Overview

overview

10

Static

static

10

meshagent6...AL.exe

windows7-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    meshagent64-UNIDADDEARCHIVOGENERAL.exe

  • Size

    2.9MB

  • Sample

    250114-zxjvnszmdx

  • MD5

    96e9516b53a7bb176775fd12b024ab07

  • SHA1

    e648531fa9f7bf84a86dd89a05588da445605d4f

  • SHA256

    3c355223bc62ba981bfd89c0cea83bf97c3922724082cdb1968611e22b032eca

  • SHA512

    c3e33fa7a963ff73db0c7f2126ad05f2d217710c98d4a2a00505087cfa3808ea3277211dffdda29bc6209b48b28d340ce2db663102de7d218472c1487692a314

  • SSDEEP

    49152:9yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPn:9nj36pUk0TkfYiQ/n

Score
10/10
meshagentunidad de archivo generalbackdoordiscoveryevasionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

UNIDAD DE ARCHIVO GENERAL

C2

http://colibri.chuquisaca.gob.bo:443/agent.ashx

Attributes
  • mesh_id

    0x1D449E06756DEB696DFE114FE83E6D57CF893ECCCCA739CFCC58CD393236EAA06590BC34D172CD4BD10FD29D625447B2

  • server_id

    77F03DBA4A0D9B475F79044A818A18B276F59E471227825488B87E9061C6EA43888A93BB01AA5EB6E01E388DD64E83CA

  • wss

    wss://colibri.chuquisaca.gob.bo:443/agent.ashx

Targets

    • Target

      meshagent64-UNIDADDEARCHIVOGENERAL.exe

    • Size

      2.9MB

    • MD5

      96e9516b53a7bb176775fd12b024ab07

    • SHA1

      e648531fa9f7bf84a86dd89a05588da445605d4f

    • SHA256

      3c355223bc62ba981bfd89c0cea83bf97c3922724082cdb1968611e22b032eca

    • SHA512

      c3e33fa7a963ff73db0c7f2126ad05f2d217710c98d4a2a00505087cfa3808ea3277211dffdda29bc6209b48b28d340ce2db663102de7d218472c1487692a314

    • SSDEEP

      49152:9yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPn:9nj36pUk0TkfYiQ/n

    Score
    10/10
    meshagentunidad de archivo generalbackdoordiscoveryevasionpersistenceprivilege_escalationrattrojan

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

      rattrojanbackdoormeshagent

    • Meshagent family

      meshagent

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks