urelas | cfa1165c51784519f42ed6305ccc7a61453f1d9f60d5f7a7d8ba3e4f9bd14d69

Analysis

max time kernel
140s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2023, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42a62e78038136a74524c58adadab260_JC.exe
Size

96KB
MD5

42a62e78038136a74524c58adadab260
SHA1

3ce734f9a58d00320e688d7644b5a249b826a794
SHA256

cfa1165c51784519f42ed6305ccc7a61453f1d9f60d5f7a7d8ba3e4f9bd14d69
SHA512

532bd2239a00574307038cc8b320a7a5e235870346f68d53dd09ad82c2b7320cb1050f1f12e0b906d8018cbee6a795e654fb3935d03f96fbc2f3ae67366bdfaf
SSDEEP

1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9cRzcn:nqV9MziU4piRun7C3CP3MgW

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	42a62e78038136a74524c58adadab260_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4032	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 4032	1324	42a62e78038136a74524c58adadab260_JC.exe	84
PID 1324 wrote to memory of 4032	1324	42a62e78038136a74524c58adadab260_JC.exe	84
PID 1324 wrote to memory of 4032	1324	42a62e78038136a74524c58adadab260_JC.exe	84
PID 1324 wrote to memory of 4736	1324	42a62e78038136a74524c58adadab260_JC.exe	85
PID 1324 wrote to memory of 4736	1324	42a62e78038136a74524c58adadab260_JC.exe	85
PID 1324 wrote to memory of 4736	1324	42a62e78038136a74524c58adadab260_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\42a62e78038136a74524c58adadab260_JC.exe
"C:\Users\Admin\AppData\Local\Temp\42a62e78038136a74524c58adadab260_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
96KB

MD5
fbb8a3338aed6289b2cee586fdabd365

SHA1
f0222a280d1a66ad2543eb8eecf28006ee2a5372

SHA256
9f109e40570da97d9b0d83c854d4e39a231eac8b90623ee8aeb2bc41a98264fb

SHA512
9ceebf44b2b2e6812eb735e44b8b135437ba4389f17aa047a2a019b89dc126803993b33d3a9726b394e3b255426b1c12476c4c6b4f71017bce42a38d20f6bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
96KB

MD5
fbb8a3338aed6289b2cee586fdabd365

SHA1
f0222a280d1a66ad2543eb8eecf28006ee2a5372

SHA256
9f109e40570da97d9b0d83c854d4e39a231eac8b90623ee8aeb2bc41a98264fb

SHA512
9ceebf44b2b2e6812eb735e44b8b135437ba4389f17aa047a2a019b89dc126803993b33d3a9726b394e3b255426b1c12476c4c6b4f71017bce42a38d20f6bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
96KB

MD5
fbb8a3338aed6289b2cee586fdabd365

SHA1
f0222a280d1a66ad2543eb8eecf28006ee2a5372

SHA256
9f109e40570da97d9b0d83c854d4e39a231eac8b90623ee8aeb2bc41a98264fb

SHA512
9ceebf44b2b2e6812eb735e44b8b135437ba4389f17aa047a2a019b89dc126803993b33d3a9726b394e3b255426b1c12476c4c6b4f71017bce42a38d20f6bc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
280B

MD5
33c36650ed812503fc3fd979f845835d

SHA1
7d54ae9c90af7c479efdf2b4f74dab495d07c5cb

SHA256
70895fc5876356dcc8f49f61fe48bf97db6b49f72c434ec288e3cc2aa528dab5

SHA512
857eda36a8275e117e5b9dfa72935f4ff25981a36874a6869cba79750080947c5afb0a8537e8d7f699501ab6bc8e6d898b1646acd6415345ce0028a930b8467e

Download Submit
memory/1324-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4032-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download