Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
05.01 02:05
LoginMain(1)
05.01 02:05
LoginMain
05.01 02:05
veneziaLogin.js.pobrane
05.01 02:05
troubleshot-modal-info...
05.01 02:05
LoginMain(4)
05.01 02:05
LoginMain(3)
05.01 02:05
LoginMain(2)
05.01 02:05
LoginMain(6)
05.01 02:05
LoginMain(5)
05.01 02:05
background

Latest News
05.01 11:05
Making PyPI's test sui...
05.01 11:05
Sophos Firewall v21.5:...
05.01 11:05
[RSAC 2025 한국관 리포트] 글로...
05.01 11:05
The Detection Opportun...
05.01 10:05
[RSAC 2025 현장 리포트–DAY ...
05.01 10:05
Instacart Buys Grocery...
05.01 10:05
Chart Toppers Live: RS...
05.01 10:05
Apple AirPlay SDK devi...
05.01 09:05
Uncovering MintsLoader...
05.01 09:05
RansomHub Ransomware D...

Summary | ZeroBOX

script.exe

NSIS Generic Malware Malicious Library UPX PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 24, 2024, 6:57 p.m.	Aug. 24, 2024, 7:11 p.m.

Size	1.6MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`dc37d19933e5689c25bc6cce8c15d58c`
SHA256	`fabfaa8fe68a80b286ea7291977e73a830320db89c9acdbfc3373884246f6373`
CRC32	`28FCBAE4`
ssdeep	`24576:zadIJEV+Vz4OjRZMpM2wSZB8Q04KfA3NapQpN65NlwBy8rTx3ZmIkmu3ylHAhf8:WIii8uqMIBv09cNgHwBy8rVkUkyR+U`
Yara	Malicious_Library_Zero - Malicious_Library NSIS_Installer - Null Soft Installer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

script.exe "C:\Users\test22\AppData\Local\Temp\script.exe"
2536
- leonardo-mesh.exe "C:\Users\test22\AppData\Roaming\Leonardo\leonardo-mesh.exe" -fullinstall
  2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
104.248.229.104	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49168 -> 104.248.229.104:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49168 104.248.229.104:443	None	None	None

Queries for the computername (3 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 24, 2024, 6:57 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 24, 2024, 6:57 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Aug. 24, 2024, 6:57 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2024, 6:57 p.m.			0	0

Command line console output was observed (8 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: ...Checking for previous installation of "Mesh Agent" console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: [NONE] console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: ...Installing service console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: [DONE] console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: -> Writing firewall rules for Mesh Agent Service... console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: [DONE] console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: -> Starting service... console_handle: 0x00000007	1	1	0
WriteConsoleA Aug. 24, 2024, 6:57 p.m.	buffer: [OK] console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2024, 6:57 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

Creates executable files on the filesystem (2 events)

file	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
file	C:\Users\test22\AppData\Roaming\Leonardo\leonardo-mesh.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW Aug. 24, 2024, 6:57 p.m.	service_start_name: start_type: 2 password: display_name: Mesh Agent filepath: C:\Users\test22\AppData\Roaming\Leonardo\"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe" service_name: Mesh Agent filepath_r: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe" desired_access: 983551 service_handle: 0x0440bc28 error_control: 0 service_type: 272 service_manager_handle: 0x0440bc50	1	71351336	0

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

Communicates with host for which no DNS query was performed (1 event)

host

104.248.229.104

Installs itself for autorun at Windows startup (2 events)

service_name	Mesh Agent				service_path	C:\Users\test22\AppData\Roaming\Leonardo\"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath				reg_value	"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

File has been identified by 11 AntiVirus engines on VirusTotal as malicious (11 events)

Cylance	Unsafe
VirIT	Trojan.Win32.Genus.WDM
APEX	Malicious
Rising	HackTool.MeshAgent!8.13A31 (TFE:5:3FAGppPZPZV)
DrWeb	Program.MeshAgent.1
FireEye	Generic.mg.dc37d19933e5689c
Antiy-AVL	RiskWare[RemoteAdmin]/Win32.MeshAgent
Kingsoft	malware.kb.a.886
DeepInstinct	MALICIOUS
VBA32	Trojan.Staser
Fortinet	Riskware/Application