meshagent | 048c1d253ea91dac38e701c6fdcb083a3979681fd01e2b04c2a82fc0c9e4a988 | Triage

Sharing

General

Target

2025-03-07_38700b6ebb30b54827ce7d266dbe5791_ismagent_ryuk_sliver
Size

2.9MB
Sample

250307-ey9ghavky7
MD5

38700b6ebb30b54827ce7d266dbe5791
SHA1

14f3f6d8fab9e6cca292d97b50c0c1738c4105b5
SHA256

048c1d253ea91dac38e701c6fdcb083a3979681fd01e2b04c2a82fc0c9e4a988
SHA512

310d177a3842ef54b1cff6e751d889904d90c3382b43a1f1ef7424cea9dbc5444a653e2c390d297894760503df6d48cc5fcdb0619ced8d7bad71b76ed2a62a22
SSDEEP

49152:xZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3P:el7i86hR+fWMeP43P

Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.evolan.us:443/agent.ashx

Attributes

mesh_id
0x8F4DD982CA0E5619E60FD7174BFC8805724AF24D73BA969AEF628DD1541D7B61D77A44A7FB9C8502A25ED53BECAECA1C
server_id
4416B46D92A24DC210328C5179BFEEBDA756E4B03F67E69DCD1F4922A0090DAD385BBF4396DDA306329BF271DEC448BB
wss
wss://mesh.evolan.us:443/agent.ashx

Targets

- Target
  
  2025-03-07_38700b6ebb30b54827ce7d266dbe5791_ismagent_ryuk_sliver
- Size
  
  2.9MB
- MD5
  
  38700b6ebb30b54827ce7d266dbe5791
- SHA1
  
  14f3f6d8fab9e6cca292d97b50c0c1738c4105b5
- SHA256
  
  048c1d253ea91dac38e701c6fdcb083a3979681fd01e2b04c2a82fc0c9e4a988
- SHA512
  
  310d177a3842ef54b1cff6e751d889904d90c3382b43a1f1ef7424cea9dbc5444a653e2c390d297894760503df6d48cc5fcdb0619ced8d7bad71b76ed2a62a22
- SSDEEP
  
  49152:xZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3P:el7i86hR+fWMeP43P
Score

10^/10

meshagent tacticalrmm backdoor defense_evasion discovery persistence privilege_escalation rat trojan
- Detects MeshAgent payload
- MeshAgent
  MeshAgent is an open source remote access trojan written in C++.
  rat trojan backdoor meshagent
- Meshagent family
  meshagent
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

tacticalrmmmeshagent

behavioral1

meshagenttacticalrmmbackdoordefense_evasiondiscoverypersistenceprivilege_escalationrattrojan

behavioral2

meshagenttacticalrmmbackdoordiscoverypersistencerattrojan