General

  • Target

    2025-06-05_1532db5d5a58aef608f4b7608404a276_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch

  • Size

    5.0MB

  • Sample

    250605-lvj6rscp21

  • MD5

    1532db5d5a58aef608f4b7608404a276

  • SHA1

    70be46215e77be13c37219fc23e1e59ee88d8ee4

  • SHA256

    d34fffd6d485e7f3633db429c681307c403f0502c9cfe014e78717981798d228

  • SHA512

    1daa5cdcc8880a0f3c8c39bd2d1a0073b33e97ffef9aff2a9671d19329c7a0fd8911497dd017d5ddb17d0e9730140d9e965a2920ed6d5cb4992940bec9aef7a6

  • SSDEEP

    49152:ugvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZY:p4e4uPpVm6gTVGIO7DfEs+eX

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.pchelper.ru:443/agent.ashx

Attributes

  • mesh_id

    0x43CCE4DD140774A1474B9BCCF100432C7AB1B31DAA58E3CB472C7055685FC704BBE67FFDA1C77B0FD931FABC6DC3D23B

  • server_id

    B9576B568DE61B6A40634A6BDFB57FC7ABBBE76BAECBAFF8752567A2B8130AF2E8D3AA8973BC0178454AADFDD748DF03

  • wss

    wss://mesh.pchelper.ru:443/agent.ashx

Targets

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open-source remote access trojan written in C++.

    • Meshagent family

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks