Overview

overview

10

Static

static

1

xdr.bat

windows10-1703-x64

10

xdr.bat

windows7-x64

10

xdr.bat

windows10-2004-x64

10

xdr.bat

windows10-ltsc 2021-x64

10

xdr.bat

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    xdr.bat

  • Size

    4KB

  • Sample

    241024-v887gszann

  • MD5

    9e779d369e3ca17fdc894d13c4fd797a

  • SHA1

    bf7e34e0da33a587177e66cfcec51f3aa75b4a87

  • SHA256

    15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

  • SHA512

    ab290641c94cd7d3270a236af9f1e849ea056fddcf3120afc3dbad61afd63453eca3732093799cc6b82f2275da74d374c453a324fa9e465d931d2dff71b351b1

  • SSDEEP

    96:IQ356afgPZCo/r+ab5iGp8HRI3h8UfpTsbUdGD:Iw56afgQHRq8UfGbdD

Score
10/10
meshagenthawlatbackdoordefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/ngrok.yml

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/ngrok.zip

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://152.89.239.119/x222.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/WindowsUpdate.jpg

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/auto-install-hrdp.bat

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/hrdp/hrdp.zip

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/hrdp/update.zip

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.139.196.250/hrdp/autoupdate.zip

Extracted

Family

meshagent

Version

2

Botnet

hawlat

C2

http://45.139.196.71:443/agent.ashx

Attributes
  • mesh_id

    0x2C8478969E4CFA9513F19039B18062AD421F4DAF221C1152A30999ADFFCB13924EE4197808C0B50EB8A4890383CFE71E

  • server_id

    71C17FDD46B31764650F2D1D58C0308252130889EAD2CB51F652D3D44DDA6687355E5D788FD7CFD214D97F8E3D42DDAB

  • wss

    wss://45.139.196.71:443/agent.ashx

Targets

    • Target

      xdr.bat

    • Size

      4KB

    • MD5

      9e779d369e3ca17fdc894d13c4fd797a

    • SHA1

      bf7e34e0da33a587177e66cfcec51f3aa75b4a87

    • SHA256

      15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

    • SHA512

      ab290641c94cd7d3270a236af9f1e849ea056fddcf3120afc3dbad61afd63453eca3732093799cc6b82f2275da74d374c453a324fa9e465d931d2dff71b351b1

    • SSDEEP

      96:IQ356afgPZCo/r+ab5iGp8HRI3h8UfpTsbUdGD:Iw56afgQHRq8UfGbdD

    Score
    10/10
    meshagenthawlatbackdoordefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationrattrojan

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

      rattrojanbackdoormeshagent

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Server Software Component: Terminal Services DLL

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Users

      defense_evasion
    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

4
T1059

PowerShell

4
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

3
T1564

Hidden Files and Directories

2
T1564.001

Hidden Users

1
T1564.002

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks