urelas | 7b7861b8fd660d916ceaab223f147b8fc7a391d36b53df6edf3133ba2f7a6d61

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe
Size

4.7MB
MD5

bc3c88404d4409b597b534093153f9c9
SHA1

7c7d487d5c749e8d9d906e8a01b4b8092f457991
SHA256

7b7861b8fd660d916ceaab223f147b8fc7a391d36b53df6edf3133ba2f7a6d61
SHA512

a0b5e5d3fd4ec2a0c95ec3934993155c597fef26ee07d49d15f3e8ae0ad6c4cc409c551bfc20f5e2bae738033d889a39836f23a748c1b57d45fc1bbd44ac7be5
SSDEEP

49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcV:a2V7NpW6Y6joUh

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exesander.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sander.exe

Executes dropped EXE 2 IoCs

Processes:

sander.exectfmom.exe

pid	Process
2040	sander.exe
1736	ctfmom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exectfmom.exe2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exesander.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ctfmom.exe

pid	Process
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe
1736	ctfmom.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exesander.exe

description	pid	Process	procid_target
PID 2792 wrote to memory of 2040	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	82
PID 2792 wrote to memory of 2040	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	82
PID 2792 wrote to memory of 2040	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	82
PID 2792 wrote to memory of 2432	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	83
PID 2792 wrote to memory of 2432	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	83
PID 2792 wrote to memory of 2432	2792	2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe	83
PID 2040 wrote to memory of 1736	2040	sander.exe	94
PID 2040 wrote to memory of 1736	2040	sander.exe	94
PID 2040 wrote to memory of 1736	2040	sander.exe	94

C:\Users\Admin\AppData\Local\Temp\2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_bc3c88404d4409b597b534093153f9c9_magniber_qakbot.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
331B

MD5
4ad78f3d92e4ad3f81d399d9175e7c0f

SHA1
3a401a8f14f48ef7390331a9c5fe0a3ef4e1d08c

SHA256
85a3ea72a4d42ec84b396045879eb6cf102ec59c7d11faf669baf6743802583b

SHA512
77ad46305c70a0d71da3c200644c8daaf9075e30330202265170298507bd1f80363a6f2be9334043c5e348e94a0bd9ef6f8d95396af50f74ea302f34ba427ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
08a0e02bd9154866d40b6bd7e31bdc5a

SHA1
a155326b3ff90409a66da522baad4b842331cefd

SHA256
cdacc8b1a803582d34cfff10ba909d51f7b4c38eaf2c1a4e14d3481ca739cb2a

SHA512
49b2336cbb8edf6399a8a2f236a19a65f9e6a93edc319a320274002466e8fee07a3814a14a8bbe3ed62fa0f0057e2175076736ba905facaaf4e1866df985fef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
4.7MB

MD5
4df1abf7b06653b4491dff66485fb068

SHA1
8211748a7006a2d7e73ac3eb9173a26c953b6d84

SHA256
c332c9483abb07b391df52aea80fe4ad8d00d83dc67ef15592a5e90a52e80e51

SHA512
24711adb8983e9191e31fa49f6e8f2417b328e3c07967edef82bbbf5bdf51e13269fd15d72322f8183619e42e34fccdb4577b0c0f8a65b932d6fbf19d658eb23

Download Submit
memory/1736-29-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-32-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-41-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-40-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-39-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-27-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/1736-38-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-26-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-33-0x0000000000890000-0x0000000000892000-memory.dmp

Filesize
8KB

Download
memory/1736-37-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-34-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-35-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/1736-36-0x0000000000F30000-0x0000000000FD1000-memory.dmp

Filesize
644KB

Download
memory/2040-28-0x00000000004D0000-0x00000000009B3000-memory.dmp

Filesize
4.9MB

Download
memory/2040-11-0x00000000004D0000-0x00000000009B3000-memory.dmp

Filesize
4.9MB

Download
memory/2040-17-0x00000000004D0000-0x00000000009B3000-memory.dmp

Filesize
4.9MB

Download
memory/2792-15-0x0000000000520000-0x0000000000A03000-memory.dmp

Filesize
4.9MB

Download
memory/2792-0-0x0000000000520000-0x0000000000A03000-memory.dmp

Filesize
4.9MB

Download