urelas | 33c550e7d8a526bf5fa92c9946a292769cb78d4f54b7221a6960740feaccc8eb

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bd711982026f3a86ef657bcfc639ca30.exe
Size

203KB
MD5

bd711982026f3a86ef657bcfc639ca30
SHA1

e2bd2b0dd4e8823e3a29679acefc54d2804190cb
SHA256

33c550e7d8a526bf5fa92c9946a292769cb78d4f54b7221a6960740feaccc8eb
SHA512

510bc867f1da1dbe7a31bcb5b7db9f43323388b1dc69125ba4144a363e862c4bd0bab7ae2b11702e343787b84889c03c654190c2fd213135db7cf02fc1313700
SSDEEP

3072:DPijU4kcITkEnbBvByrEVoULptsdXfBo/DBJBGzkP9T:LijBkcITtnbBvnjLpSa/B

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	NEAS.bd711982026f3a86ef657bcfc639ca30.exe

Executes dropped EXE 1 IoCs

pid	Process
3676	shoste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3676	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	89
PID 2116 wrote to memory of 3676	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	89
PID 2116 wrote to memory of 3676	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	89
PID 2116 wrote to memory of 4372	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	90
PID 2116 wrote to memory of 4372	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	90
PID 2116 wrote to memory of 4372	2116	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
ec8c6027d576083934b133ef746f6a91

SHA1
c29c6728bddf5a06a3e922ad7edca09eb586a552

SHA256
a9e8324119f6d504c148e6ff00726c640a4fdc037185a63a7cf401be95e2dfe0

SHA512
0a26fe53575fa2f53556ad97bc000aded5003dab82cb456b98bc3a98afdfee34ab0f6d5d2abadf8c124cce109dcdf627dc37ec7fa11db90295099ee1ed887311

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
203KB

MD5
1ed33d7a4bf90e3bd0a9c1c4ac17b9bc

SHA1
e595eedf4a810f8c4329127e2b236612f6cbca78

SHA256
65b3308402fceeedfeb24ae5ae580d05e0147db2e14d7a5026de1c1e21178d5d

SHA512
b651fad1fdadad4c74f94c23cdf30c4a31e8a5e95d65df2e910fb984eab4d5654083f2f5eb67465673a87b525b13f7484e4036a1290182c070b645847dc5fe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
203KB

MD5
1ed33d7a4bf90e3bd0a9c1c4ac17b9bc

SHA1
e595eedf4a810f8c4329127e2b236612f6cbca78

SHA256
65b3308402fceeedfeb24ae5ae580d05e0147db2e14d7a5026de1c1e21178d5d

SHA512
b651fad1fdadad4c74f94c23cdf30c4a31e8a5e95d65df2e910fb984eab4d5654083f2f5eb67465673a87b525b13f7484e4036a1290182c070b645847dc5fe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
203KB

MD5
1ed33d7a4bf90e3bd0a9c1c4ac17b9bc

SHA1
e595eedf4a810f8c4329127e2b236612f6cbca78

SHA256
65b3308402fceeedfeb24ae5ae580d05e0147db2e14d7a5026de1c1e21178d5d

SHA512
b651fad1fdadad4c74f94c23cdf30c4a31e8a5e95d65df2e910fb984eab4d5654083f2f5eb67465673a87b525b13f7484e4036a1290182c070b645847dc5fe91

Download Submit
memory/2116-0-0x0000000000C50000-0x0000000000C86000-memory.dmp

Filesize
216KB

Download
memory/2116-14-0x0000000000C50000-0x0000000000C86000-memory.dmp

Filesize
216KB

Download
memory/3676-11-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download
memory/3676-17-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download
memory/3676-18-0x0000000000D30000-0x0000000000D66000-memory.dmp

Filesize
216KB

Download