File name:	2025-02-18_3eb16bfe589fa8eede0d65e4eaa97af7_frostygoop_luca-stealer_poet-rat_snatch
Full analysis:	https://app.any.run/tasks/90b227a5-2b11-4657-b18c-d501b4b23b54
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	February 18, 2025, 03:10:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	golang loader websocket exfiltration meshagent ip-check arch-exec arch-scr arch-doc
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 7 sections
MD5:	3EB16BFE589FA8EEDE0D65E4EAA97AF7
SHA1:	50AA35104C75E11303A3196D580BA56F6527AB18
SHA256:	DB8E872638FA6E88EAD099D9534B38485E368FD6FAF91D46CC1D5281646CFDDD
SSDEEP:	98304:Unz9agBgXP7aOhkedjIT4ZSCXy13YQau6qW:y2

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2520576
InitializedDataSize:	246784
UninitializedDataSize:	-
EntryPoint:	0x66fe0
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line
FileVersionNumber:	2.0.4.0
ProductVersionNumber:	2.0.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	AmidaWare LLC
FileDescription:	Tactical RMM Installer
FileVersion:	v2.0.4.0
InternalName:	rmm.exe
LegalCopyright:	Copyright (c) 2022 AmidaWare LLC
OriginalFileName:	installer.go
ProductName:	Tactical RMM Installer
ProductVersion:	v2.0.4.0


(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.2.2
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\TacticalAgent
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	InstallLocation
Value: C:\Program Files\TacticalAgent\
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: (Default)
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	Inno Setup: Language
Value: english
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	DisplayName
Value: Tactical RMM Agent
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files\TacticalAgent\tacticalrmm.exe
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	UninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe"
(PID) Process:	(6944) tacticalagent-v2.8.0-windows-amd64.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0D34D278-5FAF-4159-A4A0-4E2D2C08139D}_is1
Operation:	write	Name:	QuietUninstallString
Value: "C:\Program Files\TacticalAgent\unins000.exe" /SILENT

PID	Process	Filename		Type
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\is-5O1H1.tmp		executable
		MD5:5E81857286E2795352225BE245FBD62B	SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
6916	tacticalagent-v2.8.0-windows-amd64.exe	C:\Users\admin\AppData\Local\Temp\is-7JSPI.tmp\tacticalagent-v2.8.0-windows-amd64.tmp		executable
		MD5:A639312111D278FEE4F70299C134D620	SHA256:4B0BE5167A31A77E28E3F0A7C83C9D289845075B51E70691236603B1083649DF
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\unins000.exe		executable
		MD5:5E81857286E2795352225BE245FBD62B	SHA256:2624C22DA19E89717DCD522D22B21849A1C3F0EB781333DF85BE5FCD57597278
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\is-GO8PD.tmp		executable
		MD5:6CFBD2DA5F304A3B8972EAFE6FE4D191	SHA256:AD29D4E9E01870FFBDB6F2498E6CE36A708E56DB2AD431BA2D80BF5A6CAAC069
5736	meshagent.exe	C:\Program Files\Mesh Agent\MeshAgent.exe		executable
		MD5:7450D1FC59FF95B1763698ABF88CA6EF	SHA256:F5BDCB4432E1058CF9316F81FC80561C95539D7AB4254C1E46E48B29CB1D33FF
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Users\admin\AppData\Local\Temp\is-RN6QK.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
1620	MeshAgent.exe	C:\Program Files\Mesh Agent\MeshAgent.db		binary
		MD5:8EAA58E300399CA35A63CBCA4ADF336F	SHA256:6BDF8B727282DE5C9BD1188ECD02680B596F0C47F0C0C62EBD48312B04D7929C
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Program Files\TacticalAgent\tacticalrmm.exe		executable
		MD5:6CFBD2DA5F304A3B8972EAFE6FE4D191	SHA256:AD29D4E9E01870FFBDB6F2498E6CE36A708E56DB2AD431BA2D80BF5A6CAAC069
6944	tacticalagent-v2.8.0-windows-amd64.tmp	C:\Users\admin\AppData\Local\Temp\Setup Log 2025-02-18 #001.txt		text
		MD5:1D9CA94338C05ECE6157093851E7F179	SHA256:C316571D306E9F1CDB44287D6F7A57E2880B4A499AD67BD4B1BF6F7AE300BD2B
6572	MeshAgent.exe	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7732266F69BB2FCB6940F13C061E7C316EE277EB		binary
		MD5:75F1093AEE9B958746ADD09993D4B63C	SHA256:41E13E2567EDE5666568EF2AD318B5F85226A7850484F2BD30D6776AF3F37119

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	302	140.82.121.4:443	https://github.com/amidaware/rmmagent/releases/download/v2.8.0/tacticalagent-v2.8.0-windows-amd64.exe	unknown	—	—	—
—	—	GET	101	194.242.121.194:443	https://mesh.rmmlot.ru/agent.ashx	unknown	—	—	—
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	101	194.242.121.194:443	https://api.rmmlot.ru/natsws	unknown	—	—	—
—	—	GET	101	194.242.121.194:443	https://api.rmmlot.ru/natsws	unknown	—	—	—
—	—	GET	302	140.82.121.4:443	https://github.com/amidaware/rmmagent/releases/download/v2.8.0/py3.11.9_amd64.zip	unknown	—	—	—
—	—	GET	101	194.242.121.194:443	https://mesh.rmmlot.ru/agent.ashx	unknown	—	—	—
—	—	GET	302	140.82.121.4:443	https://github.com/nushell/nushell/releases/download/0.93.0/nu-0.93.0-x86_64-windows-msvc-full.zip	unknown	—	—	—
—	—	GET	302	140.82.121.4:443	https://github.com/denoland/deno/releases/download/v1.44.4/deno-x86_64-pc-windows-msvc.zip	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6672	2025-02-18_3eb16bfe589fa8eede0d65e4eaa97af7_frostygoop_luca-stealer_poet-rat_snatch.exe	140.82.121.4:443	github.com	GITHUB	US	whitelisted
6672	2025-02-18_3eb16bfe589fa8eede0d65e4eaa97af7_frostygoop_luca-stealer_poet-rat_snatch.exe	185.199.109.133:443	objects.githubusercontent.com	FASTLY	US	whitelisted
3976	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6168	tacticalrmm.exe	194.242.121.194:443	api.rmmlot.ru	Closed Joint Stock Company CROC incorporated	RU	unknown
6572	MeshAgent.exe	194.242.121.194:443	api.rmmlot.ru	Closed Joint Stock Company CROC incorporated	RU	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.185.206	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
github.com	140.82.121.4	whitelisted
objects.githubusercontent.com	185.199.109.133 185.199.110.133 185.199.111.133 185.199.108.133	whitelisted
api.rmmlot.ru	194.242.121.194	unknown
mesh.rmmlot.ru	194.242.121.194	unknown
icanhazip.tacticalrmm.io	188.114.97.3 188.114.96.3	unknown
chocolatey.org	104.18.21.76 104.18.20.76	whitelisted

PID	Process	Class	Message
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Request for EXE via GO HTTP Client
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO Packed Executable Download

General Info

2025-02-18_3eb16bfe589fa8eede0d65e4eaa97af7_frostygoop_luca-stealer_poet-rat_snatch

3EB16BFE589FA8EEDE0D65E4EAA97AF7

50AA35104C75E11303A3196D580BA56F6527AB18

DB8E872638FA6E88EAD099D9534B38485E368FD6FAF91D46CC1D5281646CFDDD

98304:Unz9agBgXP7aOhkedjIT4ZSCXy13YQau6qW:y2

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

Changes the Windows auto-update feature

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Downloads the requested resource (POWERSHELL)

Script downloads file (POWERSHELL)

SUSPICIOUS

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Runs PING.EXE to delay simulation

Starts CMD.EXE for commands execution

Windows service management via SC.EXE

Uses TASKKILL.EXE to kill process

Creates or modifies Windows services

Creates a software uninstall entry

Executes as Windows Service

Searches for installed software

There is functionality for taking screenshot (YARA)

MeshAgent potential remote access (YARA)

There is functionality for capture public ip (YARA)

Application launched itself

Process requests binary or script from the Internet

The process bypasses the loading of PowerShell profile settings

The process executes Powershell scripts

The process hide an interactive prompt from the user

Starts POWERSHELL.EXE for commands execution

Process drops python dynamic module

Process drops legitimate windows executable

Gets or sets the security protocol (POWERSHELL)

Creates a directory (POWERSHELL)

Uses WMIC.EXE to obtain data on processes

Gets file extension (POWERSHELL)

Drops 7-zip archiver for unpacking

Gets path to any of the special folders (POWERSHELL)

The process creates files with name similar to system file names

INFO

Creates files in the program directory

The sample compiled with english language support

Checks supported languages

Reads the machine GUID from the registry

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Application based on Golang

Detects GO elliptic curve encryption (YARA)

Reads Environment values

Reads product name

Creates a software uninstall entry

Drops encrypted JS script (Microsoft Script Encoder)

Disables trace logs

Checks whether the specified file exists (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Uses string replace method (POWERSHELL)

Script raised an exception (POWERSHELL)

Manual execution by a user

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules