General

  • Target

    2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch

  • Size

    5.0MB

  • Sample

    250605-mxbg3swnw7

  • MD5

    260528f79f29eb6763ea9c430dbfc137

  • SHA1

    29a10192e26d4e222f88c7b203bb637674d72026

  • SHA256

    23d521262319b37afd0b11a2852565130c6a7504ec274e78f8c8aaa0a003b97c

  • SHA512

    713061ea33605a5c99cbc6dd59b8a38120051582c3fe4db38d3965bd4f7dc0dd671dc9ed8858363a330e870ce98b8d764a4478439b3a34ecaa260b60100517fb

  • SSDEEP

    49152:rRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJml6OEchY4Vx9n5on0IrYszVS5g:ki1uuVwE2f5Cmsz8GEH+ej4

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

FERNACOM - RMM

C2

http://mesh.fernacom.com:443/agent.ashx

Attributes
  • mesh_id

    0xBA05A591881C808406B7BCC4161D9293C6288CB73A2AFAB59E7FA25A4E842200A69BC41D82BE701049DE67566CD4D236

  • server_id

    D142FFDB35D695FD649690942052243E13C6FF4A97C70B8F187170C5DCD8FDE77A50B64AAA4F98A6E280F416F60F8165

  • wss

    wss://mesh.fernacom.com:443/agent.ashx

Targets

    • Target

      2025-06-05_260528f79f29eb6763ea9c430dbfc137_cobalt-strike_frostygoop_hijackloader_luca-stealer_poet-rat_sliver_snatch

    • Size

      5.0MB

    • MD5

      260528f79f29eb6763ea9c430dbfc137

    • SHA1

      29a10192e26d4e222f88c7b203bb637674d72026

    • SHA256

      23d521262319b37afd0b11a2852565130c6a7504ec274e78f8c8aaa0a003b97c

    • SHA512

      713061ea33605a5c99cbc6dd59b8a38120051582c3fe4db38d3965bd4f7dc0dd671dc9ed8858363a330e870ce98b8d764a4478439b3a34ecaa260b60100517fb

    • SSDEEP

      49152:rRg0nHQi1uuVvrb/T8vO90d7HjmAFd4A64nsfJml6OEchY4Vx9n5on0IrYszVS5g:ki1uuVwE2f5Cmsz8GEH+ej4

    • Detects MeshAgent payload

    • MeshAgent

      MeshAgent is an open source remote access trojan written in C++.

    • Meshagent family

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v16

Tasks