General

  • Target

    rmm-whiterookcyber-hexicor-workstation.zip

  • Size

    1KB

  • Sample

    240924-bllm5asajm

  • MD5

    59bcd2fb3763d5ef4435388ef11c5d33

  • SHA1

    937d68f14e5d31f90641bf46533052cb34000fd9

  • SHA256

    1d8248219cabdcd1a8333109dd734e0a99acdc9614464a04f5c07a70a6c3d1b2

  • SHA512

    0daa24f7ea6e835964a7ef81c0c1c447187a10b45b147dfab2b143cdf2fb752c5fea895d0d62270632df17baf090074aa657c704fdc5fc8654ade64b49a3f460

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: https://agents.tacticalrmm.com/api/v2/agents/?version=2.8.0&arch=amd64&token=bf707b3c-4252-4a77-8073-3f7b12589422&plat=windows&api=api.trmm.screwlooseit.com.au

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    TacticalRMM

  • C2

    http://mesh.trmm.screwlooseit.com.au:443/agent.ashx

Attributes
  • mesh_id

    0x85FB9F905C525B468D5ECF7ACD8D71551BDAC5541F3C5BF805CACAD4EA856C5137320D5A60A4C26BE8665E24CF35F395

  • server_id

    433049C9A3214D7670D82306969EA38C1B34CA0CF0AE3C16194665BCDBB838705CCF8FDD48B68623920AC9585D137C28

  • wss

    wss://mesh.trmm.screwlooseit.com.au:443/agent.ashx

Targets

    • Target

      rmm-whiterookcyber-hexicor-workstation.ps1

    • Size

      2KB

    • MD5

      035bc3a476c6fe3a307059df1d877604

    • SHA1

      2e7db353e1674bd81416a355d743b2ee2f12e1e5

    • SHA256

      71f7b34ad56f0fdfd440be7a1e530662c5991191c2b7a8c9d9fd851c839c6feb

    • SHA512

      f596760227d0f93612eda9c5b3d2bd409b7442b3c089412b174d15e6f16489d36a40157145d9415962a184013c76936cc194eb72ddb77f3cccecd7576ee56aa7

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

    • Blocklisted process makes network request

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks