urelas | d5295dcd878f03515473703afa8d8b6108f0073ef6622d06d1ed962d9c5f0255

Analysis

max time kernel
143s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03be7942023f8a6b767b51fe18b018b8.exe
Size

95KB
MD5

03be7942023f8a6b767b51fe18b018b8
SHA1

52107bae9da2f1d2de6df8a89e564e2934cedeec
SHA256

d5295dcd878f03515473703afa8d8b6108f0073ef6622d06d1ed962d9c5f0255
SHA512

2fa43273cd0aeade5e0e49faa4a2881ab5693277746bee6182277c2de28cd66e01d4cba7c715cb648b1e93cfd1626bf0ada51b216039203ac32383b27b221870
SSDEEP

1536:nwhq8V9IpPf2lgiIJ4pivJnuNVueC39GdBR3M9co:nqV9MziU4piRun7C3CP3Mb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	03be7942023f8a6b767b51fe18b018b8.exe

Executes dropped EXE 1 IoCs

pid	Process
1288	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1288	3068	03be7942023f8a6b767b51fe18b018b8.exe	93
PID 3068 wrote to memory of 1288	3068	03be7942023f8a6b767b51fe18b018b8.exe	93
PID 3068 wrote to memory of 1288	3068	03be7942023f8a6b767b51fe18b018b8.exe	93
PID 3068 wrote to memory of 220	3068	03be7942023f8a6b767b51fe18b018b8.exe	89
PID 3068 wrote to memory of 220	3068	03be7942023f8a6b767b51fe18b018b8.exe	89
PID 3068 wrote to memory of 220	3068	03be7942023f8a6b767b51fe18b018b8.exe	89

C:\Users\Admin\AppData\Local\Temp\03be7942023f8a6b767b51fe18b018b8.exe
"C:\Users\Admin\AppData\Local\Temp\03be7942023f8a6b767b51fe18b018b8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:220
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
53KB

MD5
eb493e5b3defe22fb0bc0412ada80519

SHA1
4ba6d6c848b4428530231d2f5ef8b6db29351b0d

SHA256
67ce68e4df009ee7d76a730b9afbd51377b2d04a7191e3ed10afe23c1359df96

SHA512
615ad44758679329513a449c131b70a563921c96fe40fb57ced4ddf264415a3d1a35403581f4baf9b75c2bd80be87c50f0121caa447eb01aebe56c8f29b87d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
47KB

MD5
73c25826f0550fe2ff38550669fc9fd4

SHA1
91f3624bd01586362118020f89b5353ea29ced2f

SHA256
653ab355198a1e332cde56f0347f1ec015fc18edec0227c54e4d12b8dcfe92d0

SHA512
4ec700e575d75362e956c9f67ef34089874839ed51398a9af4f8e76c5f9b4c03f3d50e91fb15a1d31831044b2c37d90a8e63200fd39cb1ba18267b67addbb613

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
24KB

MD5
17afedab1cb2707ad287206b653def46

SHA1
09963846e6a1c37eb6d3bda930262a0471f5ceae

SHA256
b6c487955698aa390fe66f33a7fa1624b92ffbadc72432ed05d71a26bca77d99

SHA512
0880a317043623dfbddda0719d3054868abccaf117fafb764aaf96fe917bfb8453f120d7468de60f7466c2c43fc030c4c9c935c8d471f8f86f1fdaaa1b709de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
2115fc896a2bea49526d77114af3e39b

SHA1
44a0d5ee05621acd8c4da5c1be2edb6f0efcf6ef

SHA256
f9b083875da9bb0265b90fc2bc187b7c008622c4c384ed05334fbd4a47d1688f

SHA512
d263bd5e41941a6849bb34bfabcd31a0817418da2372b5c829c27bbd0657860b047a478637949c4a4c63915e3763cd7831807ace18ea514800abfe454bdc64df

Download Submit
memory/1288-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1288-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1288-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1288-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3068-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download