General

  • Target

    GalaxySwapperV2.exe

  • Size

    70.8MB

  • Sample

    231208-cy8h4aaa9x

  • MD5

    adaefc3e73fce569a4ff670fd6916532

  • SHA1

    9d484ba3f331e062ee18f213a712473eae4274c1

  • SHA256

    038f126107c495cf65eeca3ac151df56503d3da8a392b101365297759c0d5b62

  • SHA512

    c77a6d1992d0938c77461dde26c6985e6b3280a037c75f5500eb8bf5de3fd88e816ef50592c40c57d83e20df6f9a5306959c893d2c9337163239ed7abd59b911

  • SSDEEP

    1572864:t4/4rzOchPqaQNucn4ai2QfGSvEDtqJQZbXj9hCbB9MvNgqgL7:qkqcdQNHNiNto4JijEcNgqA7

Targets

    • Target

      GalaxySwapperV2.exe

    • Irata

      Irata is an Iranian Android remote access trojan (RAT) first seen in August 2022.

    • Irata payload

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
