General

  • Target

    2025-01-28_8cd4a310e3c4f2ce52250eca4f2c630f_ismagent_ryuk_sliver

  • Size

    2.9MB

  • Sample

    250128-rv7vqavkam

  • MD5

    8cd4a310e3c4f2ce52250eca4f2c630f

  • SHA1

    2af4e53f40b5b28613d35c82b9768bc78d2fad56

  • SHA256

    aa89ac89659bffee9a9e8125f67df0c41ded196e282bcd9aa40bb703637a2527

  • SHA512

    3dcae80f39b429085d4b44aad6b3108e665a6d25e74694ef6730d171866abff60c55e7b4cb31f9520f8d825b041ddc7648aeac2977027bf4d4eb482567ef10d8

  • SSDEEP

    49152:kZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3l:jl7i86hR+fWMeP43l

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

050 Lisboa - Zonesoft

C2

http://fs1.suporte.com.pt:8943/agent.ashx

Attributes

  • mesh_id

    0x313CE7C3BD97BA4DE25768478CFB01C142A538B329BAAB8F6B3AB4F4FFEEC83BF0EBE45A831A8A61950A237224143E83

  • server_id

    0481CF775C2137A6BF13FF516D4E688220F467FB031867C5FBA7771274EA8996A04DF952EDD29FAA3F8190D6B3985533

  • wss

    wss://fs1.suporte.com.pt:8943/agent.ashx

Targets

    • Target

      2025-01-28_8cd4a310e3c4f2ce52250eca4f2c630f_ismagent_ryuk_sliver

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

    • Meshagent family

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory
