General
-
Target
2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch
-
Size
5.0MB
-
Sample
241127-cv736asjft
-
MD5
0f0a97e5f2664b87298043aea376cbbf
-
SHA1
c04b5af158698747ca26800459033699a69b7b1f
-
SHA256
d28882b11377fb66b7d12d0478b382dc26fc2cdec4555b6b043b168b21c01d12
-
SHA512
c44b544bf31d74350237dada26dab98bc98d073132eb4c84ec10a7448f8723c53014f5456f3ec56b9f1b18cb55b73bafcf513e33102d517a9c95b0f62b1b56b6
-
SSDEEP
49152:KgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJpKyutrDb4HGw1lfVGtJS56U:V4e4uPpV26gTVuTO7DfEg+ej
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
meshagent
2
TacticalRMM
http://mesh.romanian-jets.com:443/agent.ashx
-
mesh_id
0x6A438D6B556F8C1837420FB5ADBBC50B34577EF551614395CCE03BD5AE4EC0C9F887D5996DA66744D5C6FEB1938DE8C9
-
server_id
81E686EA81C1B9C8B4C652CE70BB73F334EFCBDCB67C1992D5F9BFB7FA5CD5F902BC00C108423ABDD9C3095BD743ADA7
-
wss
wss://mesh.romanian-jets.com:443/agent.ashx
Targets
-
-
Target
2024-11-27_0f0a97e5f2664b87298043aea376cbbf_frostygoop_luca-stealer_poet-rat_snatch
-
Size
5.0MB
-
MD5
0f0a97e5f2664b87298043aea376cbbf
-
SHA1
c04b5af158698747ca26800459033699a69b7b1f
-
SHA256
d28882b11377fb66b7d12d0478b382dc26fc2cdec4555b6b043b168b21c01d12
-
SHA512
c44b544bf31d74350237dada26dab98bc98d073132eb4c84ec10a7448f8723c53014f5456f3ec56b9f1b18cb55b73bafcf513e33102d517a9c95b0f62b1b56b6
-
SSDEEP
49152:KgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJpKyutrDb4HGw1lfVGtJS56U:V4e4uPpV26gTVuTO7DfEg+ej
-
Detects MeshAgent payload
-
Meshagent family
-
Blocklisted process makes network request
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1