meshagent | 0b0d9c1903a01a53de9a650226d2c2047cbe2d3e28378f2b7ae0647cbf57f190

Analysis

max time kernel
27s
max time network
28s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/03/2025, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meshagent64-test.exe
Size

3.3MB
MD5

d47cb95c80fcf6c6059fcfae49577cef
SHA1

4a591e9763f51b0b8f69c69d91100ddc19a71cb8
SHA256

0b0d9c1903a01a53de9a650226d2c2047cbe2d3e28378f2b7ae0647cbf57f190
SHA512

451ec3b2d6d3c4567c888d11e18eeeb43268b7316e1d9b6f169f049b32a3d0858f83648dbf452e1f8db71ad3b4371736a30a15cdddb2ed6b56396770ac9eb4e9
SSDEEP

49152:9dZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bq:/HvfGfZvZj1/N/z/owJq

Score

10^/10

meshagent test backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

test

Attributes

mesh_id
0xBAAC9AE409F4814112B0BCB6CEC1BB2060FF988AAC5B1EBC37305F946B7DD19682DAA25FE0EA403C76A50EC593316E5F
server_id
6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644
wss
localhost

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d0e-1.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-test.exe

Executes dropped EXE 2 IoCs

pid	Process
476	Process not Found
2888	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-test.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MeshAgent.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2768	2616	meshagent64-test.exe	32
PID 2616 wrote to memory of 2768	2616	meshagent64-test.exe	32
PID 2616 wrote to memory of 2768	2616	meshagent64-test.exe	32

C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe
"C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe
  "C:\Users\Admin\AppData\Local\Temp\meshagent64-test.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:2768

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
d47cb95c80fcf6c6059fcfae49577cef

SHA1
4a591e9763f51b0b8f69c69d91100ddc19a71cb8

SHA256
0b0d9c1903a01a53de9a650226d2c2047cbe2d3e28378f2b7ae0647cbf57f190

SHA512
451ec3b2d6d3c4567c888d11e18eeeb43268b7316e1d9b6f169f049b32a3d0858f83648dbf452e1f8db71ad3b4371736a30a15cdddb2ed6b56396770ac9eb4e9

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads