General

  • Target

    2024-10-12_31c7fa68b69d8d229a6e9daa2949d895_ryuk_sliver

  • Size

    2.9MB

  • Sample

    241012-w4l2tsvbqg

  • MD5

    31c7fa68b69d8d229a6e9daa2949d895

  • SHA1

    2f5593e25a34cbb303901bce8942a8505ba2a38f

  • SHA256

    5036a62e5049d149c98856687b229e522f01c0db515a05e650b9ab40ca840e6f

  • SHA512

    7fc7bff771c3bcc75ad95eafc762f344c06b5373f70eb7c43c81125b40cb2f3f952036c89a6bccb4aa53481f3f23f401eb9d7a56d9d0b1eaa48c3597fe2f7c37

  • SSDEEP

    49152:JyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPp:Jnj36pUk0TkfYiQ/p

Malware Config

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Home

  • C2

    http://control.tautolo.gy:443/agent.ashx

Attributes
  • mesh_id

    0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB

  • server_id

    08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A

  • wss

    wss://control.tautolo.gy:443/agent.ashx
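The extracted attributes above are the fields a MeshAgent carries in its .msh settings (MeshID, ServerID and the MeshServer websocket URL). The following is an added example, not code from this report or from the MeshCentral project: it parses a .msh-style Key=Value block into indicators, sanity-checks the field shapes (both IDs are 48-byte hex digests, the server URL must be a websocket endpoint), and runs the resulting host indicator over a few log lines. The .msh text is constructed from the values on this page; the MeshName/MeshType lines and all log lines are assumptions added for the example.

```python
"""Turn MeshAgent .msh settings into IOCs and match them against logs.

Added example for this report; not tria.ge or MeshCentral code. The .msh
block is CONSTRUCTED from the values extracted above (MeshID, ServerID,
MeshServer); MeshName/MeshType and the log lines are assumptions.
"""
import re
from urllib.parse import urlparse

SAMPLE_MSH = """\
MeshName=Home
MeshType=2
MeshID=0x18936942A3E5AE65DF8836B6EEFA3FD5DD375127CA3DA1852C2EC2DBA43786A498AA27456851B49C48A8683629B450EB
ServerID=08C4CDB1491A60BC30D0136004508FDDA3818CAB78A02628E44948AE98F2E0A2B4D87C34CBD4C18D959886F9B49EB33A
MeshServer=wss://control.tautolo.gy:443/agent.ashx
"""

# Constructed proxy/DNS lines; two reference the C2 host, one does not.
SAMPLE_LOGS = [
    "2024-10-12T10:15:02Z dns query A control.tautolo.gy from 10.0.0.23",
    "2024-10-12T10:15:03Z proxy CONNECT control.tautolo.gy:443 from 10.0.0.23",
    "2024-10-12T10:15:09Z proxy GET https://www.example.com/ from 10.0.0.24",
]

HEX48 = re.compile(r"^[0-9A-Fa-f]{96}$")  # 48 bytes = 96 hex chars


def parse_msh(text):
    """Parse Key=Value lines into a dict; blank lines and '#' comments ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def extract_iocs(cfg):
    """Derive network and identity indicators and record shape problems."""
    problems = []
    mesh_id = cfg.get("MeshID", "")
    if mesh_id.lower().startswith("0x"):
        mesh_id = mesh_id[2:]
    server_id = cfg.get("ServerID", "")
    if not HEX48.match(mesh_id):
        problems.append("MeshID is not 48 bytes of hex")
    if not HEX48.match(server_id):
        problems.append("ServerID is not 48 bytes of hex")

    url = urlparse(cfg.get("MeshServer", ""))
    if url.scheme not in ("ws", "wss"):
        problems.append("MeshServer is not a websocket URL")
    port = url.port or (443 if url.scheme == "wss" else 80)
    return {
        "mesh_id": mesh_id.upper(),
        "server_id": server_id.upper(),
        "host": url.hostname or "",
        "port": port,
        "path": url.path,
        "wss": cfg.get("MeshServer", ""),
        "problems": problems,
    }


def match_logs(iocs, lines):
    """Return log lines that reference the C2 host as a whole hostname."""
    if not iocs["host"]:
        return []
    host = re.escape(iocs["host"])
    pat = re.compile(r"(?<![\w.-])" + host + r"(?![\w-])", re.IGNORECASE)
    return [line for line in lines if pat.search(line)]


if __name__ == "__main__":
    iocs = extract_iocs(parse_msh(SAMPLE_MSH))
    print(iocs)
    for hit in match_logs(iocs, SAMPLE_LOGS):
        print("HIT:", hit)
```

MeshAgent is legitimate remote-management software, so the hostname alone is a weak indicator on networks that run their own MeshCentral server; the ServerID is the value to compare against the organisation's own server when deciding whether an agent is sanctioned.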

Targets

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is the open source remote management agent of MeshCentral, written in C with an embedded JavaScript runtime. Because it gives full remote control of the host, threat actors deploy it as a remote access trojan pointed at a MeshCentral server they operate.

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Reads the country or region code configured in the registry, consistent with a geofence check before the payload runs.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks