General

  • Target

    2024-09-28_f5cf021c76c2b7ad3d683e7d7839dc9f_poet-rat_snatch

  • Size

    5.0MB

  • Sample

    240928-vz54gaxdrl

  • MD5

    f5cf021c76c2b7ad3d683e7d7839dc9f

  • SHA1

    58f4b330be8f657a9759e9a88ef57d952a71b654

  • SHA256

    f1de63e36ed1999a8c95f09b6af2c1eac37d0edcbb08de5af98d8abd60b82cb3

  • SHA512

    33d4b6270cecf93153027ba4202ec9ab064464aa4e9532bb17e3a97be1fed4e997a4a4003761ce5132925ff8e44584472c814ad547d86a781da50ab5ab1d5c28

  • SSDEEP

    49152:tgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZH:q4e4uPpVm6gTVGIO7DfE6+eS

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.pivstandart.ru:443/agent.ashx

Attributes

  • mesh_id

    0xE6A0EB7B491100BB804B64CF8283276367BD72249E44AE0A25268C87A85263196C658FECAE53830097A4B3ED4BBAED4D

  • server_id

    F98163BFE1DA56903B3FBD7DEAB19FE5E52B82260F71E5B2821181C8052F42B8DABF19E3D1452693B2F7FDFF1A3EEBB3

  • wss

    wss://mesh.pivstandart.ru:443/agent.ashx

Targets

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory
