meshagent | e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f | Triage

Sharing

Copy URL Twitter E-mail

General

Target

e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe
Size

62.7MB
Sample

241014-cjnkdawblc
MD5

2ffafb44b3efdc58f229ffbce7b12796
SHA1

3ce9d89c6af5059f455de63a7cf13e6bad4733a0
SHA256

e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f
SHA512

d9ec7de46f28764d36cf7d33413b49de92d532547333876394a93771aaf87e983f64e69afd26d89f9db3b3158df1c0b163b7ea6731d923ece0c7f4bb2f130963
SSDEEP

1572864:u8OZCu66ERkqhn7gcc2qV3TdRdmJRHAUmi24Wrt0:mZCu90UFTdwRHjT2Xt0

Score

10^/10

meshagent backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://46.8.227.16/uploads/meshagent32-mesh.png

Targets

- Target
  
  e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe
- Size
  
  62.7MB
- MD5
  
  2ffafb44b3efdc58f229ffbce7b12796
- SHA1
  
  3ce9d89c6af5059f455de63a7cf13e6bad4733a0
- SHA256
  
  e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f
- SHA512
  
  d9ec7de46f28764d36cf7d33413b49de92d532547333876394a93771aaf87e983f64e69afd26d89f9db3b3158df1c0b163b7ea6731d923ece0c7f4bb2f130963
- SSDEEP
  
  1572864:u8OZCu66ERkqhn7gcc2qV3TdRdmJRHAUmi24Wrt0:mZCu90UFTdwRHjT2Xt0
Score

10^/10

discovery meshagent backdoor execution persistence rat trojan
- Detects MeshAgent payload
- MeshAgent
  MeshAgent is an open source remote access trojan written in C++.
  rat trojan backdoor meshagent
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

meshagentbackdoordiscoveryexecutionpersistencerattrojan