meshagent | 8c050551019cbd3388affebbc0cd9c69ab565ca4c88d4388185e7baff2c6f3e4 | Triage

Submit
Reports

Overview

overview

Static

static

2025-02-17...er.exe

windows7-x64

1

2025-02-17...er.exe

windows10-2004-x64

8

Sharing

General

Target

2025-02-17_ef0e6cca86d589f1f58eebeec2389dc7_ismagent_ryuk_sliver
Size

3.3MB
Sample

250217-njh6fazks8
MD5

ef0e6cca86d589f1f58eebeec2389dc7
SHA1

6794f4d169f9ffed8e5f0e516e4f4bd046314e8e
SHA256

8c050551019cbd3388affebbc0cd9c69ab565ca4c88d4388185e7baff2c6f3e4
SHA512

46388a50b93ada414884eefb437bc7ab2f771afd3d91c73c3a683962a5b89aa722bf6456422bbea1cb5426572299b2039583751b4430abf2e9ed0752ff14bfd1
SSDEEP

49152:FX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qt:FlRsZ47/QXoHUOfAoj1x6t

Score

10^/10

meshagent home adware discovery persistence privilege_escalation stealer

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

2025-02-17_ef0e6cca86d589f1f58eebeec2389dc7_ismagent_ryuk_sliver.exe

Resource

win7-20241010-en

windows7-x64

2 signatures

150 seconds

Behavioral task

behavioral2

Sample

2025-02-17_ef0e6cca86d589f1f58eebeec2389dc7_ismagent_ryuk_sliver.exe

Resource

win10v2004-20250207-en

adware discovery persistence privilege_escalation stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

HOME

C2

http://itdobro.ru:443/agent.ashx

Attributes

mesh_id
0x0B45FC580E0DF57C7B6F01B5A7D0F6ADF80265C93CA213C57F625CD28D30AE9F09978EAF4FB573A6BA56E34356188719
server_id
790FFF105FCF9D4DA0A56EA117C7C6BF3DF2FCF0E0FA67C7B77C741E21538E85E6B431F13C8E9C558C855A607F929FBA
wss
wss://itdobro.ru:443/agent.ashx

Targets

- Target
  
  2025-02-17_ef0e6cca86d589f1f58eebeec2389dc7_ismagent_ryuk_sliver
- Size
  
  3.3MB
- MD5
  
  ef0e6cca86d589f1f58eebeec2389dc7
- SHA1
  
  6794f4d169f9ffed8e5f0e516e4f4bd046314e8e
- SHA256
  
  8c050551019cbd3388affebbc0cd9c69ab565ca4c88d4388185e7baff2c6f3e4
- SHA512
  
  46388a50b93ada414884eefb437bc7ab2f771afd3d91c73c3a683962a5b89aa722bf6456422bbea1cb5426572299b2039583751b4430abf2e9ed0752ff14bfd1
- SSDEEP
  
  49152:FX3YnLOQYsZfQ74C6SkgSbXP31+frjUYuHi7nT8poTMFvfuJ1kZ7NrjHQe85Qt:FlRsZ47/QXoHUOfAoj1x6t
Score

8^/10

adware discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Browser Extensions

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

adwarediscoverypersistenceprivilege_escalationstealer

© 2018-2025

Terms | Privacy