General
-
Target
2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch
-
Size
5.0MB
-
Sample
250605-mxbg3swnw7
-
MD5
260528f79f29eb6763ea9c430dbfc137
-
SHA1
29a10192e26d4e222f88c7b203bb637674d72026
-
SHA256
23d521262319b37afd0b11a2852565130c6a7504ec274e78f8c8aaa0a003b97c
-
SHA512
713061ea33605a5c99cbc6dd59b8a38120051582c3fe4db38d3965bd4f7dc0dd671dc9ed8858363a330e870ce98b8d764a4478439b3a34ecaa260b60100517fb
-
SSDEEP
49152:rRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJml6OEchY4Vx9n5on0IrYszVS5g:ki1uuVwE2f5Cmsz8GEH+ej4
Static task
static1
Behavioral task
behavioral1
Sample
2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch.exe
Resource
win11-20250502-en
Malware Config
Extracted
meshagent
2
FERNACOM - RMM
http://mesh.fernacom.com:443/agent.ashx
-
mesh_id
0xBA05A591881C808406B7BCC4161D9293C6288CB73A2AFAB59E7FA25A4E842200A69BC41D82BE701049DE67566CD4D236
-
server_id
D142FFDB35D695FD649690942052243E13C6FF4A97C70B8F187170C5DCD8FDE77A50B64AAA4F98A6E280F416F60F8165
-
wss
wss://mesh.fernacom.com:443/agent.ashx
Targets
-
-
Target
2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch
-
Size
5.0MB
-
MD5
260528f79f29eb6763ea9c430dbfc137
-
SHA1
29a10192e26d4e222f88c7b203bb637674d72026
-
SHA256
23d521262319b37afd0b11a2852565130c6a7504ec274e78f8c8aaa0a003b97c
-
SHA512
713061ea33605a5c99cbc6dd59b8a38120051582c3fe4db38d3965bd4f7dc0dd671dc9ed8858363a330e870ce98b8d764a4478439b3a34ecaa260b60100517fb
-
SSDEEP
49152:rRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJml6OEchY4Vx9n5on0IrYszVS5g:ki1uuVwE2f5Cmsz8GEH+ej4
-
Detects MeshAgent payload
-
Meshagent family
-
Blocklisted process makes network request
-
Sets service image path in registry
-
Stops running service(s)
-
Executes dropped EXE
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v16
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1