meshagent | b38f5abfa480b45c46d3eed7e8a6b4859888921358e57bd7649a70c4a3be5f90

Analysis

max time kernel
135s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/10/2024, 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meshagent64-Agents.exe
Size

3.3MB
MD5

5f2673342f7b252551dd063118bad41f
SHA1

c64c1f88c9f1a526c6d09d62a253252c139fa644
SHA256

b38f5abfa480b45c46d3eed7e8a6b4859888921358e57bd7649a70c4a3be5f90
SHA512

35ce5b6d8a3376452d2ec4409e2b3f79e7f4a0b28d04cccb1f2a5cf2391d7b791909e0ddff0c8290e0889908973384408ed1f2a21605f65a6d89a061bafe6a67
SSDEEP

49152:/X3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Q7:/lRsZ47/QXoHUOfAoj1x67

Score

10^/10

meshagent agents backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

Agents

http://192.168.120.103:443/agent.ashx

Attributes

mesh_id
0xBB1227C2C5DBF5D22F9A9FAD3E22FA627FA00027B1498C77028683DDE4F7C266D262698C3E2580C2E6717E6DA0EDDDFE
server_id
0ECE9AA53A3AFECFCE435ABEE5D9E9F8224B00636C0CCC9F39E61F4BB30B1023F087634BEFB9D852CD99E86B5BA50B8E
wss
wss://192.168.120.103:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000016d3f-2.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-Agents.exe

Executes dropped EXE 2 IoCs

pid	Process
464	Process not Found
3028	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-Agents.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MeshAgent.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2484	wmic.exe
Token: SeSecurityPrivilege	2484	wmic.exe
Token: SeTakeOwnershipPrivilege	2484	wmic.exe
Token: SeLoadDriverPrivilege	2484	wmic.exe
Token: SeSystemProfilePrivilege	2484	wmic.exe
Token: SeSystemtimePrivilege	2484	wmic.exe
Token: SeProfSingleProcessPrivilege	2484	wmic.exe
Token: SeIncBasePriorityPrivilege	2484	wmic.exe
Token: SeCreatePagefilePrivilege	2484	wmic.exe
Token: SeBackupPrivilege	2484	wmic.exe
Token: SeRestorePrivilege	2484	wmic.exe
Token: SeShutdownPrivilege	2484	wmic.exe
Token: SeDebugPrivilege	2484	wmic.exe
Token: SeSystemEnvironmentPrivilege	2484	wmic.exe
Token: SeRemoteShutdownPrivilege	2484	wmic.exe
Token: SeUndockPrivilege	2484	wmic.exe
Token: SeManageVolumePrivilege	2484	wmic.exe
Token: 33	2484	wmic.exe
Token: 34	2484	wmic.exe
Token: 35	2484	wmic.exe
Token: SeIncreaseQuotaPrivilege	2484	wmic.exe
Token: SeSecurityPrivilege	2484	wmic.exe
Token: SeTakeOwnershipPrivilege	2484	wmic.exe
Token: SeLoadDriverPrivilege	2484	wmic.exe
Token: SeSystemProfilePrivilege	2484	wmic.exe
Token: SeSystemtimePrivilege	2484	wmic.exe
Token: SeProfSingleProcessPrivilege	2484	wmic.exe
Token: SeIncBasePriorityPrivilege	2484	wmic.exe
Token: SeCreatePagefilePrivilege	2484	wmic.exe
Token: SeBackupPrivilege	2484	wmic.exe
Token: SeRestorePrivilege	2484	wmic.exe
Token: SeShutdownPrivilege	2484	wmic.exe
Token: SeDebugPrivilege	2484	wmic.exe
Token: SeSystemEnvironmentPrivilege	2484	wmic.exe
Token: SeRemoteShutdownPrivilege	2484	wmic.exe
Token: SeUndockPrivilege	2484	wmic.exe
Token: SeManageVolumePrivilege	2484	wmic.exe
Token: 33	2484	wmic.exe
Token: 34	2484	wmic.exe
Token: 35	2484	wmic.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2484	3016	meshagent64-Agents.exe	30
PID 3016 wrote to memory of 2484	3016	meshagent64-Agents.exe	30
PID 3016 wrote to memory of 2484	3016	meshagent64-Agents.exe	30
PID 3016 wrote to memory of 2132	3016	meshagent64-Agents.exe	33
PID 3016 wrote to memory of 2132	3016	meshagent64-Agents.exe	33
PID 3016 wrote to memory of 2132	3016	meshagent64-Agents.exe	33

C:\Users\Admin\AppData\Local\Temp\meshagent64-Agents.exe
"C:\Users\Admin\AppData\Local\Temp\meshagent64-Agents.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\meshagent64-Agents.exe
  "C:\Users\Admin\AppData\Local\Temp\meshagent64-Agents.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:2132

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
5f2673342f7b252551dd063118bad41f

SHA1
c64c1f88c9f1a526c6d09d62a253252c139fa644

SHA256
b38f5abfa480b45c46d3eed7e8a6b4859888921358e57bd7649a70c4a3be5f90

SHA512
35ce5b6d8a3376452d2ec4409e2b3f79e7f4a0b28d04cccb1f2a5cf2391d7b791909e0ddff0c8290e0889908973384408ed1f2a21605f65a6d89a061bafe6a67

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads