meshagent | d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda.exe
Size

3.7MB
MD5

198f7f57807a2ed03695dfdf7ccfecef
SHA1

3849d4cfaa17bb8f7d382e1b521b05b2509a644b
SHA256

d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda
SHA512

b4518434580502065a838b822f226b01d5b00b773ee7769bc52c11282d71a8d1a1f130aae4dc3b8db50c1bd1ef1f6eedfa60d4f9e6a97e543bc9d4ca09a7a707
SSDEEP

49152:k8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Qm:k8o8VOUs9joRbMc2tSW6m

Score

10^/10

1c meshagent

Malware Config

Extracted

Family

meshagent

Version

Botnet

http://techsupport.myftp.org:443/agent.ashx

Attributes

mesh_id
0xE79DFA6385DB8C0A61E725103709E16E6583682A2969663E5F84D92142BBC08899A1BE33A92CCA67B5E719BA831081ED
server_id
A5D0014DC4EDF37515379D28C8FA94CF07B7E21E122A1EC1CF8EC599571CA6527C3C23F8EDB99AD0C14EBB3BE704B0ED
wss
wss://techsupport.myftp.org:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
sample	family_meshagent

Meshagent family
meshagent

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda.exe

Files

d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda.exe
.exe windows:6 windows x86 arch:x86

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\MeshAgent\MeshAgent\Release\MeshService.pdb

Imports

comctl32

InitCommonControlsEx

crypt32

CryptEncodeObject
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgControl
CertStrToNameW
CertOpenStore
CryptMsgCalculateEncodedLength
CertFindCertificateInStore
CertSetCertificateContextProperty
CertGetCertificateContextProperty
CryptMsgGetParam
CertStrToNameA
CertCloseStore
CryptSignAndEncodeCertificate
PFXExportCertStore

ncrypt

NCryptCreatePersistedKey
BCryptGetProperty
BCryptOpenAlgorithmProvider
NCryptOpenStorageProvider
BCryptCreateHash
NCryptSetProperty
BCryptHashData
NCryptFreeObject
NCryptFinalizeKey
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGenRandom

dbghelp

SymInitialize
SymFromAddr
MiniDumpWriteDump
SymGetModuleBase64
SymGetLineFromAddr64
SymFunctionTableAccess64
StackWalk64

iphlpapi

GetAdaptersAddresses
SendARP
ConvertLengthToIpv4Mask
GetAdaptersInfo

ws2_32

__WSAFDIsSet
htons
htonl
gethostname
ntohs
ntohl
WSAGetLastError
ioctlsocket
recv
send
gethostbyname
getaddrinfo
freeaddrinfo
getnameinfo
WSASetLastError
getsockname
WSASocketW
listen
closesocket
bind
accept
WSACleanup
FreeAddrInfoW
select
WSACloseEvent
WSACreateEvent
WSAStartup
WSAEventSelect
WSAResetEvent
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

gdiplus

GdipCloneImage
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream
GdipGetImageEncoders

kernel32

InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
GetFullPathNameW
GetStdHandle
WriteFile
LoadLibraryExA
GetModuleFileNameW
GetSystemPowerStatus
OpenProcess
MultiByteToWideChar
Sleep
GetLastError
CloseHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
SetEnvironmentVariableA
CreateProcessW
FreeLibrary
WideCharToMultiByte
GetCurrentThreadId
GetModuleHandleA
WaitForSingleObjectEx
CreateThread
QueueUserAPC
OpenThread
ReadFile
LoadLibraryA
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
HeapFree
HeapAlloc
GetProcessHeap
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
LeaveCriticalSection
SystemTimeToTzSpecificLocalTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFinalPathNameByHandleW
GetDriveTypeA
SetFilePointer
FindFirstVolumeA
FindClose
CreateFileW
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateNamedPipeA
DisconnectNamedPipe
CreateFileA
CancelIoEx
LocalFree
ConnectNamedPipe
SetConsoleMode
GetConsoleMode
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
GetThreadId
GetCurrentProcessId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileW
MoveFileW
RtlCaptureContext
SuspendThread
ResumeThread
DuplicateHandle
ExitThread
GetTickCount64
GetCurrentThread
DeleteFileA
GetOverlappedResult
GetThreadContext
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetEndOfFile
DeleteFileW
SetFilePointerEx
SetConsoleCtrlHandler
FreeConsole
LoadLibraryExW
SetLastError
GetFileType
GetModuleHandleW
FormatMessageW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleHandleExW
CreateProcessA
HeapValidate
GetSystemInfo
CreateDirectoryW
GetConsoleCP
MoveFileExW
SetEnvironmentVariableW
SetCurrentDirectoryA
GetCurrentDirectoryA
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
PeekNamedPipe
GetModuleFileNameA
GetCommandLineA
GetCommandLineW
GetACP
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetConsoleOutputCP
IsProcessorFeaturePresent
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
HeapReAlloc
HeapSize
HeapQueryInformation
GetStringTypeW
WriteConsoleW
GetCPInfo
GetFullPathNameA
OutputDebugStringA
OutputDebugStringW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
EncodePointer
QueryPerformanceFrequency
DecodePointer

user32

EndDialog
SetWindowTextW
GetWindowPlacement
ShowWindow
GetDlgCtrlID
SetWindowPlacement
SetWindowTextA
IsDlgButtonChecked
GetDlgItem
CheckDlgButton
DialogBoxParamW
EnableWindow
MessageBeep
ExitWindowsEx
GetUserObjectInformationA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
BlockInput
GetMonitorInfoA
OpenInputDesktop
GetKeyState
GetMessageA
GetWindowRect
SendMessageW
LoadCursorA
DestroyWindow
GetDC
PostMessageA
GetIconInfo
CallNextHookEx
GetCursorInfo
SetWindowsHookExA
MapVirtualKeyA
GetForegroundWindow
UnhookWindowsHookEx
DefWindowProcA
CreateWindowExA
TranslateMessage
UnregisterClassA
DrawIconEx
SetWinEventHook
RegisterClassExA
UnhookWinEvent
SetForegroundWindow
ReleaseDC
SendInput
SetProcessDPIAware
GetProcessWindowStation
GetUserObjectInformationW
DispatchMessageA
CreateWindowExW
MessageBoxW
GetMessageExtraInfo

gdi32

DeleteObject
GetDIBits
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
SetStretchBltMode
DeleteDC
StretchBlt
BitBlt
GetObjectA
CreateSolidBrush
SetBkColor
SetBkMode
SetTextColor
GetStockObject

advapi32

RegOpenKeyExA
RegCloseKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
FreeSid
CheckTokenMembership
OpenServiceA
SetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
SetSecurityDescriptorDacl
SetEntriesInAclA
InitializeSecurityDescriptor
CryptDestroyKey
RegQueryValueExA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegCreateKeyW
RegSetValueExA
RegDeleteKeyA
OpenProcessToken

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
SysStringLen

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 502KB - Virtual size: 502KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 579KB - Virtual size: 742KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

crypt32

ncrypt

dbghelp

iphlpapi

ws2_32

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 502KB - Virtual size: 502KB

.data Size: 579KB - Virtual size: 742KB

.gfids Size: 512B - Virtual size: 372B

.rsrc Size: 136KB - Virtual size: 135KB

.reloc Size: 95KB - Virtual size: 94KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 502KB - Virtual size: 502KB

.data
Size: 579KB - Virtual size: 742KB

.gfids
Size: 512B - Virtual size: 372B

.rsrc
Size: 136KB - Virtual size: 135KB

.reloc
Size: 95KB - Virtual size: 94KB