Analysis
-
max time kernel
149s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
23-11-2024 19:58
General
-
Target
2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe
-
Size
4.7MB
-
MD5
bc3c88404d4409b597b534093153f9c9
-
SHA1
7c7d487d5c749e8d9d906e8a01b4b8092f457991
-
SHA256
7b7861b8fd660d916ceaab223f147b8fc7a391d36b53df6edf3133ba2f7a6d61
-
SHA512
a0b5e5d3fd4ec2a0c95ec3934993155c597fef26ee07d49d15f3e8ae0ad6c4cc409c551bfc20f5e2bae738033d889a39836f23a748c1b57d45fc1bbd44ac7be5
-
SSDEEP
49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcV:a2V7NpW6Y6joUh
Malware Config
Extracted
urelas
121.88.5.183
218.54.30.235
121.88.5.181
112.223.217.101
Signatures
-
Urelas
Urelas is a trojan targeting card games.
-
Urelas family
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sander.exe"C:\Users\Admin\AppData\Local\Temp\sander.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
331B
MD54ad78f3d92e4ad3f81d399d9175e7c0f
SHA13a401a8f14f48ef7390331a9c5fe0a3ef4e1d08c
SHA25685a3ea72a4d42ec84b396045879eb6cf102ec59c7d11faf669baf6743802583b
SHA51277ad46305c70a0d71da3c200644c8daaf9075e30330202265170298507bd1f80363a6f2be9334043c5e348e94a0bd9ef6f8d95396af50f74ea302f34ba427ec5
-
Filesize
221KB
MD56ceb05ea8f66c5ab5f3975a118ff0f5c
SHA1e9e57c1d944f37467588945af52b7d3381887930
SHA2569bc40205cd8e52f8403ee1dbf1bc0ac353873519190ed388db4afb43d89b38d1
SHA512da82ed4ea4766df8705e520fcda0011fa5a5750a1854c1227518593a05f72da3d4a1c8b758c453c2f48618f94325fded83d20fe86dd53105323c52f975a0d443
-
Filesize
512B
MD504113afab96ff36e7da4cabf336079cf
SHA12ab6a01f123c1ef4227cb134612749b67a237bf6
SHA2568b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16
SHA51268358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9
-
Filesize
4.7MB
MD5ad0c29ea26c8efdd9b6e21c7199264b1
SHA14185b9145a1a1234e65c201201f2ebd29a81be42
SHA256f575405952d1999588c76a0b0ca1f88abe536ae8d5dcfcc8ff48ba31011efbfa
SHA51280a5c64955c018fd4a02e5ce0b18bb095922e52555bf4db5a2a76527cb68776bdcf294f0f796db6507271e12eec5e7e240ccd0937492d2b80c1df10b5f607fe1
-
Filesize
4.9MB
-
Filesize
644KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
644KB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
4.9MB