urelas | 2d33010e37e78fbb3ec9f8c89a73207f2e3ff0ab69e1d40261006c6c414c5397

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
Size

4.7MB
MD5

eead9a03b396523c7f6ab6a44d711617
SHA1

1491e5d862a98174441b532b77d9c0c97f1259c2
SHA256

2d33010e37e78fbb3ec9f8c89a73207f2e3ff0ab69e1d40261006c6c414c5397
SHA512

b5ec90d6c11b64fd4ba80151f8c9206b0b450109dec05c939f4dfd584b26e717c997a7c30996f5e08fed9f140935446a902d6ac74ddf4997237f9b347d80d724
SSDEEP

49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcx:a2V7NpW6Y6joUV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Executes dropped EXE 2 IoCs

Processes:

sander.exectfmom.exe

pid	Process
1224	sander.exe
3016	ctfmom.exe

Loads dropped DLL 2 IoCs

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exesander.exe

pid	Process
2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
1224	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.execmd.exesander.exectfmom.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ctfmom.exe

pid	Process
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe
3016	ctfmom.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exesander.exe

description	pid	Process	procid_target
PID 2908 wrote to memory of 1224	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	28
PID 2908 wrote to memory of 1224	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	28
PID 2908 wrote to memory of 1224	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	28
PID 2908 wrote to memory of 1224	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	28
PID 2908 wrote to memory of 2272	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	29
PID 2908 wrote to memory of 2272	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	29
PID 2908 wrote to memory of 2272	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	29
PID 2908 wrote to memory of 2272	2908	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	29
PID 1224 wrote to memory of 3016	1224	sander.exe	33
PID 1224 wrote to memory of 3016	1224	sander.exe	33
PID 1224 wrote to memory of 3016	1224	sander.exe	33
PID 1224 wrote to memory of 3016	1224	sander.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
331B

MD5
52b0348cc9241da384c56284baaf4f06

SHA1
c11ac9521b3494bda57376929a6930e8db9291f0

SHA256
f477fdbc217b493271c0298596cbaa96cfe74f82eca191bf44d7d56307462c65

SHA512
d0a5f71dab429ca3ff113015fa7378d9ff68c9653be836d3f1089da7d8f1dac120888b29e59fe5456b3efa3d58e9848714bbee6f633bf3edcbb97ecdf1093aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
ab2c622792cf85cdf0bcfe7ec5944c71

SHA1
13924b75d2e2e093a97f552f44ea298e56d14c30

SHA256
aebb49fe8a2cac9db6655a408dc93f44640702e6d9bbacfe55f27e096316c581

SHA512
890df3e1cb8686a6fbc47374abbf956e05431f020f364679f0995d30c39f28b45a0d04795ed89be060dd8e17c03dcd1c8bb5ddcf8c28061f2f4182b3a26b81c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
4.7MB

MD5
b254df1217e1f4fa5ae5ea0c21a56b8b

SHA1
bd9a81d92b8aca18c33ae08492c4e40577edba48

SHA256
93a61447ddd230f92c9ee8d2e765b956472e7cf8131fcaf78611c7ba5c564e39

SHA512
90280ba7c2ffd4b04179655d54d24546e117db65316c1b99b8e2fa0a02a42f867824e32395c6163b9263c448fd4052d3d491fc359dfda6348aa47cdaf15a5d42

Download Submit
memory/1224-17-0x0000000001160000-0x0000000001643000-memory.dmp

Filesize
4.9MB

Download
memory/1224-21-0x0000000001160000-0x0000000001643000-memory.dmp

Filesize
4.9MB

Download
memory/1224-27-0x0000000003480000-0x0000000003521000-memory.dmp

Filesize
644KB

Download
memory/1224-32-0x0000000001160000-0x0000000001643000-memory.dmp

Filesize
4.9MB

Download
memory/2908-15-0x0000000003A40000-0x0000000003F23000-memory.dmp

Filesize
4.9MB

Download
memory/2908-18-0x00000000013C0000-0x00000000018A3000-memory.dmp

Filesize
4.9MB

Download
memory/2908-0-0x00000000013C0000-0x00000000018A3000-memory.dmp

Filesize
4.9MB

Download
memory/3016-29-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-33-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-34-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-35-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-36-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-37-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-38-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-39-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-40-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download
memory/3016-41-0x00000000009C0000-0x0000000000A61000-memory.dmp

Filesize
644KB

Download