Overview

overview

10

Static

static

3

2024-11-22...ch.exe

windows7-x64

1

2024-11-22...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-11-22_871090ba766970cd5092900b2bb8bc72_frostygoop_luca-stealer_poet-rat_snatch

  • Size

    5.0MB

  • Sample

    241122-r1a3yasna1

  • MD5

    871090ba766970cd5092900b2bb8bc72

  • SHA1

    ffbe4b5fbe63c89bbbf3c07a0c42a09d9937b31d

  • SHA256

    3d4c66adfda4f5b8f7e6b44e27edd36a99ee5c30f88f460c6ea51108d40c4798

  • SHA512

    c3d956e563da85dd5883dccdd29fbb78f3704e5b0df6bc15ef6baa49d7690bb14f140e9720c85f71c9c2526604a5e9a694b780ce1219850ca9d91358aa165653

  • SSDEEP

    49152:YgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5Zv:X4e4uPpVm6gTVGIO7DfEi+ea

Score
10/10
meshagenttacticalrmmbackdoordiscoveryevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://meshrja.mabbix.com.br:443/agent.ashx

Attributes
  • mesh_id

    0x9B2B0319E4A74B42A39507D39345115340C177F5E5BC421B381B855A04AAF9B40701FAAC46E3D72A23E9AFF3FA7FAA19

  • server_id

    A7ED20168B104B6FC53BA21A88632BE0C82E061129279301C6D6D6B83BE64340DD105A6CA7EAB1007D95A1A1CF3E11C0

  • wss

    wss://meshrja.mabbix.com.br:443/agent.ashx

Targets

    • Target

      2024-11-22_871090ba766970cd5092900b2bb8bc72_frostygoop_luca-stealer_poet-rat_snatch

    • Size

      5.0MB

    • MD5

      871090ba766970cd5092900b2bb8bc72

    • SHA1

      ffbe4b5fbe63c89bbbf3c07a0c42a09d9937b31d

    • SHA256

      3d4c66adfda4f5b8f7e6b44e27edd36a99ee5c30f88f460c6ea51108d40c4798

    • SHA512

      c3d956e563da85dd5883dccdd29fbb78f3704e5b0df6bc15ef6baa49d7690bb14f140e9720c85f71c9c2526604a5e9a694b780ce1219850ca9d91358aa165653

    • SSDEEP

      49152:YgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5Zv:X4e4uPpVm6gTVGIO7DfEi+ea

    Score
    10/10
    meshagenttacticalrmmbackdoordiscoveryevasionexecutionpersistencerattrojan

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

      rattrojanbackdoormeshagent

    • Meshagent family

      meshagent

    • Blocklisted process makes network request

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks