General

  • Target

    2025-06-05_b7a5aff86fd4ae4c92e1f3784cb27918_black-basta_coinminer_ryuk_sliver

  • Size

    2.9MB

  • Sample

    250605-by5lrsy1av

  • MD5

    b7a5aff86fd4ae4c92e1f3784cb27918

  • SHA1

    b793124ba29e324695470abd57ab26fae7f8eef6

  • SHA256

    2615999ec606782b9a0c1d1fcfcf60013afa4323622e8cbf27a24e651c03472f

  • SHA512

    fd6197c2a5335c905e17d99a02594af2daa981725c7dfe7ef70d19501c7fe15238991b8acc4c76df952e8185ae5763fca7db4cce013ac5319232fffcf948ba40

  • SSDEEP

    49152:8ZFIlmhRYg1OziGQGRCv6da/KMvxZdAMBwQoxXXujOl4MPMFvfldPSFrXxn35:bl7i86hR+fWMeP435

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

GSMcall_office

C2

http://remote.gsmcall.com:443/agent.ashx

Attributes

  • mesh_id

    0x9E49FAEBD79F4A1677EC60F1BC4601409D86A8F6C5F61BD4F987E15D088B6DCBA3C790D0627883F5FBA97ED21355025F

  • server_id

    EA3EA170484E6CD82E59CCCF3DA2EED1EAC7188A9B046929FF95ED90EFFE6C4C85DCB4AF173E396738D4E0C2E251DED9

  • wss

    wss://remote.gsmcall.com:443/agent.ashx

Targets

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Sets service image path in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16