meshagent | 36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c | Triage

Sharing

General

Target

MeshAgent.exe
Size

3.3MB
Sample

250320-txlflsyq18
MD5

5c716fd89b27969847a91d7048ac9d31
SHA1

081586960b6b6093fa0473413b4c8584e081e0b9
SHA256

36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
SHA512

76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d
SSDEEP

49152:ldZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bg:XHvfGfZvZj1/N/z/owJg

Score

10^/10

meshagent test backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

test

C2

http://81.199.130.130:443/agent.ashx

Attributes

mesh_id
0x47DDDC52FC2F31C47AD1DB7EB4B7C5D38C64AAD2FC943360B44270FE0EA5E8B1A96E47D75411E0868F92FE77C2BFBAD0
server_id
C3CEF30878AE341001284FF387E3BB7A7922403931F7265230ABB853B779EF5C3E73D0B368F566EC7B73BFB88E64D995
wss
wss://81.199.130.130:443/agent.ashx

Targets

- Target
  
  MeshAgent.exe
- Size
  
  3.3MB
- MD5
  
  5c716fd89b27969847a91d7048ac9d31
- SHA1
  
  081586960b6b6093fa0473413b4c8584e081e0b9
- SHA256
  
  36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
- SHA512
  
  76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d
- SSDEEP
  
  49152:ldZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bg:XHvfGfZvZj1/N/z/owJg
Score

10^/10

meshagent test backdoor discovery execution persistence rat trojan
- Detects MeshAgent payload
- MeshAgent
  MeshAgent is an open source remote access trojan written in C++.
  rat trojan backdoor meshagent
- Meshagent family
  meshagent
- Sets service image path in registry
  persistence
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

meshagenttestbackdoordiscoveryexecutionpersistencerattrojan