Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/03/2025, 20:49

General

  • Target

    meshagent64-test (1).exe

  • Size

    3.3MB

  • MD5

    36dd1f52808bc6c95b104ca4b74c8e6a

  • SHA1

    9814398ab1fa76d18952c3e591bc173deb397e9f

  • SHA256

    f93fda1b2b185a95ee069081e42a58f6cc8d105c0b859696b67db00967a835f7

  • SHA512

    a2f765f34a610059e741faa296ff9699b2b87af23df90824eacf2af337e26b80883c2bf6080bfaad3b4eb5f2a58bce765832d1c09064f042ce21d05677c41ba9

  • SSDEEP

    49152:YdZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bo:cHvfGfZvZj1/N/z/owJo

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

test

Attributes
  • mesh_id

    0xBAAC9AE409F4814112B0BCB6CEC1BB2060FF988AAC5B1EBC37305F946B7DD19682DAA25FE0EA403C76A50EC593316E5F

  • server_id

    6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644

  • wss

    localhost
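
The values above (family, version, botnet, mesh_id, server_id, wss) come from the .msh policy text that a MeshAgent installer carries embedded in its executable. The Python below is an added example, not the sandbox's extractor and not MeshAgent project code. It assumes the trailer layout [msh text][4-byte big-endian length][16-byte GUID B996015880544A19B7F7E9BE44914C18]; the GUID value and that layout are assumptions to verify against a real sample. It builds a constructed stand-in binary using the identifiers from this report (the MeshServer port and path in the sample are made up), extracts and parses the policy, and maps the keys MeshName, MeshType, MeshID, ServerID and MeshServer onto the field names used in this Malware Config section.

```python
import struct
from typing import Dict, Optional
from urllib.parse import urlparse

# Assumed trailer marker: the GUID appended after an embedded .msh policy
# (assumption based on my reading of the project; verify on a real sample).
MESH_POLICY_GUID = bytes.fromhex("B996015880544A19B7F7E9BE44914C18")
TRAILER_LEN = 4 + len(MESH_POLICY_GUID)  # 4-byte length + 16-byte marker

# Constructed .msh policy built from the identifiers in the report above.
# The MeshServer port and path are made up for this example.
SAMPLE_MSH = (
    "MeshName=test\n"
    "MeshType=2\n"
    "MeshID=0xBAAC9AE409F4814112B0BCB6CEC1BB2060FF988AAC5B1EBC37305F946B7DD19682DAA25FE0EA403C76A50EC593316E5F\n"
    "ServerID=6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644\n"
    "MeshServer=wss://localhost:443/agent.ashx\n"
)


def build_sample(msh: str) -> bytes:
    """Constructed stand-in for an agent binary: fake PE bytes plus the assumed trailer."""
    body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + bytes(range(256)) * 8
    data = msh.encode("utf-8")
    return body + data + struct.pack(">I", len(data)) + MESH_POLICY_GUID


def extract_msh(blob: bytes) -> Optional[str]:
    """Return the embedded .msh text, or None when no valid trailer is present."""
    if len(blob) < TRAILER_LEN or blob[-16:] != MESH_POLICY_GUID:
        return None
    (length,) = struct.unpack(">I", blob[-TRAILER_LEN:-16])
    if length == 0 or length > len(blob) - TRAILER_LEN:
        return None  # corrupt or truncated trailer: refuse rather than mis-slice
    start = len(blob) - TRAILER_LEN - length
    return blob[start:len(blob) - TRAILER_LEN].decode("utf-8", errors="replace")


def parse_msh(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def to_report_fields(cfg: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map .msh keys onto the field names used in the Malware Config section."""
    server = cfg.get("MeshServer", "")
    host = urlparse(server).hostname if server else None
    return {
        "family": "meshagent",
        "version": cfg.get("MeshType"),
        "botnet": cfg.get("MeshName"),
        "mesh_id": cfg.get("MeshID"),
        "server_id": cfg.get("ServerID"),
        "wss": host,
    }


def analyze(blob: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Full pipeline: trailer -> .msh text -> key/value map -> report fields."""
    msh = extract_msh(blob)
    return None if msh is None else to_report_fields(parse_msh(msh))


if __name__ == "__main__":
    import sys
    # Pass a file path to analyze a real sample; otherwise use the constructed one.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(SAMPLE_MSH)
    result = analyze(data)
    if result is None:
        print("no embedded .msh policy trailer found")
    else:
        for key, value in result.items():
            print(f"{key}: {value}")
```

The dropped C:\Program Files\Mesh Agent\MeshAgent.exe listed under Downloads carries the same SHA256 as the submitted sample, so the same trailer extraction applies unchanged to the installed copy. If a sample returns no trailer, the policy may have been stripped or stored differently; check the tail of the file by hand before trusting a negative result.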

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is the open-source remote management agent of the MeshCentral project, written in C; it is widely abused as a remote access trojan, and the embedded policy (mesh_id, server_id, wss) identifies which MeshCentral server the agent enrolls with.

  • Meshagent family
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\meshagent64-test (1).exe
    "C:\Users\Admin\AppData\Local\Temp\meshagent64-test (1).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2592
    • C:\Users\Admin\AppData\Local\Temp\meshagent64-test (1).exe
      "C:\Users\Admin\AppData\Local\Temp\meshagent64-test (1).exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Drops file in Program Files directory
      PID:1272
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Mesh Agent\MeshAgent.exe

    Filesize

    3.3MB

    MD5

    36dd1f52808bc6c95b104ca4b74c8e6a

    SHA1

    9814398ab1fa76d18952c3e591bc173deb397e9f

    SHA256

    f93fda1b2b185a95ee069081e42a58f6cc8d105c0b859696b67db00967a835f7

    SHA512

    a2f765f34a610059e741faa296ff9699b2b87af23df90824eacf2af337e26b80883c2bf6080bfaad3b4eb5f2a58bce765832d1c09064f042ce21d05677c41ba9