General

  • Target

    LeagueFVMT.exe

  • Size

    70.9MB

  • Sample

    231227-crc4lsaeg9

  • MD5

    e82f8a8021e4b4532c19364b26179b70

  • SHA1

    318a99df3ec9d4d45324e3c195044c8167df98ce

  • SHA256

    986117c91d1ec1eb8a4b437f9890d4396a89aa274a9ea7b660d93746548257fb

  • SHA512

    c4a94664628c6e11cd0b2f4e7492bfea100c65eef24691f83b1ccbcb7307a3be1a225e8a966b0f41e2ea1205a7aec0ac4274e691a95c7ba84a7e3e5d907c6c3e

  • SSDEEP

    1572864:G4/4rzOchP5QXAgEgVoWFQWGTtqnufMdBlk/bkTqmPaS7:Nkqcd5QXAQmWiFkdBSkTrl7

Malware Config

Targets

    • Irata

      Irata is an Iranian Android remote access trojan first seen in August 2022.

    • Irata payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks