meshagent | 56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d | Triage

Sharing

General

Target

2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver
Size

2.9MB
Sample

250301-l7ertaxze1
MD5

f9ffbad54a868dec678f79cc583c5f95
SHA1

a5c892b1ca7feb7d82c44394dda1eac306e6f674
SHA256

56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d
SHA512

e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8
SSDEEP

49152:1yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPi:1nj36pUk0TkfYiQ/i

Score

10^/10

meshagent toruń_biuro backdoor defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TORUŃ_BIURO

C2

http://telbmc3t.telbridge:443/agent.ashx

Attributes

mesh_id
0x445D64B5A8329B892A143B2D5EE04236CA4980B72D4D55FA00EB4AB75F6A1DDA62A118FCA7866B8ABBEFF5BB5C7571B1
server_id
9B5005CC4067F497A7E7934F8BB2EB09848772D6E44A4FE31B5F153284A8E7DF73F7037E7326F7DF36B9841E820BFE4F
wss
wss://telbmc3t.telbridge:443/agent.ashx

Targets

- Target
  
  2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver
- Size
  
  2.9MB
- MD5
  
  f9ffbad54a868dec678f79cc583c5f95
- SHA1
  
  a5c892b1ca7feb7d82c44394dda1eac306e6f674
- SHA256
  
  56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d
- SHA512
  
  e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8
- SSDEEP
  
  49152:1yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPi:1nj36pUk0TkfYiQ/i
Score

10^/10

meshagent toruń_biuro backdoor defense_evasion discovery persistence privilege_escalation rat trojan
- Detects MeshAgent payload
- MeshAgent
  MeshAgent is an open source remote access trojan written in C++.
  rat trojan backdoor meshagent
- Meshagent family
  meshagent
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

toruń_biuromeshagent

behavioral1

meshagenttoruń_biurobackdoordefense_evasiondiscoverypersistenceprivilege_escalationrattrojan

behavioral2

meshagenttoruń_biurobackdoordiscoverypersistencerattrojan