meshagent | 56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

f9ffbad54a868dec678f79cc583c5f95
SHA1

a5c892b1ca7feb7d82c44394dda1eac306e6f674
SHA256

56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d
SHA512

e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8
SSDEEP

49152:1yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPi:1nj36pUk0TkfYiQ/i

Score

10^/10

meshagent toruń_biuro backdoor defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TORUŃ_BIURO

http://telbmc3t.telbridge:443/agent.ashx

Attributes

mesh_id
0x445D64B5A8329B892A143B2D5EE04236CA4980B72D4D55FA00EB4AB75F6A1DDA62A118FCA7866B8ABBEFF5BB5C7571B1
server_id
9B5005CC4067F497A7E7934F8BB2EB09848772D6E44A4FE31B5F153284A8E7DF73F7037E7326F7DF36B9841E820BFE4F
wss
wss://telbmc3t.telbridge:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0016000000018657-25.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1260	netsh.exe
2720	netsh.exe
2612	netsh.exe
2512	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-312935884-697965778-3955649944-1000\""	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
1736	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	264	wmic.exe
Token: SeSecurityPrivilege	264	wmic.exe
Token: SeTakeOwnershipPrivilege	264	wmic.exe
Token: SeLoadDriverPrivilege	264	wmic.exe
Token: SeSystemProfilePrivilege	264	wmic.exe
Token: SeSystemtimePrivilege	264	wmic.exe
Token: SeProfSingleProcessPrivilege	264	wmic.exe
Token: SeIncBasePriorityPrivilege	264	wmic.exe
Token: SeCreatePagefilePrivilege	264	wmic.exe
Token: SeBackupPrivilege	264	wmic.exe
Token: SeRestorePrivilege	264	wmic.exe
Token: SeShutdownPrivilege	264	wmic.exe
Token: SeDebugPrivilege	264	wmic.exe
Token: SeSystemEnvironmentPrivilege	264	wmic.exe
Token: SeRemoteShutdownPrivilege	264	wmic.exe
Token: SeUndockPrivilege	264	wmic.exe
Token: SeManageVolumePrivilege	264	wmic.exe
Token: 33	264	wmic.exe
Token: 34	264	wmic.exe
Token: 35	264	wmic.exe
Token: SeIncreaseQuotaPrivilege	264	wmic.exe
Token: SeSecurityPrivilege	264	wmic.exe
Token: SeTakeOwnershipPrivilege	264	wmic.exe
Token: SeLoadDriverPrivilege	264	wmic.exe
Token: SeSystemProfilePrivilege	264	wmic.exe
Token: SeSystemtimePrivilege	264	wmic.exe
Token: SeProfSingleProcessPrivilege	264	wmic.exe
Token: SeIncBasePriorityPrivilege	264	wmic.exe
Token: SeCreatePagefilePrivilege	264	wmic.exe
Token: SeBackupPrivilege	264	wmic.exe
Token: SeRestorePrivilege	264	wmic.exe
Token: SeShutdownPrivilege	264	wmic.exe
Token: SeDebugPrivilege	264	wmic.exe
Token: SeSystemEnvironmentPrivilege	264	wmic.exe
Token: SeRemoteShutdownPrivilege	264	wmic.exe
Token: SeUndockPrivilege	264	wmic.exe
Token: SeManageVolumePrivilege	264	wmic.exe
Token: 33	264	wmic.exe
Token: 34	264	wmic.exe
Token: 35	264	wmic.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 264	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	31
PID 2120 wrote to memory of 264	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	31
PID 2120 wrote to memory of 264	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	31
PID 2120 wrote to memory of 2728	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	35
PID 2120 wrote to memory of 2728	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	35
PID 2120 wrote to memory of 2728	2120	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	35
PID 2728 wrote to memory of 2888	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	37
PID 2728 wrote to memory of 2888	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	37
PID 2728 wrote to memory of 2888	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	37
PID 2728 wrote to memory of 2808	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	39
PID 2728 wrote to memory of 2808	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	39
PID 2728 wrote to memory of 2808	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	39
PID 2808 wrote to memory of 2720	2808	cmd.exe	41
PID 2808 wrote to memory of 2720	2808	cmd.exe	41
PID 2808 wrote to memory of 2720	2808	cmd.exe	41
PID 2728 wrote to memory of 2664	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	42
PID 2728 wrote to memory of 2664	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	42
PID 2728 wrote to memory of 2664	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	42
PID 2664 wrote to memory of 2612	2664	cmd.exe	44
PID 2664 wrote to memory of 2612	2664	cmd.exe	44
PID 2664 wrote to memory of 2612	2664	cmd.exe	44
PID 2728 wrote to memory of 2300	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	45
PID 2728 wrote to memory of 2300	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	45
PID 2728 wrote to memory of 2300	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	45
PID 2300 wrote to memory of 2512	2300	cmd.exe	47
PID 2300 wrote to memory of 2512	2300	cmd.exe	47
PID 2300 wrote to memory of 2512	2300	cmd.exe	47
PID 2728 wrote to memory of 1856	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	48
PID 2728 wrote to memory of 1856	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	48
PID 2728 wrote to memory of 1856	2728	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	48
PID 1856 wrote to memory of 1260	1856	cmd.exe	50
PID 1856 wrote to memory of 1260	1856	cmd.exe	50
PID 1856 wrote to memory of 1260	1856	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {34ab46cd-12b0-4395-76ef-438ea13c5832}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-1) {34ab46cd-12b0-4395-76ef-438ea13c5832}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2720
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {2118b078-9bc4-4b80-f52b-23f662cef29c}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Management Traffic (TCP-2) {2118b078-9bc4-4b80-f52b-23f662cef29c}" action=allow description="Mesh Central Agent Management Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=TCP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2612
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {dc4b7489-e789-4691-ca6d-50b4313013d9}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-1) {dc4b7489-e789-4691-ca6d-50b4313013d9}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16990
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2512
- - C:\Windows\System32\cmd.exe
    /C "netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {cf54fbc1-8201-4d8c-d269-f77452414cf8}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="Mesh Agent Peer-to-Peer Traffic (UDP-2) {cf54fbc1-8201-4d8c-d269-f77452414cf8}" action=allow description="Mesh Central Agent Peer-to-Peer Traffic" dir=in program="C:\Program Files\Mesh Agent\MeshAgent.exe" protocol=UDP profile="public,private,domain" interfacetype=any edge=yes localport=16991
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1260

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-312935884-697965778-3955649944-1000"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
f9ffbad54a868dec678f79cc583c5f95

SHA1
a5c892b1ca7feb7d82c44394dda1eac306e6f674

SHA256
56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d

SHA512
e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8

Download Submit
memory/2888-6-0x000000001B830000-0x000000001BB12000-memory.dmp

Filesize
2.9MB

Download
memory/2888-7-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download