General

  • Target

    7zS.sfx.exe

  • Size

    352.6MB

  • Sample

    250401-w2whgswny4

  • MD5

    e48e5b2645ef2ad3e9a5220f0208e478

  • SHA1

    1e4c27affc493f14917c6380f5b7688a125f4ad1

  • SHA256

    cdb4e4b35b002bd64e701f3c1e8b147b96cb0907bcc88ead92521777781ca2d1

  • SHA512

    527d6b998ccf5750ad6add37d9afdeeb3251de3e2a4cda560f33378ce1231e5c6b970d474a075c91b5fc8bb0287b61d43d261a3b5a4b95a85ee2572c7cc3ef48

  • SSDEEP

    6291456:RtuQC+T/4kVX12ZnNwS3EQfliyDRq/TIPYnprfaqdDYq75WeDkjEqMDqfBwqH+1d:RtuJU/4kz2Zn64EQflRUbIPypzabq5b7

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

traffic-vc

C2

http://162.0.213.235:443/agent.ashx

Attributes
  • mesh_id

    0xB1C45FED5569BA8EA2AEFA5B7F96E1A369A830758052E01439318F7DAE34EBD045AAD08F3074DE3C397578EC21921DF7

  • server_id

    95C565B94BE035CFD4E742F10753279C58CBB5157492F1027BF26CC76012FFBC368A221A2F25DD47FF0F6918F98A0482

  • wss

    wss://162.0.213.235:443/agent.ashx
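The extracted config above is the set of values a MeshAgent needs to enrol with its controller: the mesh (device group) identifier, the hash of the server certificate it will trust, and the WebSocket endpoint it dials. The following is an added example, not code from this report or from the MeshCentral project, showing how to turn such a block into checked indicators: it parses a `.msh`-style key=value settings block constructed from the values in this report (the `MeshID`, `ServerID`, `MeshServer` and `MeshName` key names follow MeshAgent's settings-file convention, which is an assumption about how this sample embeds its config), verifies that both identifiers are 48-byte values (the SHA-384 digest size MeshCentral uses), derives the C2 host, port and path from the URL in every scheme the report lists it under, and matches those indicators against constructed proxy-log lines.

```python
"""Parse a MeshAgent-style settings block and hunt for its C2 in proxy logs.

Added example; not the sandbox's extractor nor MeshCentral code. Key names
(MeshName/MeshID/ServerID/MeshServer) are assumed from MeshAgent's .msh
convention; the settings text and log lines below are constructed from the
indicators in the report above.
"""
import re
from urllib.parse import urlsplit

# Constructed: a .msh-style block carrying the report's extracted values.
SAMPLE_MSH = """\
MeshName=traffic-vc
MeshID=0xB1C45FED5569BA8EA2AEFA5B7F96E1A369A830758052E01439318F7DAE34EBD045AAD08F3074DE3C397578EC21921DF7
ServerID=95C565B94BE035CFD4E742F10753279C58CBB5157492F1027BF26CC76012FFBC368A221A2F25DD47FF0F6918F98A0482
MeshServer=wss://162.0.213.235:443/agent.ashx
"""

# Constructed proxy/egress log lines; two of them reach the extracted C2.
SAMPLE_LOGS = [
    "t=00:01 host=WS-014 dst=162.0.213.235:443 uri=/agent.ashx",
    "t=00:02 host=WS-014 dst=13.107.4.50:443 uri=/connecttest.txt",
    "t=00:05 host=WS-022 dst=162.0.213.235:443 uri=/",
    "t=00:07 host=WS-031 dst=10.0.0.5:8080 uri=/agent.ashx.bak",
]

HEX48 = re.compile(r"[0-9A-Fa-f]{96}")  # 48 bytes = SHA-384 digest, as hex


def parse_msh(text):
    """Return key/value pairs; first '=' splits, blank and '#' lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def validate_ids(cfg):
    """MeshID is 0x-prefixed and ServerID bare; both must be 48-byte hex values."""
    mesh_id = cfg.get("MeshID", "")
    server_id = cfg.get("ServerID", "")
    mesh_ok = mesh_id.startswith("0x") and HEX48.fullmatch(mesh_id[2:]) is not None
    server_ok = HEX48.fullmatch(server_id) is not None
    return mesh_ok and server_ok


def c2_indicators(cfg):
    """Derive host/port/path from MeshServer and list the URL under each scheme
    a report or log might render it in (wss for the agent, http/https in proxies)."""
    parts = urlsplit(cfg["MeshServer"])
    host = parts.hostname
    port = parts.port or (443 if parts.scheme in ("wss", "https") else 80)
    path = parts.path or "/"
    urls = sorted(f"{scheme}://{host}:{port}{path}" for scheme in ("wss", "https", "http"))
    return {"host": host, "port": port, "path": path, "urls": urls}


def match_logs(lines, indicators):
    """Return log lines whose destination is the C2 host:port, or whose request
    path is exactly the agent endpoint (a loose second signal for hunts behind NAT)."""
    dst = f"dst={indicators['host']}:{indicators['port']}"
    uri = f"uri={indicators['path']}"
    hits = []
    for line in lines:
        fields = line.split()
        if dst in fields or uri in fields:
            hits.append(line)
    return hits


if __name__ == "__main__":
    config = parse_msh(SAMPLE_MSH)
    print("ids well-formed:", validate_ids(config))
    ind = c2_indicators(config)
    print("c2:", ind)
    for hit in match_logs(SAMPLE_LOGS, ind):
        print("HIT", hit)
```

The exact `uri=/agent.ashx` match deliberately does not fire on `/agent.ashx.bak`; if you relax it to a prefix match, expect noise from anything else served under that path. The identifier-length check is a cheap sanity test on an extractor's output: a MeshID or ServerID that is not 96 hex digits was truncated or mis-parsed, and should not be promoted to an IOC as-is.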

Targets

    • Target

      7zS.sfx.exe

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is the open source endpoint agent of the MeshCentral remote-management suite, written primarily in C. Attackers repackage the legitimate agent with their own server settings to use it as a remote access trojan, which is how this sample is classified.

    • Meshagent family

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
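The persistence signatures above ("Sets service image path in registry", "Adds Run key to start application") are the registry writes an analyst would look for on a live host. The following is an added example, not from this report or from MeshCentral, that triages Sysmon Event ID 13 (registry value set) records for those two patterns: it picks out service `ImagePath` writes and `Run`/`RunOnce` values, extracts the executable each points at, and flags the finding when either the writing process or the target executable lives in a user-writable drop location. The events are constructed for the example; the service name and install path in them are placeholders, not observations from this sample.

```python
"""Flag service-ImagePath and Run-key persistence in Sysmon-style registry events.

Added example, not part of the sandbox report. Field names follow Sysmon
Event ID 13 (Image, TargetObject, Details); the events are constructed and
the paths in them are illustrative placeholders.
"""
import re

SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
# Locations a dropper commonly writes to before registering persistence.
SUSPECT_DIRS = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Mesh Agent\ImagePath",
     "Details": r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'},
    {"EventID": 13,
     "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\svc.exe --background"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\wscsvc\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\app.exe" /tray'},
]


def extract_path(details):
    """Return the executable from a registry command value, dropping quotes and arguments."""
    d = details.strip()
    m = re.match(r'^"([^"]+)"', d)
    if m:
        return m.group(1)
    return d.split(" ", 1)[0]


def classify(event):
    """Map a TargetObject to (kind, name) for the two persistence patterns, else (None, None)."""
    target = event.get("TargetObject", "")
    m = SERVICE_IMAGEPATH.search(target)
    if m:
        return "service_imagepath", m.group(1)
    m = RUN_KEY.search(target)
    if m:
        return "run_key", m.group(2)
    return None, None


def assess(events):
    """Return one finding per persistence write; 'suspicious' is set when the
    writer or the registered executable sits in a user-writable drop directory."""
    findings = []
    for ev in events:
        kind, name = classify(ev)
        if kind is None:
            continue
        target = extract_path(ev.get("Details", ""))
        writer = ev.get("Image", "")
        suspicious = bool(SUSPECT_DIRS.search(writer) or SUSPECT_DIRS.search(target))
        findings.append({"kind": kind, "name": name, "target": target,
                         "writer": writer, "suspicious": suspicious})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(("SUSPICIOUS " if f["suspicious"] else "          ") + f"{f['kind']:17} {f['name']:12} -> {f['target']}  (by {f['writer']})")
```

The fourth event shows why the writer's location matters as much as the target's: a Run key pointing into `Program Files` written by `msiexec.exe` is ordinary software installation, while the same kind of write from a process running out of `%TEMP%` is the pattern this report's sandbox signatures describe.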

MITRE ATT&CK Enterprise v15
