urelas | 9a4c4098645829ae3b5f7830fedd58798ebbf96f0173c90031de1a0d943340d4

Analysis

max time kernel
152s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe
Size

76KB
MD5

1baaf4bfd7943e427e3d0e472f4119d0
SHA1

8f174f4f282f43af4758454fd46e0427be90c6fa
SHA256

9a4c4098645829ae3b5f7830fedd58798ebbf96f0173c90031de1a0d943340d4
SHA512

45c6d9efb75c2dbde50298660135a9bcfa57023873f12388f47c1faa1a65145eed319daf80b7dec82a524439d840d65194c1ab104e296cbffad22c21dec6e8cb
SSDEEP

1536:jIr3YriYiUi+H++o1eVlXd+8c0GXmvJJNHjLwl50fPGX:jyYti0pXd+8c0GWvJ3Hvwl5l

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
5080	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 5080	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	88
PID 1384 wrote to memory of 5080	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	88
PID 1384 wrote to memory of 5080	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	88
PID 1384 wrote to memory of 3696	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	89
PID 1384 wrote to memory of 3696	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	89
PID 1384 wrote to memory of 3696	1384	NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1baaf4bfd7943e427e3d0e472f4119d0_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
93c65a2d29a3f6fc7c703df149637d7f

SHA1
a4a27b2eec41990a52a2920818cf940e80fa358d

SHA256
75921ea4058e7f9781fed2c5fe0263052d5eb3b192cf5f9fc0e314487d41d5db

SHA512
7a22bbda614ee62db2b90a970b6ce67f54fbd7fe6babd77977c0c712d65544db698e7390f97b533912b660ac8f92b05d21d60d07e014a1e1810d25faa24ab176

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
9148162d4fb239f6845d2954ce1e2b04

SHA1
ae7d03b0ec5eda8d4e7151b49891a6cd68326f51

SHA256
f906d233b9eb75c8d92b5f7531d4dabea3f831a72f8f7aea4775e54f8e628952

SHA512
f3a507c888be700b77b2025e4ea98ec0d5f60035319424ef0231e92256e4ce1ceff6c6b5b69c5f67240189ae1aa4274933262f38f8cffaca58c8e906e56e3b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
9148162d4fb239f6845d2954ce1e2b04

SHA1
ae7d03b0ec5eda8d4e7151b49891a6cd68326f51

SHA256
f906d233b9eb75c8d92b5f7531d4dabea3f831a72f8f7aea4775e54f8e628952

SHA512
f3a507c888be700b77b2025e4ea98ec0d5f60035319424ef0231e92256e4ce1ceff6c6b5b69c5f67240189ae1aa4274933262f38f8cffaca58c8e906e56e3b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
9148162d4fb239f6845d2954ce1e2b04

SHA1
ae7d03b0ec5eda8d4e7151b49891a6cd68326f51

SHA256
f906d233b9eb75c8d92b5f7531d4dabea3f831a72f8f7aea4775e54f8e628952

SHA512
f3a507c888be700b77b2025e4ea98ec0d5f60035319424ef0231e92256e4ce1ceff6c6b5b69c5f67240189ae1aa4274933262f38f8cffaca58c8e906e56e3b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
2829016e1543e25208f35abfdcd1d194

SHA1
e5161f37954516b7890803958b86319e2ad423ed

SHA256
b79e1f32da9646465f7235158e73edaaad259fe47e38e2ca0d3122bffe9acff3

SHA512
d7031ab1f94e3eb4ff39f8cb630011934f0fb9ca723aad8d5f9ec488d77f1a0cb23ecc3b6e4dadb2aba40252e2869bacbc5757a69d76894c26346d5fc11d0338

Download Submit
memory/1384-0-0x00000000009E0000-0x0000000000A1D000-memory.dmp

Filesize
244KB

Download
memory/1384-3-0x00000000009E0000-0x0000000000A1D000-memory.dmp

Filesize
244KB

Download
memory/1384-15-0x00000000009E0000-0x0000000000A1D000-memory.dmp

Filesize
244KB

Download
memory/5080-10-0x0000000000A60000-0x0000000000A9D000-memory.dmp

Filesize
244KB

Download
memory/5080-18-0x0000000000A60000-0x0000000000A9D000-memory.dmp

Filesize
244KB

Download
memory/5080-20-0x0000000000A60000-0x0000000000A9D000-memory.dmp

Filesize
244KB

Download
memory/5080-26-0x0000000000A60000-0x0000000000A9D000-memory.dmp

Filesize
244KB

Download