urelas | b495a933d917284d9f35f1a013d9717c20a55bcea142ae03de6790071f0ea3d4

Analysis

max time kernel
136s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6fbb9f08304493011c5f575281a17200.exe
Size

77KB
MD5

6fbb9f08304493011c5f575281a17200
SHA1

bcb7cdfd873dec0827f9436cfeb9e21e8af69468
SHA256

b495a933d917284d9f35f1a013d9717c20a55bcea142ae03de6790071f0ea3d4
SHA512

92d59a578e3846c8db686ab07f76c575916fddbe978428b51d8c199b271a7c289a703d1b1a0ed3e94b6316c75fc50b57c71eb0d788fa55ef6aa10dcb978395b4
SSDEEP

1536:zxKyhnAUfUiZR9G84qk+Be/HZ17hmZp2t:zLCEZTGx518E

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.6fbb9f08304493011c5f575281a17200.exe

Executes dropped EXE 1 IoCs

pid	Process
4012	poldge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4012	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	93
PID 4060 wrote to memory of 4012	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	93
PID 4060 wrote to memory of 4012	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	93
PID 4060 wrote to memory of 4760	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	94
PID 4060 wrote to memory of 4760	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	94
PID 4060 wrote to memory of 4760	4060	NEAS.6fbb9f08304493011c5f575281a17200.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
78KB

MD5
5f93059a2380f17d28bbf3c259b4168d

SHA1
ccab05081be2960c26825ff94d683d84a12bcc1b

SHA256
14ff8b568f85a78ac80233b44d9ead49f8d81af010b9aa8c71b8da396fd581ca

SHA512
de6a15f3a1ad4ae5f36d8de5dd3093c76504c1d045d0cdd3a615b4c75450b787edfb0e7da33ce2e5ee9ed562d4e51e83205faba54f271bd6d334142776652c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
78KB

MD5
5f93059a2380f17d28bbf3c259b4168d

SHA1
ccab05081be2960c26825ff94d683d84a12bcc1b

SHA256
14ff8b568f85a78ac80233b44d9ead49f8d81af010b9aa8c71b8da396fd581ca

SHA512
de6a15f3a1ad4ae5f36d8de5dd3093c76504c1d045d0cdd3a615b4c75450b787edfb0e7da33ce2e5ee9ed562d4e51e83205faba54f271bd6d334142776652c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
78KB

MD5
5f93059a2380f17d28bbf3c259b4168d

SHA1
ccab05081be2960c26825ff94d683d84a12bcc1b

SHA256
14ff8b568f85a78ac80233b44d9ead49f8d81af010b9aa8c71b8da396fd581ca

SHA512
de6a15f3a1ad4ae5f36d8de5dd3093c76504c1d045d0cdd3a615b4c75450b787edfb0e7da33ce2e5ee9ed562d4e51e83205faba54f271bd6d334142776652c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
253b224b4b890a6141588c3af279b4cd

SHA1
2b03fb0f093da8899a4792dec24524d6ef48d47c

SHA256
7a32edda7451cca0ead58782ed1938581f697044c3b920edd631e8c3ec96dc83

SHA512
359bcdb083bfbe4ff4a47be406fc6ba6c9e36e452e646d4b4783ecb327fc1c8599ca44e0b33ce054a5b3f5f5c92d61e6f944479c9e3965b3ac4e5558fa0afcc3

Download Submit
memory/4012-13-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

Filesize
184KB

Download
memory/4012-18-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

Filesize
184KB

Download
memory/4012-24-0x0000000000CD0000-0x0000000000CFE000-memory.dmp

Filesize
184KB

Download
memory/4060-0-0x00000000004E0000-0x000000000050E000-memory.dmp

Filesize
184KB

Download
memory/4060-3-0x00000000004E0000-0x000000000050E000-memory.dmp

Filesize
184KB

Download
memory/4060-15-0x00000000004E0000-0x000000000050E000-memory.dmp

Filesize
184KB

Download