Overview

overview

10

Static

static

1

VMware-vic...56.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VMware-viclient-f0c1e456.exe

  • Size

    352.6MB

  • Sample

    250101-1y6lhaxjat

  • MD5

    4d038eee3d8223801b558874c2661717

  • SHA1

    ff34e99ce2d3e194e7cdc9e1df437cbba336b36e

  • SHA256

    1e383a0e7990c73ea2856ee1d0204f99728cd58f0b30a288e12081dc7cb3a8f1

  • SHA512

    e9a897b2157ad8e67e48ffb28faac68e85dbd8307a308eda66b9b0b80d483ec70190895dc25981aa87f7b35160508bd6dcf432c58d26831b8b4993e1d69b1a81

  • SSDEEP

    6291456:j0wIKbeufOczho93esOsFbIqh9dBL8r93/hgWa08ZSphZVzXVMZXGRAJSzhTOpFh:j2KbeoDhxsOfeR8r93HatQ/VLVMZXG27

Score
10/10
meshagenttraffic-vcbackdoordiscoveryexecutionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

traffic-vc

C2

http://162.254.38.170:443/agent.ashx

Attributes
  • mesh_id

    0xFA311D2F83B841F08B8AB48F5D2CE6C29D8454B1E03156158A557D0009BCFD55B4BC47EE76E7098D348EEAB8BF2114FC

  • server_id

    14EDFD5700E9A14A8208348E4EFFE657FCAC524B4D43E6E5C4368E57344CD6EAB8EEE832B1FF53E8D20D44AACFE918CE

  • wss

    wss://162.254.38.170:443/agent.ashx

Targets

    • Target

      VMware-viclient-f0c1e456.exe

    • Size

      352.6MB

    • MD5

      4d038eee3d8223801b558874c2661717

    • SHA1

      ff34e99ce2d3e194e7cdc9e1df437cbba336b36e

    • SHA256

      1e383a0e7990c73ea2856ee1d0204f99728cd58f0b30a288e12081dc7cb3a8f1

    • SHA512

      e9a897b2157ad8e67e48ffb28faac68e85dbd8307a308eda66b9b0b80d483ec70190895dc25981aa87f7b35160508bd6dcf432c58d26831b8b4993e1d69b1a81

    • SSDEEP

      6291456:j0wIKbeufOczho93esOsFbIqh9dBL8r93/hgWa08ZSphZVzXVMZXGRAJSzhTOpFh:j2KbeoDhxsOfeR8r93HatQ/VLVMZXG27

    Score
    10/10
    meshagenttraffic-vcbackdoordiscoveryexecutionpersistenceprivilege_escalationrattrojan

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

      rattrojanbackdoormeshagent

    • Meshagent family

      meshagent

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks