urelas | f6c8a2b59adf369b7096bbffb617c22e767ac6f6d9ba40966ed346e59d6a84a3

Analysis

max time kernel
170s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e32ef0e287e6b5e284b882356a849220.exe
Size

344KB
MD5

e32ef0e287e6b5e284b882356a849220
SHA1

249ecaba9a2302d5b41fb7dbdcfa845fe06a8d7b
SHA256

f6c8a2b59adf369b7096bbffb617c22e767ac6f6d9ba40966ed346e59d6a84a3
SHA512

bbaa666ef50a94c325a11fcb08ed3f4c5007886274347ec0d9e168115561abfd6bef0399b282ecfadf49eb83ae14d3906b9668dfd901653472c20e1b82e06204
SSDEEP

6144:SaVKyyzwbnUkoiqwcAR92o29tZTEr6UTdO5CksxCDy9pPbzBHU2ytlu8:g7yUTihRQhE9ONs46pP3BHUbtT

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.e32ef0e287e6b5e284b882356a849220.exe

Executes dropped EXE 1 IoCs

pid	Process
1372	qylut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 1372	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	102
PID 4300 wrote to memory of 1372	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	102
PID 4300 wrote to memory of 1372	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	102
PID 4300 wrote to memory of 224	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	103
PID 4300 wrote to memory of 224	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	103
PID 4300 wrote to memory of 224	4300	NEAS.e32ef0e287e6b5e284b882356a849220.exe	103

C:\Users\Admin\AppData\Local\Temp\NEAS.e32ef0e287e6b5e284b882356a849220.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e32ef0e287e6b5e284b882356a849220.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Users\Admin\AppData\Local\Temp\qylut.exe
  "C:\Users\Admin\AppData\Local\Temp\qylut.exe"
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
217c2cdd7203c235aef2433dd21c8d78

SHA1
daddc6bf0a3c11b91df59a634e5b319074960118

SHA256
de70a281264a8355daadcd0d271be717d99bb8b676794f94f18e4365a4715498

SHA512
f8f490e2127986108291b4e930e095991fca35d20ee8ab64d6851b94fbf2bc6c5e93f642f0063d1ee424f26199673f477ba3c2f28e1540b327ea108ecd27d014

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b703f394f85f93034ac538108793134f

SHA1
4f4e5a2a559c96fa83c039208d60a23f24f25eaf

SHA256
c68f2bd2134628b9fb567fd7ad004ef2d1a358407ea91f7e2a0a8a9434fbdb47

SHA512
2b95eb7a3b54f7a3278d345147632ff335bad813274b0bccc2eabec933f256681b0050866a11086f690e6388ec41c15349f55575061f2bc92b0c05058f4e58b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qylut.exe

Filesize
345KB

MD5
10260d4a2d04901dd793f6a4ae0178e6

SHA1
1360e11cd03425a362ba85c935f521595e422af9

SHA256
ca890a93efd0c1e5981699865b8602d864664ab42eda548715671ebec5edd0de

SHA512
eb42572be56bfe4c096162a18f0a4ded8edbd499e685b09575287b81d161568c99c9e57ce593c1bdff1252132688475cb43ea44a063fe2cc8369ca105a3a1eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qylut.exe

Filesize
345KB

MD5
10260d4a2d04901dd793f6a4ae0178e6

SHA1
1360e11cd03425a362ba85c935f521595e422af9

SHA256
ca890a93efd0c1e5981699865b8602d864664ab42eda548715671ebec5edd0de

SHA512
eb42572be56bfe4c096162a18f0a4ded8edbd499e685b09575287b81d161568c99c9e57ce593c1bdff1252132688475cb43ea44a063fe2cc8369ca105a3a1eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qylut.exe

Filesize
345KB

MD5
10260d4a2d04901dd793f6a4ae0178e6

SHA1
1360e11cd03425a362ba85c935f521595e422af9

SHA256
ca890a93efd0c1e5981699865b8602d864664ab42eda548715671ebec5edd0de

SHA512
eb42572be56bfe4c096162a18f0a4ded8edbd499e685b09575287b81d161568c99c9e57ce593c1bdff1252132688475cb43ea44a063fe2cc8369ca105a3a1eb8

Download Submit
memory/1372-18-0x0000000000020000-0x00000000000E1000-memory.dmp

Filesize
772KB

Download
memory/1372-26-0x0000000000020000-0x00000000000E1000-memory.dmp

Filesize
772KB

Download
memory/1372-27-0x0000000000020000-0x00000000000E1000-memory.dmp

Filesize
772KB

Download
memory/4300-0-0x00000000000D0000-0x0000000000191000-memory.dmp

Filesize
772KB

Download
memory/4300-1-0x00000000000D0000-0x0000000000191000-memory.dmp

Filesize
772KB

Download
memory/4300-5-0x00000000000D0000-0x0000000000191000-memory.dmp

Filesize
772KB

Download
memory/4300-25-0x00000000000D0000-0x0000000000191000-memory.dmp

Filesize
772KB

Download