General
Target: 2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver
Size: 2.9MB
Sample: 250313-ct89ts1xbx
MD5: 11289ca0777a07eea4318195692ac62b
SHA1: 280261c7a1ffeb90a7a2cc2a7aa2167b276244fa
SHA256: d1ed04c7f0f29fcc50698ccf0d193a2a56d51bc9506c49b0e489e742fb97ae67
SHA512: 92d40b8bc9385ff971f6055285ac3dc4d4ca69c26b2ae26a8f2abfbf542b3a00ca8f2894423ca481265ada7a08512da50bbe65e131c9c85cf76d507ea91a9b6a
SSDEEP: 49152:kZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3I:jl7i86hR+fWMeP43I
Behavioral task: behavioral1
Sample: 2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: 2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver.exe
Resource: win10v2004-20250217-en
Malware Config
Extracted: meshagent
2
CS Support
http://mc.roxum.com:443/agent.ashx
mesh_id: 0x471029FF4162C1F6F5828C84121E52E92A3F92F52CE6BDEBFD1A9ABCF2A9BBE0EDB32DAF22C344886A3D24BAB542F2DD
server_id: E320066240433B1B2A60F1886AE8554CEC7DC8FD708731245DA3D324F0722A1BC4794DC1E7883A2AFB0D3C9794067B09
wss: wss://mc.roxum.com:443/agent.ashx
Targets
Target: 2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver
Size: 2.9MB
MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values listed under General above
Signatures
- Detects MeshAgent payload
- Meshagent family
- Modifies Windows Firewall
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)