Overview

overview

10

Static

static

3

2024-12-19...ch.exe

windows7-x64

1

2024-12-19...ch.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2024-12-19_4e09a948b10e96db17394ed8d8a8716a_frostygoop_luca-stealer_poet-rat_snatch

  • Size

    5.0MB

  • Sample

    241219-pknmzstjg1

  • MD5

    4e09a948b10e96db17394ed8d8a8716a

  • SHA1

    71c7e1a0be05023dedcee3cfa6267f1b9a6c5e69

  • SHA256

    8505c093becd6ebe8e8139788e4ebe2b6f596265f18199c874b5603e5bbffd4c

  • SHA512

    26afddb878bad4d00781d2fd652de3e61add418856a040c7645f61e60e25f87fe5b973420a1678ce30b04249307446251b47177e5a0cc04464189f9e141bdc4f

  • SSDEEP

    49152:rgvUDWn4ewuPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGdJS5x9:M4ewuPpVW6gTVe4O7LfEu+eo

Score
10/10
meshagenttacticalrmmbackdoordiscoveryevasionexecutionpersistencerattrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    files.iline.pro
  • Port:
    21
  • Username:
    ftp-rmm
  • Password:
    5tB_hNaV2gh!rBh

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.iline.pro:443/agent.ashx

Attributes
  • mesh_id

    0x292B109256604ED7CAE1A1BCE7CE2A9FC9BE56489792BB0EDE5F4A15F5C33A8635085DE21F23A427A744D6D6C58E33AF

  • server_id

    FDA3919C9844218611FEFA0E1F94C674C6DB04D936A2CDCE48D907D5A52A2926F2A1606BA653F07E372730476B6F24C9

  • wss

    wss://mesh.iline.pro:443/agent.ashx

Targets

    • Target

      2024-12-19_4e09a948b10e96db17394ed8d8a8716a_frostygoop_luca-stealer_poet-rat_snatch

    • Size

      5.0MB

    • MD5

      4e09a948b10e96db17394ed8d8a8716a

    • SHA1

      71c7e1a0be05023dedcee3cfa6267f1b9a6c5e69

    • SHA256

      8505c093becd6ebe8e8139788e4ebe2b6f596265f18199c874b5603e5bbffd4c

    • SHA512

      26afddb878bad4d00781d2fd652de3e61add418856a040c7645f61e60e25f87fe5b973420a1678ce30b04249307446251b47177e5a0cc04464189f9e141bdc4f

    • SSDEEP

      49152:rgvUDWn4ewuPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGdJS5x9:M4ewuPpVW6gTVe4O7LfEu+eo

    Score
    10/10
    meshagenttacticalrmmbackdoordiscoveryevasionexecutionpersistencerattrojanupx

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

      rattrojanbackdoormeshagent

    • Meshagent family

      meshagent

    • Blocklisted process makes network request

    • Sets service image path in registry

      persistence

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks