meshagent | 373c358f76f9e06ee29b40cce578cb8899f89df53f6e39be93d3e55b059a77db

Sharing

Copy URL

Twitter E-mail

General

Target

373c358f76f9e06ee29b40cce578cb8899f89df53f6e39be93d3e55b059a77db
Size

4.1MB
MD5

e8dfb5a1d7c8f4198dbbc7ae46e1438e
SHA1

8afaeaebfd023bf17ee2bb9542c2cd341ade1876
SHA256

373c358f76f9e06ee29b40cce578cb8899f89df53f6e39be93d3e55b059a77db
SHA512

9a547a61a869b488ace295cb74d43423d4e88367206e28784109b354d67935eed425399b4ae3030169f3377d047a842c702a45d617b375efefbd7c5bb5404a1a
SSDEEP

49152:yx2si8Wng6LhECjTNa7OQ8gN/QgE5NLBXLFjr8vX1lEAcHpalhDOdznwajnRcX:yATThTQXczjIapMO9wa7RcX

Score

10^/10

meshagent

Malware Config

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
sample	family_meshagent

Meshagent family
meshagent

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
373c358f76f9e06ee29b40cce578cb8899f89df53f6e39be93d3e55b059a77db

Files

373c358f76f9e06ee29b40cce578cb8899f89df53f6e39be93d3e55b059a77db
.exe windows:6 windows x64 arch:x64

73315d1268244e8ea111b3df61c70691

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

C:\Github-Runner\intel-innersource\001\_work\agentTempBuild_10392617803\Agent\MeshManageability\x64\Release\MeshService.pdb

Imports

dbghelp

StackWalk64
SymInitialize
SymGetModuleBase64
SymFunctionTableAccess64
SymGetLineFromAddr64
SymSetOptions
SymFromAddr

iphlpapi

GetAdaptersAddresses
GetAdaptersInfo
SendARP

ws2_32

htons
htonl
ntohs
ntohl
WSAGetLastError
freeaddrinfo
inet_ntop
gethostname
gethostbyaddr
WSAStartup
WSAIoctl
WSACleanup
getservbyport
inet_ntoa
getservbyname
inet_addr
shutdown
send
gethostbyname
select
WSASetLastError
inet_pton
getaddrinfo
setsockopt
ioctlsocket
getsockname
listen
closesocket
bind
accept
__WSAFDIsSet
sendto
getsockopt
recv
recvfrom
WSASocketW
connect
socket

setupapi

SetupDiSetClassInstallParamsW
SetupDiCallClassInstaller
SetupDiEnumDeviceInfo
CM_Reenumerate_DevNode_Ex
SetupDiClassNameFromGuidExW
SetupDiGetClassDevsA
SetupDiOpenDevRegKey
CM_Reenumerate_DevNode
CM_Locate_DevNode_ExW
SetupCopyOEMInfA
SetupDiGetDeviceRegistryPropertyA
SetupDiRemoveDevice
CM_Get_DevNode_Status_Ex
CM_Enumerate_Classes
SetupDiGetClassDevsExW
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
CM_Locate_DevNodeW
CM_Get_Device_ID_ExW
SetupDiGetDeviceRegistryPropertyW
SetupDiGetClassDescriptionExW

crypt32

PFXExportCertStore
CryptSignAndEncodeCertificate
CertCloseStore
CryptMsgGetParam
CryptEncodeObject
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgCalculateEncodedLength
CertOpenStore
CertStrToNameW
CertDuplicateCertificateContext
CertGetCertificateContextProperty
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CertFindCertificateInStore
CryptMsgControl
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertEnumCertificatesInStore
CertSetCertificateContextProperty
CertDeleteCertificateFromStore

wintrust

WTHelperGetProvCertFromChain
WTHelperProvDataFromStateData
WTHelperGetProvSignerFromChain
WinVerifyTrust

version

VerQueryValueA
GetFileVersionInfoW

wtsapi32

WTSFreeMemory
WTSEnumerateSessionsW
WTSQueryUserToken
WTSDisconnectSession
WTSSendMessageW

kernel32

GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
EncodePointer
InitializeCriticalSectionAndSpinCount
LoadLibraryExW
FreeLibraryAndExitThread
SetStdHandle
GetDriveTypeW
GetFileInformationByHandle
PeekNamedPipe
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SetConsoleCtrlHandler
GetCommandLineA
GetCommandLineW
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
WaitForSingleObject
GetLastError
CloseHandle
CreateProcessW
VerSetConditionMask
VerifyVersionInfoW
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
GetModuleFileNameA
SetPriorityClass
GetCurrentProcess
LocalAlloc
SetCurrentDirectoryA
Sleep
LocalFree
CreateProcessA
FormatMessageA
TerminateProcess
OpenProcess
GetTimeZoneInformation
K32GetModuleBaseNameA
K32EnumProcesses
K32EnumProcessModules
GetComputerNameExW
MultiByteToWideChar
CopyFileA
LoadLibraryW
GetProcAddress
ExitProcess
FreeLibrary
CopyFileW
WideCharToMultiByte
MoveFileW
AreFileApisANSI
ReadFile
TryEnterCriticalSection
HeapCreate
HeapFree
GetFullPathNameW
WriteFile
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
SetFilePointer
GetFullPathNameA
SetEndOfFile
UnlockFileEx
CreateMutexW
CreateFileW
GetFileAttributesW
GetCurrentThreadId
UnmapViewOfFile
HeapValidate
HeapSize
GetTempPathA
FormatMessageW
GetDiskFreeSpaceA
GetFileAttributesA
GetFileAttributesExW
OutputDebugStringW
FlushViewOfFile
CreateFileA
LoadLibraryA
WaitForSingleObjectEx
DeleteFileA
DeleteFileW
HeapReAlloc
RaiseException
GetSystemInfo
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
LockFileEx
GetFileSize
GetCurrentProcessId
GetProcessHeap
SystemTimeToFileTime
GetSystemTimeAsFileTime
GetSystemTime
CreateFileMappingW
MapViewOfFile
QueryPerformanceCounter
GetTickCount
SetUnhandledExceptionFilter
GetStdHandle
CreateThread
RtlCaptureContext
DuplicateHandle
ExitThread
SetEvent
GetCurrentThread
GetSystemDirectoryA
QueueUserAPC
GetModuleHandleW
SleepEx
OpenThread
IsDebuggerPresent
WaitNamedPipeA
CreateNamedPipeA
WaitForMultipleObjectsEx
GetEnvironmentVariableA
CreateEventW
CancelIoEx
ResetEvent
GetOverlappedResult
WTSGetActiveConsoleSessionId
GetExitCodeProcess
DeviceIoControl
GetConsoleScreenBufferInfo
SetConsoleScreenBufferSize
Wow64DisableWow64FsRedirection
SetConsoleWindowInfo
GetSystemDirectoryW
Wow64RevertWow64FsRedirection
FillConsoleOutputCharacterW
ReadConsoleOutputW
TerminateThread
FreeConsole
WriteConsoleInputW
FillConsoleOutputAttribute
GetConsoleWindow
SetConsoleCursorPosition
AllocConsole
CreateDirectoryW
FindFirstFileExW
SetSystemPowerState
FindNextFileW
RemoveDirectoryW
FindClose
GetVolumeInformationA
GetLogicalDriveStringsA
SetThreadExecutionState
InitializeCriticalSectionEx
CreateToolhelp32Snapshot
Process32NextW
K32GetModuleBaseNameW
K32GetProcessMemoryInfo
Process32FirstW
GetPriorityClass
WaitForMultipleObjects
GetCommTimeouts
GetCurrentDirectoryA
WaitCommEvent
GetCommState
CreateDirectoryA
SetCommTimeouts
SetCommState
GetModuleHandleA
SizeofResource
GetModuleFileNameW
LockResource
GlobalFree
LoadResource
FindResourceW
RemoveDirectoryA
SetLastError
InitializeSRWLock
ReleaseSRWLockExclusive
ReleaseSRWLockShared
AcquireSRWLockExclusive
AcquireSRWLockShared
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
VirtualFree
SwitchToFiber
DeleteFiber
CreateFiberEx
GetModuleHandleExW
FindFirstFileW
GetFileType
GetEnvironmentVariableW
GetACP
ConvertFiberToThread
ConvertThreadToFiberEx
GetConsoleMode
SetConsoleMode
ReadConsoleA
ReadConsoleW
SetFilePointerEx
GetConsoleCP
GetFileSizeEx
GetCPInfo
GetCurrentDirectoryW
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
FlushFileBuffers
IsValidCodePage
RtlLookupFunctionEntry
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
WriteConsoleW
GetTempPathW
SetCommMask

user32

MapVirtualKeyW
OpenDesktopW
SetForegroundWindow
SendInput
FindWindowW
OpenInputDesktop
SetProcessWindowStation
GetMonitorInfoW
CloseDesktop
GetThreadDesktop
SetThreadDesktop
GetSystemMetrics
SendMessageW
EnumDisplayMonitors
CloseWindowStation
GetUserObjectInformationA
ReleaseDC
GetDC
GetUserObjectInformationW
GetProcessWindowStation
MessageBoxW
EndDialog
SetWindowTextA
GetDlgItem
DialogBoxParamW
EnableWindow
GetMessageA
DispatchMessageA
PostMessageA
MessageBoxA
DefWindowProcA
CreateWindowExA
GetWindowLongPtrA
SetWindowLongPtrA
RegisterClassExA
LoadImageW
GetActiveWindow
UnhookWinEvent
MessageBeep
ExitWindowsEx
GetMessageW
ShowWindow
OpenWindowStationW
DispatchMessageW
VkKeyScanW
TranslateMessage
PostThreadMessageW
SetWinEventHook
GetForegroundWindow

gdi32

SetStretchBltMode
CreateCompatibleBitmap
SelectObject
CreateCompatibleDC
StretchBlt
GetDIBits
DeleteDC
DeleteObject

comdlg32

GetSaveFileNameW

advapi32

StartServiceW
ControlService
RegisterServiceCtrlHandlerW
DeleteService
ChangeServiceConfig2W
SetServiceStatus
AllocateAndInitializeSid
RegDeleteKeyW
QueryServiceStatus
OpenServiceW
QueryServiceConfigW
RegCreateKeyW
RegSetValueExA
OpenSCManagerW
CloseServiceHandle
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
RegQueryValueExA
CreateServiceW
RegGetValueW
CryptReleaseContext
RegSetValueExW
CryptDestroyKey
DuplicateTokenEx
OpenProcessToken
SetTokenInformation
CreateProcessAsUserA
AdjustTokenPrivileges
InitiateSystemShutdownW
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
CheckTokenMembership
DeregisterEventSource
RegisterEventSourceW
ReportEventW
FreeSid
CryptAcquireContextW
CryptSetHashParam
CryptGetProvParam
CryptGetUserKey
CryptExportKey
CryptDecrypt
CryptCreateHash
CryptDestroyHash
CryptSignHashW
CryptEnumProvidersW

shell32

SHGetSpecialFolderPathA
SHFileOperationW
SHFileOperationA
SHGetFolderPathA
SHGetFolderPathW
Shell_NotifyIconA

ole32

CoTaskMemFree
CoInitializeEx
CoUninitialize
CLSIDFromString
CoSetProxyBlanket
CoInitializeSecurity
CLSIDFromProgID
StringFromGUID2
CreateStreamOnHGlobal
CoCreateInstance

oleaut32

SysFreeString
SysAllocString
SafeArrayDestroy
SafeArrayGetUBound
SysStringLen
SysAllocStringLen
VariantClear

gdiplus

GdipLoadImageFromStream
GdipSaveImageToStream
GdipGetImageEncodersSize
GdipFree
GdipDisposeImage
GdipCloneImage
GdipGetImageEncoders
GdiplusShutdown
GdiplusStartup
GdipAlloc

winhttp

WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpOpen
WinHttpReadData
WinHttpOpenRequest
WinHttpReceiveResponse
WinHttpGetIEProxyConfigForCurrentUser

ncrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
NCryptOpenStorageProvider
BCryptGenRandom
BCryptFinishHash
BCryptCloseAlgorithmProvider
NCryptFinalizeKey
BCryptDestroyHash
NCryptCreatePersistedKey
NCryptFreeObject
BCryptHashData
NCryptSetProperty
BCryptCreateHash

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

propsys

PSGetPropertyDescriptionByName

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 938KB - Virtual size: 937KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 59KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 140KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 171KB - Virtual size: 171KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

73315d1268244e8ea111b3df61c70691

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

iphlpapi

ws2_32

setupapi

crypt32

wintrust

version

wtsapi32

kernel32

user32

gdi32

comdlg32

advapi32

shell32

ole32

oleaut32

gdiplus

winhttp

ncrypt

userenv

propsys

Sections

.text Size: 2.8MB - Virtual size: 2.8MB

.rdata Size: 938KB - Virtual size: 937KB

.data Size: 59KB - Virtual size: 146KB

.pdata Size: 140KB - Virtual size: 139KB

_RDATA Size: 512B - Virtual size: 512B

.rsrc Size: 171KB - Virtual size: 171KB

.reloc Size: 38KB - Virtual size: 37KB

.text
Size: 2.8MB - Virtual size: 2.8MB

.rdata
Size: 938KB - Virtual size: 937KB

.data
Size: 59KB - Virtual size: 146KB

.pdata
Size: 140KB - Virtual size: 139KB

_RDATA
Size: 512B - Virtual size: 512B

.rsrc
Size: 171KB - Virtual size: 171KB

.reloc
Size: 38KB - Virtual size: 37KB