meshagent | c[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

c.exe
Size

3.7MB
MD5

34bacef5e0b44c55a9b293d0cc67220b
SHA1

c898260acb34f3dd2e7212109282154e15776091
SHA256

915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962
SHA512

61a60ab79a50dd7b13ba5c8ca6886fb8501e5ca1de3185d8ccf33e95da3c5422a741c093edf722d5d9d5ac67094313c454182e158203f3a0df68325381b62fea
SSDEEP

49152:F8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Qo:F8o8VOUs9joRbMc2tSW6o

Score

10^/10

china-work meshagent

Malware Config

Extracted

Family

meshagent

Version

Botnet

China-work

http://al3b.duckdns.org:443/agent.ashx

Attributes

mesh_id
0xAFF136F060360F28769D7B7498B6137CD4DEC82BEBABA4F01BA003C8AF4327C230B79ECCDEEBADF978820C981A5FB410
server_id
15AC5E4AEE801455641A960026D6C5E6B5C9E400BE3783B5AF0693C185066487AE520043247FB4EE420B2A74648A3BCA
wss
wss://al3b.duckdns.org:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
sample	family_meshagent

Meshagent family
meshagent

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c.exe

Files

c.exe
.exe windows:6 windows x86 arch:x86

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\MeshAgent\MeshAgent\Release\MeshService.pdb

Imports

comctl32

InitCommonControlsEx

crypt32

CryptEncodeObject
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgControl
CertStrToNameW
CertOpenStore
CryptMsgCalculateEncodedLength
CertFindCertificateInStore
CertSetCertificateContextProperty
CertGetCertificateContextProperty
CryptMsgGetParam
CertStrToNameA
CertCloseStore
CryptSignAndEncodeCertificate
PFXExportCertStore

ncrypt

NCryptCreatePersistedKey
BCryptGetProperty
BCryptOpenAlgorithmProvider
NCryptOpenStorageProvider
BCryptCreateHash
NCryptSetProperty
BCryptHashData
NCryptFreeObject
NCryptFinalizeKey
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGenRandom

dbghelp

SymInitialize
SymFromAddr
MiniDumpWriteDump
SymGetModuleBase64
SymGetLineFromAddr64
SymFunctionTableAccess64
StackWalk64

iphlpapi

GetAdaptersAddresses
SendARP
ConvertLengthToIpv4Mask
GetAdaptersInfo

ws2_32

__WSAFDIsSet
htons
htonl
gethostname
ntohs
ntohl
WSAGetLastError
ioctlsocket
recv
send
gethostbyname
getaddrinfo
freeaddrinfo
getnameinfo
WSASetLastError
getsockname
WSASocketW
listen
closesocket
bind
accept
WSACleanup
FreeAddrInfoW
select
WSACloseEvent
WSACreateEvent
WSAStartup
WSAEventSelect
WSAResetEvent
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

gdiplus

GdipCloneImage
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream
GdipGetImageEncoders

kernel32

InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
GetFullPathNameW
GetStdHandle
WriteFile
LoadLibraryExA
GetModuleFileNameW
GetSystemPowerStatus
OpenProcess
MultiByteToWideChar
Sleep
GetLastError
CloseHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
SetEnvironmentVariableA
CreateProcessW
FreeLibrary
WideCharToMultiByte
GetCurrentThreadId
GetModuleHandleA
WaitForSingleObjectEx
CreateThread
QueueUserAPC
OpenThread
ReadFile
LoadLibraryA
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
HeapFree
HeapAlloc
GetProcessHeap
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
LeaveCriticalSection
SystemTimeToTzSpecificLocalTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFinalPathNameByHandleW
GetDriveTypeA
SetFilePointer
FindFirstVolumeA
FindClose
CreateFileW
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateNamedPipeA
DisconnectNamedPipe
CreateFileA
CancelIoEx
LocalFree
ConnectNamedPipe
SetConsoleMode
GetConsoleMode
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
GetThreadId
GetCurrentProcessId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileW
MoveFileW
RtlCaptureContext
SuspendThread
ResumeThread
DuplicateHandle
ExitThread
GetTickCount64
GetCurrentThread
DeleteFileA
GetOverlappedResult
GetThreadContext
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetEndOfFile
DeleteFileW
SetFilePointerEx
SetConsoleCtrlHandler
FreeConsole
LoadLibraryExW
SetLastError
GetFileType
GetModuleHandleW
FormatMessageW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleHandleExW
CreateProcessA
HeapValidate
GetSystemInfo
CreateDirectoryW
GetConsoleCP
MoveFileExW
SetEnvironmentVariableW
SetCurrentDirectoryA
GetCurrentDirectoryA
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
PeekNamedPipe
GetModuleFileNameA
GetCommandLineA
GetCommandLineW
GetACP
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetConsoleOutputCP
IsProcessorFeaturePresent
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
HeapReAlloc
HeapSize
HeapQueryInformation
GetStringTypeW
WriteConsoleW
GetCPInfo
GetFullPathNameA
OutputDebugStringA
OutputDebugStringW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
EncodePointer
QueryPerformanceFrequency
DecodePointer

user32

EndDialog
SetWindowTextW
GetWindowPlacement
ShowWindow
GetDlgCtrlID
SetWindowPlacement
SetWindowTextA
IsDlgButtonChecked
GetDlgItem
CheckDlgButton
DialogBoxParamW
EnableWindow
MessageBeep
ExitWindowsEx
GetUserObjectInformationA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
BlockInput
GetMonitorInfoA
OpenInputDesktop
GetKeyState
GetMessageA
GetWindowRect
SendMessageW
LoadCursorA
DestroyWindow
GetDC
PostMessageA
GetIconInfo
CallNextHookEx
GetCursorInfo
SetWindowsHookExA
MapVirtualKeyA
GetForegroundWindow
UnhookWindowsHookEx
DefWindowProcA
CreateWindowExA
TranslateMessage
UnregisterClassA
DrawIconEx
SetWinEventHook
RegisterClassExA
UnhookWinEvent
SetForegroundWindow
ReleaseDC
SendInput
SetProcessDPIAware
GetProcessWindowStation
GetUserObjectInformationW
DispatchMessageA
CreateWindowExW
MessageBoxW
GetMessageExtraInfo

gdi32

DeleteObject
GetDIBits
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
SetStretchBltMode
DeleteDC
StretchBlt
BitBlt
GetObjectA
CreateSolidBrush
SetBkColor
SetBkMode
SetTextColor
GetStockObject

advapi32

RegOpenKeyExA
RegCloseKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
FreeSid
CheckTokenMembership
OpenServiceA
SetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
SetSecurityDescriptorDacl
SetEntriesInAclA
InitializeSecurityDescriptor
CryptDestroyKey
RegQueryValueExA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegCreateKeyW
RegSetValueExA
RegDeleteKeyA
OpenProcessToken

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
SysStringLen

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 502KB - Virtual size: 502KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 579KB - Virtual size: 742KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

crypt32

ncrypt

dbghelp

iphlpapi

ws2_32

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 502KB - Virtual size: 502KB

.data Size: 579KB - Virtual size: 742KB

.gfids Size: 512B - Virtual size: 372B

.rsrc Size: 136KB - Virtual size: 135KB

.reloc Size: 95KB - Virtual size: 94KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 502KB - Virtual size: 502KB

.data
Size: 579KB - Virtual size: 742KB

.gfids
Size: 512B - Virtual size: 372B

.rsrc
Size: 136KB - Virtual size: 135KB

.reloc
Size: 95KB - Virtual size: 94KB