urelas | 135807bfc79183f8064315a6b2086ee0933d1f5b44c1e3ab20fbe9824ece90a4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe
Size

4.7MB
MD5

5381e8088a4d5443a40e1316522f8b79
SHA1

6004d42dc5828991c18bce4d18b03991d04b39f5
SHA256

135807bfc79183f8064315a6b2086ee0933d1f5b44c1e3ab20fbe9824ece90a4
SHA512

9438062848f45b92442e68ec86c5273823af740f64c142b353b19f057d1d607f96021595c573fa3ad319b9a27513f70ee4263f22b1e2115f335305c6026ee5b4
SSDEEP

49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcI:a2V7NpW6Y6joUE

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sander.exe

Executes dropped EXE 2 IoCs

pid	Process
3276	sander.exe
1872	ctfmom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe
1872	ctfmom.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3276	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	90
PID 4296 wrote to memory of 3276	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	90
PID 4296 wrote to memory of 3276	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	90
PID 4296 wrote to memory of 5044	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	91
PID 4296 wrote to memory of 5044	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	91
PID 4296 wrote to memory of 5044	4296	2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe	91
PID 3276 wrote to memory of 1872	3276	sander.exe	102
PID 3276 wrote to memory of 1872	3276	sander.exe	102
PID 3276 wrote to memory of 1872	3276	sander.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_5381e8088a4d5443a40e1316522f8b79_magniber_qakbot.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
331B

MD5
22ba921d8d6e205aa419a60f87ef19e7

SHA1
e71bb89d34222ecf12d71df76adde48e7dada0c2

SHA256
5d70927cbabdbcd2a4a39085911bc322ffafd29b33b3191298a9d4bc0683fd6c

SHA512
726c2247b86e3364b7a6c4f77f5d94ba35be38b98c09880ea1044c45fee18a6ffe6de1ebf8c4717375d956e5e8ad2125deb9a3f3680a661baddedfc220a4aa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
6f7433dd66d037254d37338da63c35c5

SHA1
44330ae9d58021b6f1b4de1550464d261992c817

SHA256
7ed3b57dab544cfe103f612aa0bd229442709a490b0282e44dfd3e1d12599e68

SHA512
ae5ddf606bf8b1fc2a36d778105be4825f756a540a741c63f0df0bffc937600101a7b507cbb96154da4dc9253ea4b4a2469ad361cd190f79aeb609fe033d2fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
4.7MB

MD5
86163cfebcb185614add1c19d691524c

SHA1
a3aae21e5545552b4d15efa6b1e90a081e67d711

SHA256
ef2daef1451c71014b9869dbf60584d2cfbf9ac2ac8e74f811bf32ba877a061f

SHA512
c307247d0b10131e8dc1b8ba783f3c5e8772649857e99a69560570f87f1c11b30eb41e6294f7aa15c8a786f7b88c0711a3c7438fa972af09eed2cc3bb21aee01

Download Submit
memory/1872-35-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-33-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-40-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-39-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-28-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-31-0x0000000000AE0000-0x0000000000AE2000-memory.dmp

Filesize
8KB

Download
memory/1872-38-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-26-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-32-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-37-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-34-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/1872-36-0x0000000000B10000-0x0000000000BB1000-memory.dmp

Filesize
644KB

Download
memory/3276-27-0x00000000004B0000-0x0000000000993000-memory.dmp

Filesize
4.9MB

Download
memory/3276-12-0x00000000004B0000-0x0000000000993000-memory.dmp

Filesize
4.9MB

Download
memory/3276-17-0x00000000004B0000-0x0000000000993000-memory.dmp

Filesize
4.9MB

Download
memory/4296-0-0x0000000000530000-0x0000000000A13000-memory.dmp

Filesize
4.9MB

Download
memory/4296-14-0x0000000000530000-0x0000000000A13000-memory.dmp

Filesize
4.9MB

Download