urelas | 69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ea1f02d98705fa23f0f37da08b0b14.exe
Size

207KB
MD5

c0ea1f02d98705fa23f0f37da08b0b14
SHA1

5a688d0be7e642aa3d7541252b9b59cf0ba217f2
SHA256

69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec
SHA512

3d445a1a2234affe526ce3c6f119291fb731c846706e1b0c7d6608c9bc0ce8864f167e552761cba109015576c95b9cdf152d35a3d3734649cf3c785ce496ea3e
SSDEEP

1536:1BucKHs7K2HEG7BpoWiZBYHs977q+7INVdU2Aneb61TVcz+3MJb6rcR6:PuchogM57bIL+eb61TVa+3MJb61

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	c0ea1f02d98705fa23f0f37da08b0b14.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1128	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	91
PID 624 wrote to memory of 1128	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	91
PID 624 wrote to memory of 1128	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	91
PID 624 wrote to memory of 4728	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	92
PID 624 wrote to memory of 4728	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	92
PID 624 wrote to memory of 4728	624	c0ea1f02d98705fa23f0f37da08b0b14.exe	92

C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe
"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
207KB

MD5
2d8d926236c18f2f6bdabc62eb8f63b6

SHA1
754492fda4e35ea4896ffebfb82db2fda8a9d55f

SHA256
9d283031712325b95d21b4238738ad0d3f517948f404523dcdc107ae77d666c6

SHA512
b0e2de6f5f1c810d28e35f0044f721134c08752b79b09d10d6142a8b065479e0a264cf33a7c25d7daf1813d7da5303f7db6ad868f59bae67c8ef08d2bba0d34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
e0fd68b180ca3b880f1253ea525cd8a7

SHA1
2455eb699ff3fdd82160f752d48fe86ddc7462f6

SHA256
3be0e7364b79421b9f0ce4189d9131cf63d9563968912eb438b3e6af528d7631

SHA512
789099ae0edf8d5b33be0b52c6272a9f893145594ddef40e918a63bdd39e03832c8040be0cbfeeb41b7ad847acf8133af08bb6ac92a381cd0ef85144726c5021

Download Submit
memory/624-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/624-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download