122ACA718915C496B90BBFEBCDFF7187ABDF2A07
wss
wss://mesh.andvo.ru:443/agent.ashx

Targets

- Target
  
  2024-10-06_20650a6de9acf259a50b76c504a51cd3_poet-rat_snatch
- Size
  
  5.0MB
- MD5
  
  20650a6de9acf259a50b76c504a51cd3
- SHA1
  
  bb94f63713567408613c2ba3e1a3ae5ae14230e7
- SHA256
  
  608e93d78b34e786888b0f73a85ebaed108278109ec89dcb9daec8668ff27481
- SHA512
  
  d54b568b10d43c36ffc5d7f9786bfb753aa78599b5cd8079c9b014eea37b3c456b258f76ac4ccf1ebaeff8ae4074fdd4fdd04a55a8fdf8c6a677446f30499e47
- SSDEEP
  
  49152:DgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGdJS5Be:s4e4uPpVW6gTVegO7DfEK+ef
Score

10^/10

meshagent tacticalrmm backdoor discovery evasion execution persistence rat trojan
- Detects MeshAgent payload
- MeshAgent
  MeshAgent is an open source remote access trojan written in C++.
  rat trojan backdoor meshagent
- Blocklisted process makes network request
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

Remote System Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

behavioral2

meshagenttacticalrmmbackdoordiscoveryevasionexecutionpersistencerattrojan