General

  • Target

    2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver

  • Size

    2.9MB

  • Sample

    250313-ct89ts1xbx

  • MD5

    11289ca0777a07eea4318195692ac62b

  • SHA1

    280261c7a1ffeb90a7a2cc2a7aa2167b276244fa

  • SHA256

    d1ed04c7f0f29fcc50698ccf0d193a2a56d51bc9506c49b0e489e742fb97ae67

  • SHA512

    92d40b8bc9385ff971f6055285ac3dc4d4ca69c26b2ae26a8f2abfbf542b3a00ca8f2894423ca481265ada7a08512da50bbe65e131c9c85cf76d507ea91a9b6a

  • SSDEEP

    49152:kZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3I:jl7i86hR+fWMeP43I

Malware Config

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    CS Support

  • C2

    http://mc.roxum.com:443/agent.ashx

Attributes

  • mesh_id

    0x471029FF4162C1F6F5828C84121E52E92A3F92F52CE6BDEBFD1A9ABCF2A9BBE0EDB32DAF22C344886A3D24BAB542F2DD

  • server_id

    E320066240433B1B2A60F1886AE8554CEC7DC8FD708731245DA3D324F0722A1BC4794DC1E7883A2AFB0D3C9794067B09

  • wss

    wss://mc.roxum.com:443/agent.ashx

Targets

    • Target

      2025-03-13_11289ca0777a07eea4318195692ac62b_coinminer_ismagent_ryuk_sliver

    • Size

      2.9MB

    • MD5

      11289ca0777a07eea4318195692ac62b

    • SHA1

      280261c7a1ffeb90a7a2cc2a7aa2167b276244fa

    • SHA256

      d1ed04c7f0f29fcc50698ccf0d193a2a56d51bc9506c49b0e489e742fb97ae67

    • SHA512

      92d40b8bc9385ff971f6055285ac3dc4d4ca69c26b2ae26a8f2abfbf542b3a00ca8f2894423ca481265ada7a08512da50bbe65e131c9c85cf76d507ea91a9b6a

    • SSDEEP

      49152:kZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn3I:jl7i86hR+fWMeP43I

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks