MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90de6b93f296541a5c245597349f2cd569472985cecbc14a1b0ccdb0951f5f13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MeshAgent
Vendor detections: 7


SHA256 hash: 90de6b93f296541a5c245597349f2cd569472985cecbc14a1b0ccdb0951f5f13
SHA3-384 hash: 1e0a64928d47b1d093803af37f06b10cd4848128f6221161a7694cb62eb5b873cbca70c3d7b78bddcd72bf7cd852555d
SHA1 hash: 437c46661611a6dd5a599e22cff3c0ff6641d9d5
MD5 hash: a99bdd7091de5c9bda4ea4f00ee8f38e
humanhash: nineteen-uranus-aspen-paris
File name: tpn6534.exe
Signature: MeshAgent
File size: 3'458'352 bytes
First seen: 2023-09-18 04:17:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a0a18b5f8dacc89ca9f4ffe03d5091ea (2 x MeshAgent)
ssdeep: 49152:dkoeNVsd0YDx6+NtWfonoC22yRCoXne+p5LSIHLm7iyeMFvf6zCDvZ76ful/m4Mt:kKF6MMaKCoXeKeiy/DtMNH
Threatray: 2 similar samples on MalwareBazaar
TLSH: T179F58CD2A7A600E8E977F23CC9568517E7F1B81753709BCF25A44A660F236D12B3E702
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 989a92d8d8daf2c0 (23 x MeshAgent)
Reporter: JAMESWT_WT
Tags: 2-155-18-40-9000 exe MeshAgent signed

Code Signing Certificate

Organisation: un-configured-1f7de8
Issuer: MeshCentralRoot-f37134
Algorithm: sha384WithRSAEncryption
Valid from: 2017-12-31T23:00:00Z
Valid to: 2049-12-30T23:00:00Z
Serial number: 2016516926
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 860c9e7421925d91510eb9c00773172cf8befaa71e825fce9661bbd8f237a4bd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 304
Origin country: IT
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour:
  Launching a process
  Searching for the window
  Creating a window
  Gathering data
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: control crypto greyware keylogger lolbin overlay remote

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
  Changes security center settings (notifications, updates, antivirus, firewall)
  Connects to many ports of the same IP (likely port scanning)
  Creates files in the system32 config directory
  Early bird code injection technique detected
  Multi AV Scanner detection for submitted file
  Queries memory information (via WMI, often done to detect virtual machines)
  Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
  Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
  Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Query firmware table information (likely to detect VMs)
  Uses dynamic DNS services
Behaviour
Behavior Graph ID 1309757 (sample tpn6534.exe, start date 18/09/2023, architecture WINDOWS, score 96). The graph image is not reproduced here; the following is recovered from its node labels.
Root-level signatures: Multi AV Scanner detection for submitted file; queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); 4 other signatures.
Network nodes:
  tse1.mm.bing.net (listed at the root of the graph)
  serrapirate2121.duckdns.org, 2.155.18.40, ports 23768, 49710, 49713 (VODAFONE_ESES, Spain), contacted by the second MeshAgent.exe instance
  127.0.0.1 (unknown), contacted by one of the 10 other processes
Processes started from the root:
  MeshAgent.exe: queries firmware table information (likely to detect VMs); starts powershell.exe and 6 other processes
  MeshAgent.exe (second instance): contacts serrapirate2121.duckdns.org; drops C:\...\MeshAgent.update.exe_unzipped (PE32+) and C:\Program Files\...\MeshAgent.update.exe (PE32+); creates files in the system32 config directory; starts cmd.exe and three WMIC.exe instances
  tpn6534.exe: starts WMIC.exe, a second tpn6534.exe instance and conhost.exe
  10 other processes: one of them changes security center settings (notifications, updates, antivirus, firewall)
Child process findings:
  powershell.exe: creates files in the system32 config directory; starts conhost.exe
  cmd.exe: early bird code injection technique detected; starts conhost.exe and 3 other processes
  WMIC.exe (started by tpn6534.exe): queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes); starts conhost.exe
  tpn6534.exe (second instance): drops C:\Program Files\Mesh Agent\MeshAgent.exe (PE32+); starts conhost.exe
  each WMIC.exe started by MeshAgent.exe starts a conhost.exe
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 90de6b93f296541a5c245597349f2cd569472985cecbc14a1b0ccdb0951f5f13
MD5 hash: a99bdd7091de5c9bda4ea4f00ee8f38e
SHA1 hash: 437c46661611a6dd5a599e22cff3c0ff6641d9d5
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: INDICATOR_RMM_MeshAgent
Author: ditekSHen
Description: Detects MeshAgent. Review RMM inventory.

Rule name: INDICATOR_RMM_MeshAgent_CERT
Author: ditekSHen
Description: Detects Mesh Agent by (default) certificate. Review RMM inventory.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: WHIRLPOOL_Constants
Author: phoul (@phoul)
Description: Look for Whirlpool constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments