General

  • Target

    2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch

  • Size

    5.0MB

  • Sample

    241127-cv736asjft

  • MD5

    0f0a97e5f2664b87298043aea376cbbf

  • SHA1

    c04b5af158698747ca26800459033699a69b7b1f

  • SHA256

    d28882b11377fb66b7d12d0478b382dc26fc2cdec4555b6b043b168b21c01d12

  • SHA512

    c44b544bf31d74350237dada26dab98bc98d073132eb4c84ec10a7448f8723c53014f5456f3ec56b9f1b18cb55b73bafcf513e33102d517a9c95b0f62b1b56b6

  • SSDEEP

    49152:KgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJpKyutrDb4HGw1lfVGtJS56U:V4e4uPpV26gTVuTO7DfEg+ej

Malware Config

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    TacticalRMM

  • C2

    http://mesh.romanian-jets.com:443/agent.ashx

Attributes

  • mesh_id

    0x6A438D6B556F8C1837420FB5ADBBC50B34577EF551614395CCE03BD5AE4EC0C9F887D5996DA66744D5C6FEB1938DE8C9

  • server_id

    81E686EA81C1B9C8B4C652CE70BB73F334EFCBDCB67C1992D5F9BFB7FA5CD5F902BC00C108423ABDD9C3095BD743ADA7

  • wss

    wss://mesh.romanian-jets.com:443/agent.ashx

Targets

    • Target

      2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory
