General

  • Target

    PlanetsTherapy.rar

  • Size

    71.0MB

  • Sample

    231219-syvv1agfe9

  • MD5

    a9e9a8666a8ef267debeeac61c383606

  • SHA1

    9bc68d1320c96109894538c0ef6b63b014111a90

  • SHA256

    1055ef023406f8ca401e6b652583ca67e85724519100f323f48544ea6d635353

  • SHA512

    ef989918fc354f04931ea0cee2e56998c2475c7f1ea377a788c55605de208cd777676a35e0dcfe837144cbecffd6dda56ddc60dce4e6b9a9e310d8d2845606fd

  • SSDEEP

    1572864:nWTlnaFVTOMJcWqm8WoImDVEOTxN/Tz1F2U7CQr/0POyrPs1Tw25JhcM:eaDTOwDqmDOEcXzVmQr/cPrE1Tw23h9

Malware Config

Targets

    • Target

      PlanetsTherapy.exe

    • Size

      70.9MB

    • MD5

      3b2efa2a4e65bb9018535ba7120bbec9

    • SHA1

      d1bfcf9fdf3200ade60e2c1a0ac4370531193f12

    • SHA256

      0ce6468d55e9a83f2d31d02309ed70dc3e894a6f90626819dc414a9ae863030d

    • SHA512

      49c3858c9306990ce98c70fe26676984fe2abb215793aa0988ed48d8a32ecc4f2271e16627612d5a03ba1ba4e5eacde38758538aadd5f7968305883682b8d47b

    • SSDEEP

      1572864:z4/4rzOchPy4cjKRtxFeYpK4Rkb6n7IFWEOUuqPf7JHArGA7:skqcd7cjKjLRkmn7IFqDqPT9A7

    • Irata

      Irata is an Iranian Android remote access trojan first seen in August 2022.

    • Irata payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks