File name: 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch

Full analysis: https://app.any.run/tasks/c4c4a097-5e78-4c8c-80f6-e6d952febb09
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 12, 2024, 18:54:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
golang
loader
meshagent
ip-check
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5: 3C886E525046EC4023362AB0A8A8A96E
SHA1: 9B43610B5B28FD3B573F7BD9073DC84B913BE909
SHA256: 205495309953CC878B28B5D5F9BC09D908CE8FC4170A98232C833D7C9687DC4F
SSDEEP: 98304:Anz9OgdgXP7aOhkedjIz4ZSCxy1LYQau6q:c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3172)
      • net.exe (PID: 3780)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 3992)
      • net.exe (PID: 2008)
      • net.exe (PID: 3032)
      • net.exe (PID: 1988)
      • cmd.exe (PID: 2572)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2224)
    • Changes powershell execution policy (Bypass)

      • tacticalrmm.exe (PID: 3560)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2224)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 4864)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
      • tacticalrmm.exe (PID: 372)
      • meshagent.exe (PID: 5992)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 3992)
    • Starts CMD.EXE for command execution

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
    • Reads the Windows owner or organization settings

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 4392)
    • Creates or modifies Windows services

      • tacticalrmm.exe (PID: 5652)
      • meshagent.exe (PID: 5992)
      • tacticalrmm.exe (PID: 3560)
    • There is functionality for capturing the public IP (YARA)

      • tacticalrmm.exe (PID: 372)
    • MeshAgent potential remote access (YARA)

      • tacticalrmm.exe (PID: 372)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 4520)
      • tacticalrmm.exe (PID: 3560)
    • Creates a software uninstall entry

      • meshagent.exe (PID: 5992)
    • Searches for installed software

      • tacticalrmm.exe (PID: 372)
      • tacticalrmm.exe (PID: 3560)
    • Application launched itself

      • tacticalrmm.exe (PID: 3560)
    • The process executes Powershell scripts

      • tacticalrmm.exe (PID: 3560)
    • The process bypasses the loading of PowerShell profile settings

      • tacticalrmm.exe (PID: 3560)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 2224)
    • Starts POWERSHELL.EXE for command execution

      • tacticalrmm.exe (PID: 3560)
    • The process hides an interactive prompt from the user

      • tacticalrmm.exe (PID: 3560)
  • INFO

    • Creates files in the program directory

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
      • meshagent.exe (PID: 5992)
      • MeshAgent.exe (PID: 4520)
      • tacticalrmm.exe (PID: 372)
      • tacticalrmm.exe (PID: 3560)
    • Checks supported languages

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 4864)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
      • tacticalrmm.exe (PID: 5652)
      • tacticalrmm.exe (PID: 372)
      • meshagent.exe (PID: 5992)
      • MeshAgent.exe (PID: 4520)
      • tacticalrmm.exe (PID: 3560)
    • The sample is compiled with English language support

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
      • tacticalrmm.exe (PID: 372)
      • meshagent.exe (PID: 5992)
    • Creates files in a temporary directory

      • tacticalagent-v2.8.0-windows-amd64.exe (PID: 4864)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
    • Reads the computer name

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
      • tacticalrmm.exe (PID: 5652)
      • meshagent.exe (PID: 5992)
      • MeshAgent.exe (PID: 4520)
      • tacticalrmm.exe (PID: 3560)
      • MeshAgent.exe (PID: 628)
    • Reads the software policy settings

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalrmm.exe (PID: 372)
      • tacticalrmm.exe (PID: 3560)
    • Reads the machine GUID from the registry

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalrmm.exe (PID: 5652)
      • tacticalrmm.exe (PID: 372)
      • tacticalrmm.exe (PID: 3560)
      • tacticalrmm.exe (PID: 3488)
    • Application based on Golang

      • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (PID: 4548)
      • tacticalrmm.exe (PID: 372)
    • Creates a software uninstall entry

      • tacticalagent-v2.8.0-windows-amd64.tmp (PID: 5268)
    • Reads product name

      • tacticalrmm.exe (PID: 5652)
      • tacticalrmm.exe (PID: 372)
    • Reads Environment values

      • tacticalrmm.exe (PID: 5652)
      • tacticalrmm.exe (PID: 372)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 3560)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • tacticalrmm.exe (PID: 3560)
    • The process uses the downloaded file

      • powershell.exe (PID: 2224)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

ProductVersion: v2.0.4.0
ProductName: Tactical RMM Installer
OriginalFileName: installer.go
LegalCopyright: Copyright (c) 2022 AmidaWare LLC
InternalName: rmm.exe
FileVersion: v2.0.4.0
FileDescription: Tactical RMM Installer
CompanyName: AmidaWare LLC
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.0.4.0
FileVersionNumber: 2.0.4.0
Subsystem: Windows command line
SubsystemVersion: 6.1
ImageVersion: 1
OSVersion: 6.1
EntryPoint: 0x66fe0
UninitializedDataSize: -
InitializedDataSize: 246784
CodeSize: 2520576
LinkerVersion: 3
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware, No debug
TimeStamp: 0000:00:00 00:00:00
MachineType: AMD AMD64
No data.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 46
Malicious processes: 6
Suspicious processes: 6

Behavior graph

Processes shown in the graph, in order ("no specs" marks a process without its own indicators):

  • start
  • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
  • conhost.exe (no specs)
  • tacticalagent-v2.8.0-windows-amd64.exe
  • tacticalagent-v2.8.0-windows-amd64.tmp
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • ping.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • tacticalrmm.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • net.exe (no specs)
  • net1.exe (no specs)
  • tacticalrmm.exe (#MESHAGENT)
  • meshagent.exe
  • meshagent.exe
  • meshagent.exe (no specs)
  • tacticalrmm.exe
  • tacticalrmm.exe
  • conhost.exe (no specs)
  • meshagent.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2216
CMD: "C:\Users\admin\Desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe"
Path: C:\Users\admin\Desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
Parent process: explorer.exe
User:
admin
Company:
AmidaWare LLC
Integrity Level:
MEDIUM
Description:
Tactical RMM Installer
Exit code:
3221226540
Version:
v2.0.4.0
Modules
Images
c:\users\admin\desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
c:\windows\system32\ntdll.dll
PID: 4548
CMD: "C:\Users\admin\Desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe"
Path: C:\Users\admin\Desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
Parent process: explorer.exe
User:
admin
Company:
AmidaWare LLC
Integrity Level:
HIGH
Description:
Tactical RMM Installer
Exit code:
0
Version:
v2.0.4.0
Modules
Images
c:\users\admin\desktop\2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5256
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4864
CMD: C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
Path: C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
Parent process: 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
User:
admin
Company:
AmidaWare Inc
Integrity Level:
HIGH
Description:
Tactical RMM Agent Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\programdata\tacticalrmm\tacticalagent-v2.8.0-windows-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5268
CMD: "C:\Users\admin\AppData\Local\Temp\is-1TC2E.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$8007E,3652845,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
Path: C:\Users\admin\AppData\Local\Temp\is-1TC2E.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
Parent process: tacticalagent-v2.8.0-windows-amd64.exe
User:
admin
Company:
AmidaWare Inc
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-1tc2e.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 3172
CMD: "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: tacticalagent-v2.8.0-windows-amd64.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1144
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5776
CMD: ping 127.0.0.1 -n 2
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2008
CMD: net stop tacticalrpc
Path: C:\Windows\SysWOW64\net.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5868
CMD: C:\WINDOWS\system32\net1 stop tacticalrpc
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events: 28 706
Read events: 28 651
Write events: 55
Delete events: 0

Modification events

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.2

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\TacticalAgent

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\TacticalAgent\

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: Inno Setup: Language
Value: english

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: DisplayName
Value: Tactical RMM Agent

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: DisplayIcon
Value: C:\Program Files\TacticalAgent\tacticalrmm.exe

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe"

(PID) Process: (5268) tacticalagent-v2.8.0-windows-amd64.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation: write
Name: QuietUninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe" /SILENT
Executable files: 9
Suspicious files: 6
Text files: 10
Unknown types: 0

Dropped files

PID: 4548
Process: 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe
Filename: C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
Type: executable
MD5: ED40540E7432BACAA08A6CD6A9F63004
SHA256: D6C7BDAB07151678B713A02EFE7AD5281B194B0D5B538061BDAFDF2C4CA1FDAA

PID: 5268
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-2N1R2.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 5992
Process: meshagent.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.exe
Type: executable
MD5: 32E747EDA182352F2F1883979B8ECCAB
SHA256: 2E94C1F68D529EDECEC9184EE10A3383153752FF57018585D7B491B1EBB6157C

PID: 4520
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\70D634EA162258DC359BD5FDE94558B108790BFE
Type: binary
MD5: 69EF504CE5AA8AA4106752FA491E70C4
SHA256: 9F5A3077DEF69D2E3C324BA275F757909FBFFD38E4448F3A358293D9B75719BE

PID: 5268
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\unins000.exe
Type: executable
MD5: 5E81857286E2795352225BE245FBD62B
SHA256: 2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278

PID: 5268
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Users\admin\AppData\Local\Temp\Setup Log 2024-12-12 #001.txt
Type: text
MD5: 951CD69FEE2F75DCAF56297BE77B0C4F
SHA256: EE68A81FF4DF6AB26FB3A04E434221F5B8E2148C3FAC40EE044D76E14FAF0EEE

PID: 4520
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\40AF6FB2DB0C56131671E0B79E9B4183557CF1C2
Type: binary
MD5: 39B2698228116F921C98AAE6AE6D4EB5
SHA256: E48013E5A0F75598D57161819574E66B79B05C248E83061A2E0EA0466B00A95C

PID: 628
Process: MeshAgent.exe
Filename: C:\Program Files\Mesh Agent\MeshAgent.db
Type: binary
MD5: 624E2B4D0C316D015A92A82B3DCE951E
SHA256: E8CB38CEEB4B3B2074E4E31CABDDB2BB7CC697EEE41E301A3149CFC803EA66C4

PID: 5268
Process: tacticalagent-v2.8.0-windows-amd64.tmp
Filename: C:\Program Files\TacticalAgent\tacticalrmm.exe
Type: executable
MD5: 6CFBD2DA5F304A3B8972EAFE6FE4D191
SHA256: AD29D4E9E01870FFBDB6F2498E6CE36A708E56DB2AD431BA2D80BF5A6CAAC069

PID: 4520
Process: MeshAgent.exe
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\68A012C59961A116D0D6DC1CAF6F2172F509F7B4
Type: binary
MD5: 1FDE70095AE3AC747DE44D1B0C7F3B6D
SHA256: 7F98D55628FF26CFDE3D45D6C301286497B2AA66F68A24D042A94BD07507ECA3
HTTP(S) requests: 32
TCP/UDP connections: 54
DNS requests: 18
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 101 | 185.229.65.114:443 | https://mesh.andvo.ru/agent.ashx | unknown | -
- | - | GET | 101 | 185.229.65.114:443 | https://api.andvo.ru/natsws | unknown | -
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/amidaware/rmmagent/releases/download/v2.8.0/py3.11.9_amd64.zip | unknown | -
- | - | GET | 101 | 185.229.65.114:443 | https://api.andvo.ru/natsws | unknown | -
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/amidaware/rmmagent/releases/download/v2.8.0/tacticalagent-v2.8.0-windows-amd64.exe | unknown | -
1356 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1356 | svchost.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/denoland/deno/releases/download/v1.44.4/deno-x86_64-pc-windows-msvc.zip | unknown | -

(The Type and Size columns of the report are empty for every request; "-" marks a field the report leaves blank.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1356 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4548 | 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe | 140.82.121.3:443 | github.com | GITHUB | US | shared
1356 | svchost.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4548 | 2024-12-12_3c886e525046ec4023362ab0a8a8a96e_frostygoop_luca-stealer_poet-rat_snatch.exe | 185.199.111.133:443 | objects.githubusercontent.com | FASTLY | US | shared
4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

("-" marks a field the report leaves blank.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.171
  • 104.126.37.153
  • 104.126.37.162
  • 104.126.37.179
  • 104.126.37.155
  • 104.126.37.170
  • 104.126.37.154
  • 104.126.37.185
  • 104.126.37.161
whitelisted
google.com
  • 142.250.185.174
whitelisted
github.com
  • 140.82.121.3
  • 140.82.121.4
shared
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.164
  • 23.48.23.173
  • 23.48.23.145
whitelisted
objects.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
shared
www.microsoft.com
  • 184.30.21.171
whitelisted
api.andvo.ru
  • 185.229.65.114
unknown
mesh.andvo.ru
  • 185.229.65.114
unknown
icanhazip.tacticalrmm.io
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
- | - | Potentially Bad Traffic | ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)

("-" marks a field the report leaves blank.)
No debug info