General

  • Target

    2025-03-30_d92b6a4cf8e650e71ee93b187957cffe_black-basta_coinminer_ryuk_sliver

  • Size

    2.9MB

  • Sample

    250330-mnlxfsyq12

  • MD5

    d92b6a4cf8e650e71ee93b187957cffe

  • SHA1

    6c3666d283cac020ee6eafe52b99bbf2c1d861dd

  • SHA256

    8714961aa348a4e6d8374952e797ba42ec7e378ab8ad24137947de0b7105f0f2

  • SHA512

    391b67ef330877a67e52730e4e8a98be8cd49661b9910e97ff7750685d8f92f14d3b718d8e7b1bcb459b8f5932423b47cd3c4a1530232ce35415f447a8bfb0b1

  • SSDEEP

    49152:DiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iI4:mg7hRdj9iMlHBSFBWo

Malware Config

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    AWS

  • C2

    http://192.46.210.125:443/agent.ashx

  • Attributes

    • mesh_id

      0x17BCF4CFE0FB6F752503B1D8E8959E7262111B808967FF1608539486EC85E06DB726AE0F09281F9BBA22AEEDAB20DD72

    • server_id

      2E34D36C9A88748D96D811E6C535A88A1892E87F0108F89CDBB38191941C926BE4A273B1648710E7DCA28AC79E20F2D5

    • wss

      wss://192.46.210.125:443/agent.ashx

Targets

    • Target

      2025-03-30_d92b6a4cf8e650e71ee93b187957cffe_black-basta_coinminer_ryuk_sliver

    • Size

      2.9MB

    • MD5

      d92b6a4cf8e650e71ee93b187957cffe

    • SHA1

      6c3666d283cac020ee6eafe52b99bbf2c1d861dd

    • SHA256

      8714961aa348a4e6d8374952e797ba42ec7e378ab8ad24137947de0b7105f0f2

    • SHA512

      391b67ef330877a67e52730e4e8a98be8cd49661b9910e97ff7750685d8f92f14d3b718d8e7b1bcb459b8f5932423b47cd3c4a1530232ce35415f447a8bfb0b1

    • SSDEEP

      49152:DiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iI4:mg7hRdj9iMlHBSFBWo

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15