Overview

overview

10

Static

static

10

2024-11-01...ot.exe

windows7-x64

10

2024-11-01...ot.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-01_a3b2fa7015f80bea2644aaa963f709f5_magniber_qakbot.exe

  • Size

    4.7MB

  • MD5

    a3b2fa7015f80bea2644aaa963f709f5

  • SHA1

    406d3de703b6263ff3a06ea21b061339817726e3

  • SHA256

    0001ea31fc114b31d77b362e7e63252a0a681d5937dcb783da74677d2cae20a2

  • SHA512

    40fb89c24d097d0a2827b177ff628c6e907820b50cdbed128da0aafd41bcfed4c3bb7ffaf5cd9e690b6a18b6554a969e8bea5770a26127b2ddedb548c434a0a9

  • SSDEEP

    49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcl:a2V7NpW6Y6joUx

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-01_a3b2fa7015f80bea2644aaa963f709f5_magniber_qakbot.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-01_a3b2fa7015f80bea2644aaa963f709f5_magniber_qakbot.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\sander.exe
      "C:\Users\Admin\AppData\Local\Temp\sander.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
        "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3884
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat
    Filesize

    331B

    MD5

    e633c74d9f8dcf0e83d6a63e79aabb91

    SHA1

    0f5f280c6b924bb0f2b9ef532f2bbad1ffa644d7

    SHA256

    f716b14036c0695521617167073e15e9e472d7283f7aecdd9d275e23bd8373df

    SHA512

    b553fa594a4a7e6682571cf6e4c6c456c0673fbabf397096dcc35df51edc552f851b794116fa3b50723c3166ff007c12d124c9e90fb35b0bd5aca613ff85724d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    Filesize

    221KB

    MD5

    faad52ab3adb17828271edffc4340eb2

    SHA1

    56f173b317ce23aa5e8119426ad6f0c834d810b5

    SHA256

    7a404a2c5579122b60ed438d9b64b2eb507f380c0b3e3ccd886a5c5ab5ddd607

    SHA512

    6e0cc9d012a587ecb285cc31f67cbf46e3355ffcf6318f6c4732a9df1aae93c63c9d810fb2d283d622a83359be0c6bd2cd2f76ef61244c1c733aeadd6d3920e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    04113afab96ff36e7da4cabf336079cf

    SHA1

    2ab6a01f123c1ef4227cb134612749b67a237bf6

    SHA256

    8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

    SHA512

    68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sander.exe
    Filesize

    4.7MB

    MD5

    557904a905a1bef30dd219e3d6e7e9de

    SHA1

    df1b7868f985ef6ea413bf0628c4edc26b895133

    SHA256

    a0af121fa0544ac50aee49677fbac6fec93251de20207a374a46588affea54d5

    SHA512

    3075563464eab1cfb8a94dc1cf24dbab970b9ddb82dbd14d2da54537bcb8aa6c1ec425280a44fa142f62852dbfbaa1158c0c937ea58d26d665a278ed8d537c98

    Download Submit

  • memory/1640-30-0x00000000002A0000-0x0000000000783000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1640-11-0x00000000002A0000-0x0000000000783000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1640-17-0x00000000002A0000-0x0000000000783000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3884-33-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-34-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-31-0x00000000023C0000-0x00000000023C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3884-40-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-27-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-32-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-39-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-26-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-35-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-36-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-37-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/3884-38-0x0000000000EF0000-0x0000000000F91000-memory.dmp

    Filesize

    644KB

    Download

  • memory/4656-15-0x00000000009A0000-0x0000000000E83000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/4656-0-0x00000000009A0000-0x0000000000E83000-memory.dmp

    Filesize

    4.9MB

    Download