urelas | ff34314a429adb6dae01697ca5ae48bfec80dcefdef39629c9eed36d65ab49c6

Analysis

max time kernel
137s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e5ae79491bdad7d13b42da25a61ee100.exe
Size

231KB
MD5

e5ae79491bdad7d13b42da25a61ee100
SHA1

20d4fecb9314ccb047a5a6ab4695a0fc40fa4f67
SHA256

ff34314a429adb6dae01697ca5ae48bfec80dcefdef39629c9eed36d65ab49c6
SHA512

2a6e5dbe04354735a02eef891bd97dc28905d63a073e3193a27f62c33fc361cefd48a451c3aff328d392c6350d44c1d655d89634e0e8045787edb7a50a4fb947
SSDEEP

3072:/YshWbz+6LPr5Qy7K65UC1O9Ro2rqYyXzCEwGNy:/YQWbS6LPeHC1O9RleYuzCEwGNy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-568313063-1441237985-1542345083-1000\Control Panel\International\Geo\Nation	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4948	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	85
PID 1756 wrote to memory of 4948	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	85
PID 1756 wrote to memory of 4948	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	85
PID 1756 wrote to memory of 4196	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	86
PID 1756 wrote to memory of 4196	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	86
PID 1756 wrote to memory of 4196	1756	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.e5ae79491bdad7d13b42da25a61ee100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e5ae79491bdad7d13b42da25a61ee100.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6e0ecec5e285ac121f1bf7f3a59ce016

SHA1
d432c8dd0bd3ddfffaa5a22a74c6da08172c13d7

SHA256
c1df717fda579031c64433ccadbc1e471654b843121f07f4066b7793355e2dfe

SHA512
9c20f07807c92a4bd1808deb68e571fd0ea26f39b6033c8f9e40c0346267aae396ba4ceac427c2daf95d855cca22f05aaeb7ad4f93bd8289972816a55d69527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
232KB

MD5
30a98e2a2dcd3a4f46d08d631ee001cd

SHA1
c92fd52e386ee4dc1dae37346fb1795a80ceaafe

SHA256
0620cc593754dccf38ed20050adb37676d900dde08e4d11ff66cf1e2f5e7a8f0

SHA512
c1cb8fc915aa8181e75761f3335de8d01b952028d0bef55f95fd5e6115c106a48dc12a65be3108a9a7a6f182b208d859c5d6260d465721a197029acb16683667

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
232KB

MD5
30a98e2a2dcd3a4f46d08d631ee001cd

SHA1
c92fd52e386ee4dc1dae37346fb1795a80ceaafe

SHA256
0620cc593754dccf38ed20050adb37676d900dde08e4d11ff66cf1e2f5e7a8f0

SHA512
c1cb8fc915aa8181e75761f3335de8d01b952028d0bef55f95fd5e6115c106a48dc12a65be3108a9a7a6f182b208d859c5d6260d465721a197029acb16683667

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
232KB

MD5
30a98e2a2dcd3a4f46d08d631ee001cd

SHA1
c92fd52e386ee4dc1dae37346fb1795a80ceaafe

SHA256
0620cc593754dccf38ed20050adb37676d900dde08e4d11ff66cf1e2f5e7a8f0

SHA512
c1cb8fc915aa8181e75761f3335de8d01b952028d0bef55f95fd5e6115c106a48dc12a65be3108a9a7a6f182b208d859c5d6260d465721a197029acb16683667

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
a55d65d2d1ba5a81a657a51561e0d651

SHA1
08dd709b2bd4135b83fe79dbe600c0e713ce18e5

SHA256
b8a508df6c8c34f18c0a594dd0b0df9d7f79fb7b06f838cb4067b4d608f6ce64

SHA512
81f1f0b480d1cb8a52df8047ffffca46f47113eb441c4d791fb0ec11647897ff185b7993fe475688d6eb474675bce563bc666742960e3bfeedf22dfdb5ebcbdf

Download Submit
memory/1756-0-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/1756-14-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/4948-11-0x0000000000FF0000-0x000000000102D000-memory.dmp

Filesize
244KB

Download
memory/4948-17-0x0000000000FF0000-0x000000000102D000-memory.dmp

Filesize
244KB

Download
memory/4948-18-0x0000000000FF0000-0x000000000102D000-memory.dmp

Filesize
244KB

Download