MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MeshAgent

Vendor detections: 13

Intelligence 13 IOCs YARA 17 File information Comments

SHA256 hash:	6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043
SHA3-384 hash:	12e19cda036dfc7b909ec375b4dd5e9cce755018c18ec75c3bef65d9a9bffad80554d4cd95a71b02e23b1ed0c53441bb
SHA1 hash:	c7e02cf4a5acc6a766a5d09d951b3e2e1ed5180e
MD5 hash:	067df7cf197945f6aac5413e722d5398
humanhash:	zebra-indigo-maryland-salami
File name:	meshagent32-Access.exe
Download:	download sample
Signature	MeshAgent Create hunting rule
File size:	3'856'520 bytes
First seen:	2026-03-03 09:37:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7aa58492bf5691114c98568704d048cd (10 x MeshAgent)
ssdeep	49152:hfEV3ugKeuWoAkf6bRexQlNIdwB0pJCWJ0+1NaZPwq+5bWZPaK:hfEYnnfKthWq+1jJWZPaK
Threatray	33 similar samples on MalwareBazaar
TLSH	T1A906AEC3BB834471F8A736B411AB53BE9D7D69530728D4C393D428A949316D0AE3B39B
TrID	29.5% (.EXE) Win64 Executable (generic) (6522/11/2) 22.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	BlinkzSec
Tags:	141-11-107-134 exe MeshAgent signed

Code Signing Certificate

Organisation:	az.lsa.az-a8c865
Issuer:	MeshCentralRoot-c03815
Algorithm:	sha384WithRSAEncryption
Valid from:	2018-01-01T06:00:00Z
Valid to:	2049-12-31T06:00:00Z
Serial number:	0932331534
Thumbprint Algorithm:	SHA256
Thumbprint:	70311f7b9792fd42e144a8b0471d2fcb11a30e2a9b00354795c12fcdc31aadf0
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

134

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

meshagent32-Access.exe

Verdict:

Malicious activity

Analysis date:

2026-03-03 09:39:51 UTC

Tags:

meshagent rmm-tool

Link:

https://app.any.run/tasks/16f4bc10-ef1b-4e17-9fa6-a483b24ddc70

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/55358/

Detection(s):

SecuriteInfo.com.Program.MeshAgent.6.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a6acd5e1f958bf668311b4

Tags:

injection emotet agent virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cmd crypto fingerprint hacktool keylogger lolbin microsoft_visual_cc overlay signed

Link:

https://www.filescan.io/uploads/69a6abcbcd25bfe1dfdef8e9/reports/98fa53de-be0d-4043-96d4-6c315e6dec4b/overview

Verdict:

Malicious

Labled as:

RiskWare[RemoteAdmin]/MeshAgent

Link:

https://www.hybrid-analysis.com/sample/6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043

Result

Gathering data

Malware family:

MeshCentral Agent

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/61243477-d480-48f5-812d-9a2d568af161

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/067df7cf197945f6aac5413e722d5398

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043/

Verdict:

Malicious

Threat:

Family.MESHAGENT

Link:

https://tip.neiki.dev/file/6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mvc3ccpfoxgduygybzyvljff64gxocw35fuwls36ikrnmlfigbbq._file

Verdict:

malicious

Label(s):

meshagent

MeshAgent

22087deb8a6e7de42d07bb2a81488da74401726243a32df627fa3b3806294cdf

MeshAgent

51b4207ed9ef06a4c50808e933fc01ad1eb30613bd65702427bbeddac4c5dc25

MeshAgent

b3394d237e9c5558b33b5cfb7da7178e625a4ef1a126c0b0d1b13ac2f2d73ceb

MeshAgent

ba25f8ebac2b55cc744c226010fa3c4422dd77d8aeee495d203715abe8553b27

MeshAgent

d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda

MeshAgent

error

MeshAgent

+ 23 additional samples on MalwareBazaar

Result

Malware family:

meshagent

Score:

10/10

Tags:

family:meshagent botnet:access discovery

Link:

https://tria.ge/reports/260303-lllcgaby4e/

Behaviour

System Location Discovery: System Language Discovery

Malware Config

C2 Extraction:

http://az.lsa.az:444/agent.ashx

Unpacked files

SH256 hash:

6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043

MD5 hash:

067df7cf197945f6aac5413e722d5398

SHA1 hash:

c7e02cf4a5acc6a766a5d09d951b3e2e1ed5180e

Link:

https://www.unpac.me/results/4429dc0a-1de6-43c4-a400-7267fa2ac82e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Indicator_MiniDumpWriteDump Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references

Rule name:	INDICATOR_RMM_MeshAgent Create hunting rule
Author:	ditekSHen
Description:	Detects MeshAgent. Review RMM Inventory

Rule name:	INDICATOR_RMM_MeshAgent_CERT Create hunting rule
Author:	ditekSHen
Description:	Detects Mesh Agent by (default) certificate. Review RMM Inventory

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

Rule name:	WIN_WebSocket_Base64_C2_20250726 Create hunting rule
Author:	dogsafetyforeverone
Description:	Detects configuration strings used by malware to specify WebSocket command-and-control endpoints inside Base64-encoded data. It looks for prefixes such as '#ws://' or '#wss://' that were found in QuasarRAT configuration data.