urelas | b698a8d882738db06f6612192e1c9fa133a6d7b900e3855765fb1b0327131d3a

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.398999460d5e285dd9687ad135fb4fb0.exe
Size

74KB
MD5

398999460d5e285dd9687ad135fb4fb0
SHA1

7b102b2a42c206d6221d3da85e3c4d5c0f7cff71
SHA256

b698a8d882738db06f6612192e1c9fa133a6d7b900e3855765fb1b0327131d3a
SHA512

b5c04cc5fef0aec3590082925d92ae05ac85cb621a227827aaae671d9fea5e177ec86adfff71167217341410a23e1af7968db779068ab4309a897f929cfaf4f3
SSDEEP

1536:N9KbClKpPaKIqaqnEXOWinTLi94xdq4yY5lBqGu1:N9UClKp+qaqnE+fvGU6qE1

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	NEAS.398999460d5e285dd9687ad135fb4fb0.exe

Executes dropped EXE 1 IoCs

pid	Process
2884	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2884	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	89
PID 5112 wrote to memory of 2884	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	89
PID 5112 wrote to memory of 2884	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	89
PID 5112 wrote to memory of 5012	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	90
PID 5112 wrote to memory of 5012	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	90
PID 5112 wrote to memory of 5012	5112	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.398999460d5e285dd9687ad135fb4fb0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.398999460d5e285dd9687ad135fb4fb0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:5012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9565536e11b7fe8d014b281c88ed06f

SHA1
066d4ceb3e1ca8e2500f7378c04a62fdac3eedcb

SHA256
827b6e2869972d3123239400011ece7bb74aa3d569468db74eaaf41339d375c3

SHA512
410e7c0cc2fc62470dee0398a5865ba4e408ae89b3d6b3479a60674bc2ebbddc155d6f5484779b114f281a34635a9ab65e0b6d41cb86c0bf78de444bb6b2bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
74KB

MD5
2dc59628eec9641a2542183ee969c959

SHA1
601af96fb323ab530d32fdcb5b9322ddd1fdd499

SHA256
8e9c509aa9dc50edb0c8723e2a6e1b08cc42fd64eca9098ece0594b31270ede2

SHA512
3c135bab2dd68e7a5b161f8c0287a24115feb7a697cdf062e4b57fbf03644077784525258c0659dcf7684c7012fc2e137b19000365703aca31f879670ad441a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
74KB

MD5
2dc59628eec9641a2542183ee969c959

SHA1
601af96fb323ab530d32fdcb5b9322ddd1fdd499

SHA256
8e9c509aa9dc50edb0c8723e2a6e1b08cc42fd64eca9098ece0594b31270ede2

SHA512
3c135bab2dd68e7a5b161f8c0287a24115feb7a697cdf062e4b57fbf03644077784525258c0659dcf7684c7012fc2e137b19000365703aca31f879670ad441a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
74KB

MD5
2dc59628eec9641a2542183ee969c959

SHA1
601af96fb323ab530d32fdcb5b9322ddd1fdd499

SHA256
8e9c509aa9dc50edb0c8723e2a6e1b08cc42fd64eca9098ece0594b31270ede2

SHA512
3c135bab2dd68e7a5b161f8c0287a24115feb7a697cdf062e4b57fbf03644077784525258c0659dcf7684c7012fc2e137b19000365703aca31f879670ad441a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
866e9095da4db7f14eb73520cb0ca36e

SHA1
2e9cb22410566f595f11ed825628565fb0fd57e6

SHA256
3542850adbebe8a80e251ba8a442a354fa7843e5c45ba2f560f5e3c4a450ed91

SHA512
4fe5911f8dc8bbfa37cb9a83d581ea9dc9ec469236a7b63dc1c49fd778a138bc7ae9f82584fa0681b8800097f25e1625a070f1fe97d39008d11ce96f066d907e

Download Submit
memory/2884-12-0x0000000000F30000-0x0000000000F5B000-memory.dmp

Filesize
172KB

Download
memory/2884-17-0x0000000000F30000-0x0000000000F5B000-memory.dmp

Filesize
172KB

Download
memory/2884-19-0x0000000000F30000-0x0000000000F5B000-memory.dmp

Filesize
172KB

Download
memory/2884-25-0x0000000000F30000-0x0000000000F5B000-memory.dmp

Filesize
172KB

Download
memory/5112-0-0x0000000000800000-0x000000000082B000-memory.dmp

Filesize
172KB

Download
memory/5112-14-0x0000000000800000-0x000000000082B000-memory.dmp

Filesize
172KB

Download