meshagent | 6a313284fe5ee24afd20fdca09dc1cba93cb4277ee20b331a96162302409f369

Analysis

max time kernel
121s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-02-2025 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

0ba08e83f23bdf195ecb6e0d681715db
SHA1

4ffa63849860be780e8b36cb9d02cee5e180b910
SHA256

6a313284fe5ee24afd20fdca09dc1cba93cb4277ee20b331a96162302409f369
SHA512

2e305fc2284bcbde1cd07605f7355091fe2b9869fd33bf00963ae45db055049474bd8fb2f72c27ba58acd459cfe7bbc904a48ad2bd0d2e2992f50dd3e073c4b0
SSDEEP

49152:hyEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPN:hnj36pUk0TkfYiQ/N

Score

10^/10

meshagent sports & imports backdoor defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

Sports & Imports

http://98.187.161.247:443/agent.ashx

Attributes

mesh_id
0x5982E46AAA9F472859A5D4B8797C454B63141A8A669BF3C8A5BF92591AAAB614D4942ABE505C5CB9CCA851A5C024E8F6
server_id
9FCE958DB8A0A03D0881F53B35F97C67DA857CA4B2CD1231F92046A2A9727EB27BE1F081E4C9B7AA8AB4D4E455DCC97D
wss
wss://98.187.161.247:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000173fb-25.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2152	netsh.exe
2804	netsh.exe
1872	netsh.exe
1812	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-3290804112-2823094203-3137964600-1000\""	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe

Executes dropped EXE 2 IoCs

pid	Process
472	Process not Found
1948	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2420	wmic.exe
Token: SeSecurityPrivilege	2420	wmic.exe
Token: SeTakeOwnershipPrivilege	2420	wmic.exe
Token: SeLoadDriverPrivilege	2420	wmic.exe
Token: SeSystemProfilePrivilege	2420	wmic.exe
Token: SeSystemtimePrivilege	2420	wmic.exe
Token: SeProfSingleProcessPrivilege	2420	wmic.exe
Token: SeIncBasePriorityPrivilege	2420	wmic.exe
Token: SeCreatePagefilePrivilege	2420	wmic.exe
Token: SeBackupPrivilege	2420	wmic.exe
Token: SeRestorePrivilege	2420	wmic.exe
Token: SeShutdownPrivilege	2420	wmic.exe
Token: SeDebugPrivilege	2420	wmic.exe
Token: SeSystemEnvironmentPrivilege	2420	wmic.exe
Token: SeRemoteShutdownPrivilege	2420	wmic.exe
Token: SeUndockPrivilege	2420	wmic.exe
Token: SeManageVolumePrivilege	2420	wmic.exe
Token: 33	2420	wmic.exe
Token: 34	2420	wmic.exe
Token: 35	2420	wmic.exe
Token: SeIncreaseQuotaPrivilege	2420	wmic.exe
Token: SeSecurityPrivilege	2420	wmic.exe
Token: SeTakeOwnershipPrivilege	2420	wmic.exe
Token: SeLoadDriverPrivilege	2420	wmic.exe
Token: SeSystemProfilePrivilege	2420	wmic.exe
Token: SeSystemtimePrivilege	2420	wmic.exe
Token: SeProfSingleProcessPrivilege	2420	wmic.exe
Token: SeIncBasePriorityPrivilege	2420	wmic.exe
Token: SeCreatePagefilePrivilege	2420	wmic.exe
Token: SeBackupPrivilege	2420	wmic.exe
Token: SeRestorePrivilege	2420	wmic.exe
Token: SeShutdownPrivilege	2420	wmic.exe
Token: SeDebugPrivilege	2420	wmic.exe
Token: SeSystemEnvironmentPrivilege	2420	wmic.exe
Token: SeRemoteShutdownPrivilege	2420	wmic.exe
Token: SeUndockPrivilege	2420	wmic.exe
Token: SeManageVolumePrivilege	2420	wmic.exe
Token: 33	2420	wmic.exe
Token: 34	2420	wmic.exe
Token: 35	2420	wmic.exe
Token: SeDebugPrivilege	2880	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2420	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	31
PID 3012 wrote to memory of 2420	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	31
PID 3012 wrote to memory of 2420	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	31
PID 3012 wrote to memory of 2724	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	34
PID 3012 wrote to memory of 2724	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	34
PID 3012 wrote to memory of 2724	3012	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	34
PID 2724 wrote to memory of 2880	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	36
PID 2724 wrote to memory of 2880	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	36
PID 2724 wrote to memory of 2880	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	36
PID 2724 wrote to memory of 2828	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	38
PID 2724 wrote to memory of 2828	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	38
PID 2724 wrote to memory of 2828	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	38
PID 2828 wrote to memory of 2152	2828	cmd.exe	40
PID 2828 wrote to memory of 2152	2828	cmd.exe	40
PID 2828 wrote to memory of 2152	2828	cmd.exe	40
PID 2724 wrote to memory of 2680	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	41
PID 2724 wrote to memory of 2680	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	41
PID 2724 wrote to memory of 2680	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	41
PID 2680 wrote to memory of 2804	2680	cmd.exe	43
PID 2680 wrote to memory of 2804	2680	cmd.exe	43
PID 2680 wrote to memory of 2804	2680	cmd.exe	43
PID 2724 wrote to memory of 2708	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	44
PID 2724 wrote to memory of 2708	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	44
PID 2724 wrote to memory of 2708	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	44
PID 2708 wrote to memory of 1872	2708	cmd.exe	46
PID 2708 wrote to memory of 1872	2708	cmd.exe	46
PID 2708 wrote to memory of 1872	2708	cmd.exe	46
PID 2724 wrote to memory of 2852	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	47
PID 2724 wrote to memory of 2852	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	47
PID 2724 wrote to memory of 2852	2724	2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe	47
PID 2852 wrote to memory of 1812	2852	cmd.exe	49
PID 2852 wrote to memory of 1812	2852	cmd.exe	49
PID 2852 wrote to memory of 1812	2852	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-14_0ba08e83f23bdf195ecb6e0d681715db_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {61135c2a-2f69-4c98-df7c-a7b74d7d8b35}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {61135c2a-2f69-4c98-df7c-a7b74d7d8b35}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2152
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {7535f1d0-8f8e-4586-1f9e-bb45a0f54744}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {7535f1d0-8f8e-4586-1f9e-bb45a0f54744}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2804
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {d2048db7-448e-4b91-d042-1dad7624ee01}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {d2048db7-448e-4b91-d042-1dad7624ee01}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1872
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {aeec8e0b-32e8-4887-2b69-63e928630ec3}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {aeec8e0b-32e8-4887-2b69-63e928630ec3}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1812

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-3290804112-2823094203-3137964600-1000"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
0ba08e83f23bdf195ecb6e0d681715db

SHA1
4ffa63849860be780e8b36cb9d02cee5e180b910

SHA256
6a313284fe5ee24afd20fdca09dc1cba93cb4277ee20b331a96162302409f369

SHA512
2e305fc2284bcbde1cd07605f7355091fe2b9869fd33bf00963ae45db055049474bd8fb2f72c27ba58acd459cfe7bbc904a48ad2bd0d2e2992f50dd3e073c4b0

Download Submit
memory/2880-6-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/2880-7-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download