meshagent | d3cd75e8fe17280f8813f00c2e18e4999787e2c6ccf43e20a450d018999e8f0b[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

d3cd75e8fe17280f8813f00c2e18e4999787e2c6ccf43e20a450d018999e8f0b.exe
Size

3.7MB
MD5

ab7f39826e8fa9efd5e429bf45df882e
SHA1

6df2fdf734a59b35326a2e882e1e8f25a4fd499b
SHA256

d3cd75e8fe17280f8813f00c2e18e4999787e2c6ccf43e20a450d018999e8f0b
SHA512

9280bf61d38808f322dd33e58c19b7a6d13d569d16e47289ad193a31f0609fbb1946acf6ad127502f938357af1e597c9c7b328531c2fa446466e15f2e373b6e2
SSDEEP

49152:l8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5QR:l8o8VOUs9joRbMc2tSW6R

Score

10^/10

new connections meshagent

Malware Config

Extracted

Family

meshagent

Version

Botnet

New Connections

http://manage.clientdesk.help:443/agent.ashx

Attributes

mesh_id
0x0F91CC5981A9BC9502B9FA550F16A64F6C15510D08D851AB9EEB2F733095BC1B43BC9B4CFDF0DB7DAF321BCCADE081B1
server_id
ABC4BD96D548708CD5C2CC82CC0015B75413E36B395BC41D9B732EBF80E01A5EBB1EC45D3834796F9B1B93CE12C5F8CB
wss
wss://manage.clientdesk.help:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
sample	family_meshagent

Meshagent family
meshagent

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
d3cd75e8fe17280f8813f00c2e18e4999787e2c6ccf43e20a450d018999e8f0b.exe

Files

d3cd75e8fe17280f8813f00c2e18e4999787e2c6ccf43e20a450d018999e8f0b.exe
.exe windows:6 windows x86 arch:x86

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\MeshAgent\MeshAgent\Release\MeshService.pdb

Imports

comctl32

InitCommonControlsEx

crypt32

CryptEncodeObject
CertDuplicateCertificateContext
CertEnumCertificatesInStore
CertDeleteCertificateFromStore
CryptAcquireCertificatePrivateKey
CertAddEncodedCertificateToStore
CryptMsgClose
CryptMsgUpdate
CryptExportPublicKeyInfo
CertCreateSelfSignCertificate
CertFreeCertificateContext
CryptMsgOpenToEncode
CertAddCertificateContextToStore
CryptMsgOpenToDecode
CryptMsgControl
CertStrToNameW
CertOpenStore
CryptMsgCalculateEncodedLength
CertFindCertificateInStore
CertSetCertificateContextProperty
CertGetCertificateContextProperty
CryptMsgGetParam
CertStrToNameA
CertCloseStore
CryptSignAndEncodeCertificate
PFXExportCertStore

ncrypt

NCryptCreatePersistedKey
BCryptGetProperty
BCryptOpenAlgorithmProvider
NCryptOpenStorageProvider
BCryptCreateHash
NCryptSetProperty
BCryptHashData
NCryptFreeObject
NCryptFinalizeKey
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptGenRandom

dbghelp

SymInitialize
SymFromAddr
MiniDumpWriteDump
SymGetModuleBase64
SymGetLineFromAddr64
SymFunctionTableAccess64
StackWalk64

iphlpapi

GetAdaptersAddresses
SendARP
ConvertLengthToIpv4Mask
GetAdaptersInfo

ws2_32

__WSAFDIsSet
htons
htonl
gethostname
ntohs
ntohl
WSAGetLastError
ioctlsocket
recv
send
gethostbyname
getaddrinfo
freeaddrinfo
getnameinfo
WSASetLastError
getsockname
WSASocketW
listen
closesocket
bind
accept
WSACleanup
FreeAddrInfoW
select
WSACloseEvent
WSACreateEvent
WSAStartup
WSAEventSelect
WSAResetEvent
GetAddrInfoW
WSAIoctl
shutdown
connect
recvfrom
getsockopt
sendto
socket
setsockopt

gdiplus

GdipCloneImage
GdipAlloc
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromStreamICM
GdipFree
GdipGetImageEncodersSize
GdipSaveImageToStream
GdipLoadImageFromStream
GdipGetImageEncoders

kernel32

InterlockedPushEntrySList
InterlockedFlushSList
RtlUnwind
EnterCriticalSection
GetFullPathNameW
GetStdHandle
WriteFile
LoadLibraryExA
GetModuleFileNameW
GetSystemPowerStatus
OpenProcess
MultiByteToWideChar
Sleep
GetLastError
CloseHandle
GetCurrentDirectoryW
SetCurrentDirectoryW
GetProcAddress
SetEnvironmentVariableA
CreateProcessW
FreeLibrary
WideCharToMultiByte
GetCurrentThreadId
GetModuleHandleA
WaitForSingleObjectEx
CreateThread
QueueUserAPC
OpenThread
ReadFile
LoadLibraryA
SleepEx
SetSystemPowerState
GetCurrentProcess
SetThreadExecutionState
HeapFree
HeapAlloc
GetProcessHeap
SystemTimeToFileTime
GetSystemTime
FileTimeToSystemTime
LeaveCriticalSection
SystemTimeToTzSpecificLocalTime
QueryPerformanceCounter
ReleaseSemaphore
WaitForSingleObject
CreateSemaphoreA
CancelIo
FindFirstFileW
FindNextFileW
RemoveDirectoryW
GetFinalPathNameByHandleW
GetDriveTypeA
SetFilePointer
FindFirstVolumeA
FindClose
CreateFileW
GetVolumePathNamesForVolumeNameA
GetFileAttributesExW
ReadDirectoryChangesW
FindNextVolumeA
FindVolumeClose
GetDiskFreeSpaceExA
CreateEventA
GetModuleHandleExA
WaitForMultipleObjectsEx
CreateNamedPipeA
DisconnectNamedPipe
CreateFileA
CancelIoEx
LocalFree
ConnectNamedPipe
SetConsoleMode
GetConsoleMode
GetStartupInfoW
IsDebuggerPresent
TerminateProcess
GetTempPathW
CancelSynchronousIo
SetEvent
ResetEvent
GetThreadId
GetCurrentProcessId
GetEnvironmentStrings
FreeEnvironmentStringsA
CopyFileW
MoveFileW
RtlCaptureContext
SuspendThread
ResumeThread
DuplicateHandle
ExitThread
GetTickCount64
GetCurrentThread
DeleteFileA
GetOverlappedResult
GetThreadContext
WTSGetActiveConsoleSessionId
GetExitCodeProcess
SetEndOfFile
DeleteFileW
SetFilePointerEx
SetConsoleCtrlHandler
FreeConsole
LoadLibraryExW
SetLastError
GetFileType
GetModuleHandleW
FormatMessageW
SwitchToFiber
DeleteFiber
CreateFiber
GetSystemTimeAsFileTime
ConvertFiberToThread
ConvertThreadToFiber
GetEnvironmentVariableW
ReadConsoleA
ReadConsoleW
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
ExitProcess
GetModuleHandleExW
CreateProcessA
HeapValidate
GetSystemInfo
CreateDirectoryW
GetConsoleCP
MoveFileExW
SetEnvironmentVariableW
SetCurrentDirectoryA
GetCurrentDirectoryA
GetTimeZoneInformation
SetStdHandle
GetDriveTypeW
PeekNamedPipe
GetModuleFileNameA
GetCommandLineA
GetCommandLineW
GetACP
RaiseException
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
InitializeSListHead
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetConsoleOutputCP
IsProcessorFeaturePresent
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
HeapReAlloc
HeapSize
HeapQueryInformation
GetStringTypeW
WriteConsoleW
GetCPInfo
GetFullPathNameA
OutputDebugStringA
OutputDebugStringW
FindFirstFileExA
FindFirstFileExW
FindNextFileA
IsValidCodePage
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
EncodePointer
QueryPerformanceFrequency
DecodePointer

user32

EndDialog
SetWindowTextW
GetWindowPlacement
ShowWindow
GetDlgCtrlID
SetWindowPlacement
SetWindowTextA
IsDlgButtonChecked
GetDlgItem
CheckDlgButton
DialogBoxParamW
EnableWindow
MessageBeep
ExitWindowsEx
GetUserObjectInformationA
EnumDisplayMonitors
GetSystemMetrics
SetThreadDesktop
GetThreadDesktop
CloseDesktop
BlockInput
GetMonitorInfoA
OpenInputDesktop
GetKeyState
GetMessageA
GetWindowRect
SendMessageW
LoadCursorA
DestroyWindow
GetDC
PostMessageA
GetIconInfo
CallNextHookEx
GetCursorInfo
SetWindowsHookExA
MapVirtualKeyA
GetForegroundWindow
UnhookWindowsHookEx
DefWindowProcA
CreateWindowExA
TranslateMessage
UnregisterClassA
DrawIconEx
SetWinEventHook
RegisterClassExA
UnhookWinEvent
SetForegroundWindow
ReleaseDC
SendInput
SetProcessDPIAware
GetProcessWindowStation
GetUserObjectInformationW
DispatchMessageA
CreateWindowExW
MessageBoxW
GetMessageExtraInfo

gdi32

DeleteObject
GetDIBits
CreateCompatibleDC
SelectObject
CreateCompatibleBitmap
SetStretchBltMode
DeleteDC
StretchBlt
BitBlt
GetObjectA
CreateSolidBrush
SetBkColor
SetBkMode
SetTextColor
GetStockObject

advapi32

RegOpenKeyExA
RegCloseKey
CryptEnumProvidersW
CryptSignHashW
CryptDestroyHash
CryptCreateHash
CryptDecrypt
CryptExportKey
CryptGetUserKey
CryptGetProvParam
CryptSetHashParam
CryptAcquireContextW
ReportEventW
RegisterEventSourceW
DeregisterEventSource
StartServiceCtrlDispatcherA
QueryServiceStatus
CloseServiceHandle
AllocateAndInitializeSid
SetServiceStatus
OpenSCManagerA
RegisterServiceCtrlHandlerExA
FreeSid
CheckTokenMembership
OpenServiceA
SetTokenInformation
CreateProcessAsUserW
DuplicateTokenEx
SetSecurityDescriptorDacl
SetEntriesInAclA
InitializeSecurityDescriptor
CryptDestroyKey
RegQueryValueExA
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
CryptReleaseContext
AdjustTokenPrivileges
LookupPrivilegeValueA
InitiateSystemShutdownA
RegCreateKeyW
RegSetValueExA
RegDeleteKeyA
OpenProcessToken

shell32

ShellExecuteExW

ole32

CoCreateInstance
CreateStreamOnHGlobal
CoInitializeEx
CoUninitialize

oleaut32

SysAllocString
SysFreeString
SysStringLen

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 502KB - Virtual size: 502KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 579KB - Virtual size: 742KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 136KB - Virtual size: 135KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

7aa58492bf5691114c98568704d048cd

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

comctl32

crypt32

ncrypt

dbghelp

iphlpapi

ws2_32

gdiplus

kernel32

user32

gdi32

advapi32

shell32

ole32

oleaut32

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 502KB - Virtual size: 502KB

.data Size: 579KB - Virtual size: 742KB

.gfids Size: 512B - Virtual size: 372B

.rsrc Size: 136KB - Virtual size: 135KB

.reloc Size: 95KB - Virtual size: 94KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 502KB - Virtual size: 502KB

.data
Size: 579KB - Virtual size: 742KB

.gfids
Size: 512B - Virtual size: 372B

.rsrc
Size: 136KB - Virtual size: 135KB

.reloc
Size: 95KB - Virtual size: 94KB