General
-
Target
2025-06-05_1532db5d5a58aef608f4b7608404a276_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch
-
Size
5.0MB
-
Sample
250605-lvj6rscp21
-
MD5
1532db5d5a58aef608f4b7608404a276
-
SHA1
70be46215e77be13c37219fc23e1e59ee88d8ee4
-
SHA256
d34fffd6d485e7f3633db429c681307c403f0502c9cfe014e78717981798d228
-
SHA512
1daa5cdcc8880a0f3c8c39bd2d1a0073b33e97ffef9aff2a9671d19329c7a0fd8911497dd017d5ddb17d0e9730140d9e965a2920ed6d5cb4992940bec9aef7a6
-
SSDEEP
49152:ugvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZY:p4e4uPpVm6gTVGIO7DfEs+eX
Static task
static1
Behavioral task
behavioral1
Sample
2025-06-05_1532db5d5a58aef608f4b7608404a276_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch.exe
Resource
win10v2004-20250502-en
Malware Config
Extracted
meshagent
2
TacticalRMM
http://mesh.pchelper.ru:443/agent.ashx
-
mesh_id
0x43CCE4DD140774A1474B9BCCF100432C7AB1B31DAA58E3CB472C7055685FC704BBE67FFDA1C77B0FD931FABC6DC3D23B
-
server_id
B9576B568DE61B6A40634A6BDFB57FC7ABBBE76BAECBAFF8752567A2B8130AF2E8D3AA8973BC0178454AADFDD748DF03
-
wss
wss://mesh.pchelper.ru:443/agent.ashx
Targets
-
-
Target
2025-06-05_1532db5d5a58aef608f4b7608404a276_cobalt-strike_frostygoop_luca-stealer_poet-rat_sliver_snatch
-
Size
5.0MB
-
MD5
1532db5d5a58aef608f4b7608404a276
-
SHA1
70be46215e77be13c37219fc23e1e59ee88d8ee4
-
SHA256
d34fffd6d485e7f3633db429c681307c403f0502c9cfe014e78717981798d228
-
SHA512
1daa5cdcc8880a0f3c8c39bd2d1a0073b33e97ffef9aff2a9671d19329c7a0fd8911497dd017d5ddb17d0e9730140d9e965a2920ed6d5cb4992940bec9aef7a6
-
SSDEEP
49152:ugvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZY:p4e4uPpVm6gTVGIO7DfEs+eX
-
Detects MeshAgent payload
-
Meshagent family
-
Blocklisted process makes network request
-
Sets service image path in registry
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1