File name:	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch
Full analysis:	https://app.any.run/tasks/b3b47400-4708-429f-ab0e-cf50bceb970a
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 25, 2025, 13:30:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader golang evasion meshagent ip-check remote rustdesk
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:	4C63B362B73A36E9410738B9F81428EF
SHA1:	32824D470F193773E515870C9D3CF8DFA076B2A6
SHA256:	A9FCD874776F3F25782F85303CEC11AC2C2E599D05E3D8A3EC3CB5E253BF7D12
SSDEEP:	98304:f9Ogc4grqaOh8gJphW4ZSCC41ZYQau6qA:XK

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2520576
InitializedDataSize:	246784
UninitializedDataSize:	-
EntryPoint:	0x66fe0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line
FileVersionNumber:	2.0.4.0
ProductVersionNumber:	2.0.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	AmidaWare LLC
FileDescription:	Tactical RMM Installer
FileVersion:	v2.0.4.0
InternalName:	rmm.exe
LegalCopyright:	Copyright (c) 2022 AmidaWare LLC
OriginalFileName:	installer.go
ProductName:	Tactical RMM Installer
ProductVersion:	v2.0.4.0


(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.2.2
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\TacticalAgent
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\TacticalAgent\
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: (Default)
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Language
Value: english
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	DisplayName
Value: Tactical RMM Agent
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\TacticalAgent\tacticalrmm.exe
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe"
(PID) Process:	(4652) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe" /SILENT

PID	Process	Filename		Type
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\unins000.exe		executable
		MD5:5E81857286E2795352225BE245FBD62B	SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\is-O6KBF.tmp		executable
		MD5:5E81857286E2795352225BE245FBD62B	SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Users\admin\AppData\Local\Temp\is-5OBKN.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
2072	tacticalagent-v2.8.0-windows-amd64.exe	C:\Users\admin\AppData\Local\Temp\is-OMKP6.tmp\tacticalagent-v2.8.0-windows-amd64.tmp		executable
		MD5:A639312111D278FEE4F70299C134D620	SHA256:4B0BE5167A31A77E28E3F0A7C83C9D289845075B51E70691236603B1083649DF
5992	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe		executable
		MD5:2F046950E65922336CD83BF0DBC9DE33	SHA256:412E1F600251B21911C582E69381F677E663231F5E1D10786D88A026E00EA811
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\tacticalrmm.exe		executable
		MD5:BB383B7C3D5E4ACB1001AB099B5B0F3C	SHA256:A6D3159C858AA3704F35D69B27829618AD0D1BAE894C848A5233100C17464F95
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\is-15CLI.tmp		executable
		MD5:BB383B7C3D5E4ACB1001AB099B5B0F3C	SHA256:A6D3159C858AA3704F35D69B27829618AD0D1BAE894C848A5233100C17464F95
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\unins000.dat		binary
		MD5:520BAE723AD5E7C04E91E9B93EF265C1	SHA256:F2A64EBB538B253FC60EB23A9F9BF8F6E3B8752DC4FD7D790E0519BC0B463FFA
4652	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Users\admin\AppData\Local\Temp\Setup Log 2025-01-25 #001.txt		text
		MD5:C6FC90882E963477115B1BCBF690C815	SHA256:40509564D964BE8681FE3CFE1B57A30CC319B6A2F849E6B96651DCB5F7EB2256
5548	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3AFD07F95E75DD562CF435E3EC2FF9FE02C468C0		binary
		MD5:F0B11F828A2DE36AC71979F27255730E	SHA256:63E8D6877E7DC689A8E350D4F5C01A18155CB4F563C2A22154AB8DFFCA3C5BA1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	101	192.243.222.221:443	https://mesh.trmm.v-consulting.com/agent.ashx	unknown	—	—	unknown
—	—	GET	101	192.243.222.221:443	https://api.trmm.v-consulting.com/natsws	unknown	—	—	unknown
—	—	GET	101	192.243.222.221:443	https://api.trmm.v-consulting.com/natsws	unknown	—	—	unknown
—	—	GET	302	140.82.121.4:443	https://github.com/amidaware/rmmagent/releases/download/v2.8.0/py3.11.9_amd64.zip	unknown	—	—	unknown
—	—	GET	101	192.243.222.221:443	https://mesh.trmm.v-consulting.com/agent.ashx	unknown	—	—	unknown
—	—	GET	200	104.21.12.79:443	https://agents.tacticalrmm.com/api/v2/agents?version=2.8.0&arch=amd64&token=a8858841-9033-44e6-9c5d-bf84521a4f65&plat=windows&api=api.trmm.v-consulting.com	unknown	executable	4.30 Mb	unknown
—	—	POST	200	192.243.222.221:443	https://api.trmm.v-consulting.com/api/v3/meshexe/	unknown	executable	3.31 Mb	unknown
—	—	GET	200	34.160.111.145:443	https://ifconfig.me/ip	unknown	text	39 b	shared
—	—	POST	200	192.243.222.221:443	https://api.trmm.v-consulting.com/api/v3/newagent/	unknown	binary	61 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6068	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.16.204.153:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5992	2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch.exe	172.67.151.233:443	agents.tacticalrmm.com	CLOUDFLARENET	US	unknown
6068	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6068	svchost.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
www.bing.com	2.16.204.153 2.16.204.138 2.16.204.152 2.16.204.146 2.16.204.135 2.16.204.151 2.16.204.141 2.16.204.139 2.16.204.140 2.16.204.136	whitelisted
google.com	142.250.185.78	whitelisted
agents.tacticalrmm.com	172.67.151.233 104.21.12.79	unknown
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.37.237.227	whitelisted
api.trmm.v-consulting.com	192.243.222.221	unknown
mesh.trmm.v-consulting.com	192.243.222.221	unknown
icanhazip.tacticalrmm.io	188.114.96.3 188.114.97.3	unknown
ifconfig.me	34.160.111.145	shared

PID	Process	Class	Message
2192	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
5040	tacticalrmm.exe	Device Retrieving External IP Address Detected	ET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com)
5040	tacticalrmm.exe	Potentially Bad Traffic	ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
7136	powershell.exe	Potentially Bad Traffic	ET INFO Observed Chocolatey Windows Package Management Domain (chocolatey .org in TLS SNI)
2192	svchost.exe	Misc activity	ET INFO RustDesk Domain in DNS Lookup
6912	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
2192	svchost.exe	Misc activity	ET INFO RustDesk Relay Domain in DNS Lookup
6912	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key
2392	rustdesk.exe	Misc activity	ET INFO RustDesk Register Public Key

General Info

2025-01-25_4c63b362b73a36e9410738b9f81428ef_frostygoop_hijackloader_luca-stealer_poet-rat_snatch

4C63B362B73A36E9410738B9F81428EF

32824D470F193773E515870C9D3CF8DFA076B2A6

A9FCD874776F3F25782F85303CEC11AC2C2E599D05E3D8A3EC3CB5E253BF7D12

98304:f9Ogc4grqaOh8gJphW4ZSCC41ZYQau6qA:XK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Changes the Windows auto-update feature

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Executing a file with an untrusted certificate

Create files in the Startup directory

Downloads the requested resource (POWERSHELL)

RUSTDESK has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Runs PING.EXE to delay simulation

Starts CMD.EXE for commands execution

Creates or modifies Windows services

Windows service management via SC.EXE

Uses TASKKILL.EXE to kill process

MeshAgent potential remote access (YARA)

There is functionality for taking screenshot (YARA)

There is functionality for capture public ip (YARA)

Creates a software uninstall entry

Executes as Windows Service

Searches for installed software

Checks for external IP

The process executes via Task Scheduler

Executing commands from a ".bat" file

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

The process executes Powershell scripts

The process hide an interactive prompt from the user

Uses powercfg.exe to modify the power settings

Application launched itself

CSC.EXE is used to compile C# code

Process drops python dynamic module

Process drops legitimate windows executable

Gets or sets the security protocol (POWERSHELL)

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts application with an unusual extension

Stops a currently running service

Uses NETSH.EXE to delete a firewall rule or allowed programs

Starts SC.EXE for service management

Uses REG/REGEDIT.EXE to modify registry

Runs shell command (SCRIPT)

The process executes VB scripts

Sets the service to start on system boot

Creates a new Windows service

Starts itself from another location

Uses NETSH.EXE to add a firewall rule or allowed programs

The process checks if it is being run in the virtual environment

Connects to unusual port

INFO

Creates files in the program directory

Checks supported languages

Reads the machine GUID from the registry

Application based on Golang

Create files in a temporary directory

The sample compiled with english language support

Reads the computer name

Reads the software policy settings

Reads product name

Creates a software uninstall entry

Reads Environment values

Drops encrypted JS script (Microsoft Script Encoder)

Disables trace logs

Uses string replace method (POWERSHELL)

Uses string split method (POWERSHELL)

Script raised an exception (POWERSHELL)

Changes the display of characters in the console