General

  • Target

    2025-06-04_b7104eb69317dea5fe78d0d2df95baf1_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch

  • Size

    5.0MB

  • Sample

    250604-l7mgnafq8z

  • MD5

    b7104eb69317dea5fe78d0d2df95baf1

  • SHA1

    97337e5f26b8199f7968295fd1fe1e57a5e60079

  • SHA256

    68f7ebe0cb50a329fb2680151c4ea9b66ff13ea4e8df2abcd680ecf7ffedffd8

  • SHA512

    3a3e7388f176cb6692108034e2f28f65f6790312885e89aed5eb72b3dd8447aace7be877cf12e41b2add9b2460657bdaf471d9c03fd6761fa15b9d36ed842523

  • SSDEEP

    49152:zgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZY:84e4uPpVm6gTVGIO7DfEu+eJ

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.pchelper.ru:443/agent.ashx

Attributes

  • mesh_id

    0x43CCE4DD140774A1474B9BCCF100432C7AB1B31DAA58E3CB472C7055685FC704BBE67FFDA1C77B0FD931FABC6DC3D23B

  • server_id

    B9576B568DE61B6A40634A6BDFB57FC7ABBBE76BAECBAFF8752567A2B8130AF2E8D3AA8973BC0178454AADFDD748DF03

  • wss

    wss://mesh.pchelper.ru:443/agent.ashx

Targets

    • Target

      2025-06-04_b7104eb69317dea5fe78d0d2df95baf1_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch

    • Size

      5.0MB

    • MD5

      b7104eb69317dea5fe78d0d2df95baf1

    • SHA1

      97337e5f26b8199f7968295fd1fe1e57a5e60079

    • SHA256

      68f7ebe0cb50a329fb2680151c4ea9b66ff13ea4e8df2abcd680ecf7ffedffd8

    • SHA512

      3a3e7388f176cb6692108034e2f28f65f6790312885e89aed5eb72b3dd8447aace7be877cf12e41b2add9b2460657bdaf471d9c03fd6761fa15b9d36ed842523

    • SSDEEP

      49152:zgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZY:84e4uPpVm6gTVGIO7DfEu+eJ

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks