Summary | ZeroBOX

Installeraus.exe

Tags: NSIS, Generic Malware, Malicious Library, UPX, PE File, OS Processor Check, PE32

Category FILE
Machine s1_win7_x6403_us
Started Sept. 25, 2024, 10:45 a.m.
Completed Sept. 25, 2024, 10:54 a.m.
Size 1.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 749bd6bf56a6d0ad6a8a4e5712377555
SHA256 e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
CRC32 FB4F8AD7
ssdeep 49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo
Yara
  • Malicious_Library_Zero - Malicious_Library
  • NSIS_Installer - Null Soft Installer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Hosts (Name / Response / Post-Analysis Lookup)
No hosts contacted.

IP Address Status Action
94.131.119.184 Active Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49168 -> 94.131.119.184:443
SID: 906200068
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)
Category: undefined

Suricata TLS

Flow: TLS 1.3 192.168.56.103:49168 -> 94.131.119.184:443
Issuer: None
Subject: None
Fingerprint: None

Time & API Arguments Status Return Repeated

GetComputerNameW
computer_name: TEST22-PC
status 1 / return 1 / repeated 0

GetComputerNameW
computer_name: TEST22-PC
status 1 / return 1 / repeated 0

GetComputerNameW
computer_name: TEST22-PC
status 1 / return 1 / repeated 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleA
buffer: ...Checking for previous installation of "Mesh Agent"
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: [NONE]
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: ...Installing service
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: [DONE]
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: -> Writing firewall rules for Mesh Agent Service...
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: [DONE]
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: -> Starting service...
console_handle: 0x00000007
status 1 / return 1 / repeated 0

WriteConsoleA
buffer: [OK]
console_handle: 0x00000007
status 1 / return 1 / repeated 0

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx
status 1 / return 1 / repeated 0

section .ndata
file C:\Users\test22\AppData\Roaming\MSIX\meshagent32-group.exe
file C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
Time & API Arguments Status Return Repeated

CreateServiceW
service_start_name:
start_type: 2
password:
display_name: Mesh Agent
filepath: C:\Users\test22\AppData\Roaming\MSIX\"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
service_name: Mesh Agent
filepath_r: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
desired_access: 983551
service_handle: 0x03f4e070
error_control: 0
service_type: 272
service_manager_handle: 0x03f4e098
status 1 / return 66379888 / repeated 0

file C:\Users\test22\AppData\Roaming\MSIX\meshagent32-group.exe
wmi <INVALID POINTER>
host 94.131.119.184
service_name Mesh Agent
service_path C:\Users\test22\AppData\Roaming\MSIX\"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath
reg_value "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

Vendor Detection
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.MeshAgent.4!c
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Gen:Variant.Nemesis.36049
Cylance Unsafe
VIPRE Gen:Variant.Nemesis.36049
Sangfor Trojan.Win32.Agent.Vmmj
BitDefender Gen:Variant.Nemesis.36049
Arcabit Trojan.Nemesis.D8CD1
VirIT Trojan.Win32.Genus.WDM
ESET-NOD32 a variant of Generik.JRABCRO
APEX Malicious
Avast NSIS:MalwareX-gen [Trj]
MicroWorld-eScan Gen:Variant.Nemesis.36049
Rising HackTool.MeshAgent!8.13A31 (TFE:5:3FAGppPZPZV)
Emsisoft Gen:Variant.Nemesis.36049 (B)
DrWeb Program.MeshAgent.1
TrendMicro Trojan.Win32.AMADEY.YXEITZ
McAfeeD ti!E6148C7E8CEC
CTX exe.trojan.meshagent
Sophos Mal/Generic-S
FireEye Gen:Variant.Nemesis.36049
Antiy-AVL RiskWare[RemoteAdmin]/Win32.MeshAgent
Kingsoft Win32.Troj.Unknown.a
Gridinsoft Malware.Win32.MeshAgent.tr
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.Nemesis.36049
McAfee Artemis!749BD6BF56A6
DeepInstinct MALICIOUS
VBA32 Trojan.Staser
Malwarebytes Generic.Malware/Suspicious
Panda Trj/CI.A
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXEITZ
MaxSecure Trojan.Malware.1728101.susgen
Fortinet Riskware/Application
AVG NSIS:MalwareX-gen [Trj]
Paloalto generic.ml