Resubmissions

  • 17-12-2023 17:18: 231217-vvgkbageg4 (10)

  • 17-12-2023 16:29: 231217-tzg6zafabl (10)

  • 17-12-2023 16:14: 231217-tpw75sgdd6 (10)

  • 17-12-2023 13:47: 231217-q3yrcaefar (10)

General

  • Target

    TatsuBeta.exe

  • Size

    71.0MB

  • Sample

    231217-tpw75sgdd6

  • MD5

    9d557789ba3f83c24ad854e437c74b68

  • SHA1

    03c9cdf37f4be76988aa73f98deba3cce92acb69

  • SHA256

    15bb700544c589dba519ae5692062b766d9eced9ed7f6fabc3c44acd686ec2cc

  • SHA512

    3131ca035700984a30b8a7902b62ada88deaad11682ba6bf66bee24ae4aa1fdc00d9e153a96e0d6f801cd4f0665d841dbccbc20bbe881ce5c07daebad29e5ce9

  • SSDEEP

    1572864:V4/4rzOchPLfSy1zsnwUAQL/JhdmSew8sZ1rv7j4ayDBpP3DGh7:ikqcdbH1MbThdgsZ1nj4tBpzGh7

Malware Config

Targets

    • Target

      TatsuBeta.exe

    • Irata

      Irata is an Iranian Android remote access trojan (RAT), first seen in August 2022.

    • Irata payload

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
