General
- Target: PlanetsTherapy.rar
- Size: 71.0MB
- Sample: 231219-syvv1agfe9
- MD5: a9e9a8666a8ef267debeeac61c383606
- SHA1: 9bc68d1320c96109894538c0ef6b63b014111a90
- SHA256: 1055ef023406f8ca401e6b652583ca67e85724519100f323f48544ea6d635353
- SHA512: ef989918fc354f04931ea0cee2e56998c2475c7f1ea377a788c55605de208cd777676a35e0dcfe837144cbecffd6dda56ddc60dce4e6b9a9e310d8d2845606fd
- SSDEEP: 1572864:nWTlnaFVTOMJcWqm8WoImDVEOTxN/Tz1F2U7CQr/0POyrPs1Tw25JhcM:eaDTOwDqmDOEcXzVmQr/cPrE1Tw23h9
Static task: static1
Behavioral task: behavioral1
- Sample: PlanetsTherapy.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: PlanetsTherapy.exe
- Resource: win10v2004-20231215-en
Malware Config
Targets
- Target: PlanetsTherapy.exe
- Size: 70.9MB
- MD5: 3b2efa2a4e65bb9018535ba7120bbec9
- SHA1: d1bfcf9fdf3200ade60e2c1a0ac4370531193f12
- SHA256: 0ce6468d55e9a83f2d31d02309ed70dc3e894a6f90626819dc414a9ae863030d
- SHA512: 49c3858c9306990ce98c70fe26676984fe2abb215793aa0988ed48d8a32ecc4f2271e16627612d5a03ba1ba4e5eacde38758538aadd5f7968305883682b8d47b
- SSDEEP: 1572864:z4/4rzOchPy4cjKRtxFeYpK4Rkb6n7IFWEOUuqPf7JHArGA7:skqcd7cjKjLRkmn7IFqDqPT9A7
- Irata
  Irata is an Iranian Android remote access trojan first seen in August 2022.
- Irata payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)