MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MeshAgent


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea
SHA3-384 hash: b054604b432e56000314ffa665f7ee63c5978ceb018fabe4e5c388ef401c89d1b64f458fdf9458e8b2d92655188bdf35
SHA1 hash: add984abbad7beaa20f8246b6a8ee45867054cbd
MD5 hash: d55c29190fc88872c096a3dad1a12a47
humanhash: mars-tennis-pizza-football
File name:setup.ps1
Download: download sample
Signature MeshAgent
Create hunting rule
File size:10'662 bytes
First seen:2026-04-15 13:13:08 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 192:zRXuJelAEjRUyqAojLS+DvUCcjeD0SwmvR02wJWsQuu9ze30Gp3e:Z8URUyxoPjDMF9mvR02X7
Threatray 38 similar samples on MalwareBazaar
TLSH T1E322A64162A004F9C6522F23DCCB77963AED48BF412F130072E8CA297ED256E877B1D5
Magika powershell
Reporter abuse_ch
Tags:MeshAgent ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69df8f2245787c53e539eecb
Tags:
ransomware shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm base64 base64 cmd crypto dropper evasive fingerprint fingerprint hacktool ipconfig keylogger lolbin lolbin netsh obfuscated overlay persistence powershell schtasks zero-day
Link:
https://www.filescan.io/uploads/69df8f12799d5bf325ffbb4d/reports/05bb67e4-5e1b-40f1-ae84-1be4b4b987b2/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea
Result
Gathering data
Verdict:
Malicious
File Type:
ps1
First seen:
2026-04-15T10:02:00Z UTC
Last seen:
2026-04-15T10:12:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb HEUR:Trojan.PowerShell.Generic not-a-virus:HEUR:RemoteAdmin.Win32.MeshAgent.gen
Link:
https://opentip.kaspersky.com/d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1898735
Signature
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Sigma detected: Delete Important Scheduled Task
Sigma detected: Potentially Suspicious PowerShell Child Processes
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Score:
5%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea/
Verdict:
Malicious
Threat:
Family.MESHAGENT
Link:
https://tip.neiki.dev/file/d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ghuiiz65x7zcvqvy7lbrjimh7x32vy5bnyoqo2oaezzbf6sbdva._file
Verdict:
malicious
Label(s):
meshagent
Create hunting rule
Similar samples:
12304b7c8fa917092a9b51195bc8fa9f8ab33e4fe7dd0a5c62d2e9014d05233f
MeshAgent
1ea07b21a1c289874ae9b39f1fe77e57de8a3227e53296f1871a24d09fd3c3d8
MeshAgent
22087deb8a6e7de42d07bb2a81488da74401726243a32df627fa3b3806294cdf
MeshAgent
51b4207ed9ef06a4c50808e933fc01ad1eb30613bd65702427bbeddac4c5dc25
MeshAgent
6545b109e575cc3a60d80e7155a4a5f70d770adbe96965cb7e42a2d62ca83043
MeshAgent
b3394d237e9c5558b33b5cfb7da7178e625a4ef1a126c0b0d1b13ac2f2d73ceb
MeshAgent
ba25f8ebac2b55cc744c226010fa3c4422dd77d8aeee495d203715abe8553b27
MeshAgent
d04f66d478b6abd76cc1b5ebb6cad16b79e1549bd90ca628947b0b61e45d1eda
MeshAgent
error
MeshAgent
fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373
MeshAgent
+ 28 additional samples on MalwareBazaar
Result
Malware family:
meshagent
Create hunting rule
Score:
  10/10
Tags:
family:meshagent backdoor defense_evasion discovery execution persistence privilege_escalation ransomware rat trojan
Link:
https://tria.ge/reports/260415-qgljwse13j/
Behaviour
Gathers network information
Modifies data under HKEY_USERS
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Modifies powershell logging option
Executes dropped EXE
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Firewall
Sets service image path in registry
Clears Windows event logs
Detects MeshAgent payload
Family: MeshAgent
Malware Config
Dropper Extraction:
https://dwkch.ru/meshagents?id=3&meshid=g3qQmGuuQeuKcWATXQJ2kFRNAVgYUYMIbGileCXMMUiSABwlmUBigllxjAOCx30b&installflags=3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:INDICATOR_SUSPICIOUS_AMSI_Bypass
Create hunting rule
Author:ditekSHen
Description:Detects AMSI bypass pattern
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MeshAgent

PowerShell (PS) ps1 d18f44233eedff915615c7d618a50c3fefbd571d0b70e83b4e01339097d208ea

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3822412/
  
Delivery method
Distributed via web download

Comments