OneCert Cyber Security

Our aim is to combat #cybercrime. #CyberSecurity
Website: https://onecert.ir

🚨#Malware Alert - Family: #IRATA

📂Payload URLs:
https://urlhaus.abuse.ch/url/2712806/
https://urlhaus.abuse.ch/url/2713817/

📂Payload:
https://bazaar.abuse.ch/sample/059f40ff1b6e32a0d570af86ca466c7a05fd333274a6e04e81e2de0f5e655cbb/

🔥C2:
fcmbroker[.]info
featchaddress[.]lat

IP : 185.206.95.12
ISP: AS 202468 ( ABRARVAN-AS - Noyan Abr Arvan Co ) IR
Registrar: NAMECHEAP INC - IANA ID: 1068

#Android #apk


- Payload URLs:


IP : 23.94.28.187
ISP: AS 36352 ( AS-COLOCROSSING ) US

#COLOCROSSING

Threat name: #IRATA #spyware

- Payload URLs:


IP : 172.172.236.36
ISP: AS 8075 ( MICROSOFT-CORP-MSN-AS-BLOCK ) US

Threat name: #IRATA #spyware

🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:

hXXp://eblaghshekayatname.hyperphp.com/sana.apk

IP : 185.27.134.59
ISP: AS 34119 ( WILDCARD-AS - Wildcard UK Limited ) GB
Registrar: NAMECHEAP INC

- Payload:

https://bazaar.abuse.ch/sample/91e5c5dbb6e64f5399cd4786f2e91192525b6582a088a8b583a7599a82838567/

#smsspy #spyware #Phishing


🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:

hXXps://openaico.ir/bot/stream/dl/?q=r6wp3wkS4rU

IP : 157.90.108.250
ISP: AS 24940 ( Hetzner Online GmbH ) DE

- Payload:

https://bazaar.abuse.ch/sample/f403f15de411e46b588b0454694a868adf692ac5e7294d07bd3216d500971d3f/

- C2

gamerdet[.]tk

IP : 172.67.174.204, 104.21.72.41
ISP: AS 13335 ( CLOUDFLARENET ) US

#smsspy #spyware #Phishing


🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:

hXXps://ceryew2ir.com/ed.apk

IP : 185.143.234.120
ISP: AS 205585 ( Noyan Abr Arvan Co. ) IR
Registrar: NAMECHEAP INC

- Payload:

https://bazaar.abuse.ch/sample/95daed761fda53bc7acdce7b880c1cb661bf75988084914e0958d33314768fa1/

- C2

hXXps://xreyz.com/000
hXXps://xreyz.com/000/rat.php
hXXps://xreyz.com
hXXps://xreyz.com/000/url.txt

IP : 185.143.234.120
ISP: AS 205585 ( Noyan Abr Arvan Co. ) IR
Registrar: NAMECHEAP INC

#smsspy #spyware #Phishing


🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:

hXXp://dl.safone.me/923581/%D8%B9%D8%AF%D8%A7%D9%84%D8%AA+%D9%87%D9%85%D8%B1%D8%A7%D9%87%D8%8C.apk?hash=AgADYg

hXXp://dl.safone.me/923602/Edalat.ir.apk?hash=AgADYw

hXXp://direct.safone.me/923602/Edalat.ir.apk?hash=AgADYw

Registrar: NameCheap, Inc. IANA ID: 1068
IP : 52.212.52.84 , 54.247.69.169 , 63.32.161.232
ISP: AS16509 ( AMAZON-02 ) IE


🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:

IP : 20.74.163.6
ISP: AS 8075 ( MICROSOFT-CORP-MSN-AS-BLOCK ) UAE

#MICROSOFT #Azure

- Payload:

https://bazaar.abuse.ch/sample/decab5c7e9a8d42e09aa6df39385c95dc603285374a76d8c8e08a025bb7e1dd9/

#smsspy #spyware #Phishing


🚨#Malware Alert
File type: #Apk #Android
Threat name: #IRATA #spyware
(IRATA - Iranian Remote Access Tool Android)

- Payload URLs:
hXXps://panel1.iran-pspcoi[.]info/adl[.]apk
hXXps://panel2.iran-pspcoi[.]info/adl[.]apk
hXXps://panel3.iran-pspcoi[.]info/adl[.]apk

IP : 20.74.163.6
ISP: AS 8075 ( MICROSOFT-CORP-MSN-AS-BLOCK ) UAE

#MICROSOFT

- Payload:

https://bazaar.abuse.ch/sample/e0452b81b45a3a36dbabe7522d5ca942635448283f32c35f05d13990480a21ea/

#smsspy #spyware #Phishing
