General

  • Target: TatsuBeta.rar
  • Size: 71.1MB
  • Sample: 231217-q3mdbagaa4
  • MD5: dc9b7bcf91bfb415382e55521c23e916
  • SHA1: 9d015690b0afd236a5adf2bd53c76e6187571556
  • SHA256: dbbe13e230bf1aafd6069a339fd939e22d272215bf934f763cb1cd3ebe780331
  • SHA512: ebe3d84537ba8d2e1f8ac932187962db0075329a64ef40de3ad3537524738e6765fef9eb2dbf9801e4b34184f73d55462adc5b6b05fc83531cf2c2390aa6352e
  • SSDEEP: 1572864:qBOoupFAPIiFXrqmxeOGQCDGUhIabMy9N1LHEX6WslpWmka3:E9wFAPIiFbqmxRKyUhIiLkX6WiR3

Malware Config

Targets

    • Target: TatsuBeta.exe
    • Size: 71.0MB
    • MD5: 9d557789ba3f83c24ad854e437c74b68
    • SHA1: 03c9cdf37f4be76988aa73f98deba3cce92acb69
    • SHA256: 15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc
    • SHA512: 3131ca035700984a30b8a7902b62ada88deaad11682ba6bf66bee24ae4aa1fdc00d9e153a96e0d6f801cd4f0665d841dbccbc20bbe881ce5c07daebad29e5ce9
    • SSDEEP: 1572864:V4/4rzOchPLfSy1zsnwUAQL/JhdmSew8sZ1rv7j4ayDBpP3DGh7:ikqcdbH1MbThdgsZ1nj4tBpzGh7

    • Irata

      Irata is an Iranian remote access trojan Android malware first seen in August 2022.

    • Irata payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks