urelas | 2d33010e37e78fbb3ec9f8c89a73207f2e3ff0ab69e1d40261006c6c414c5397

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
Size

4.7MB
MD5

eead9a03b396523c7f6ab6a44d711617
SHA1

1491e5d862a98174441b532b77d9c0c97f1259c2
SHA256

2d33010e37e78fbb3ec9f8c89a73207f2e3ff0ab69e1d40261006c6c414c5397
SHA512

b5ec90d6c11b64fd4ba80151f8c9206b0b450109dec05c939f4dfd584b26e717c997a7c30996f5e08fed9f140935446a902d6ac74ddf4997237f9b347d80d724
SSDEEP

49152:a2V7djp+oE2ZjHoZB6EZ88JUUXIEABMRviTURcx:a2V7NpW6Y6joUV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exesander.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	sander.exe

Executes dropped EXE 2 IoCs

Processes:

sander.exectfmom.exe

pid	Process
2684	sander.exe
3032	ctfmom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exesander.execmd.exectfmom.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ctfmom.exe

pid	Process
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe
3032	ctfmom.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exesander.exe

description	pid	Process	procid_target
PID 5016 wrote to memory of 2684	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	86
PID 5016 wrote to memory of 2684	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	86
PID 5016 wrote to memory of 2684	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	86
PID 5016 wrote to memory of 1496	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	87
PID 5016 wrote to memory of 1496	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	87
PID 5016 wrote to memory of 1496	5016	2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe	87
PID 2684 wrote to memory of 3032	2684	sander.exe	103
PID 2684 wrote to memory of 3032	2684	sander.exe	103
PID 2684 wrote to memory of 3032	2684	sander.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_eead9a03b396523c7f6ab6a44d711617_magniber_qakbot.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
331B

MD5
52b0348cc9241da384c56284baaf4f06

SHA1
c11ac9521b3494bda57376929a6930e8db9291f0

SHA256
f477fdbc217b493271c0298596cbaa96cfe74f82eca191bf44d7d56307462c65

SHA512
d0a5f71dab429ca3ff113015fa7378d9ff68c9653be836d3f1089da7d8f1dac120888b29e59fe5456b3efa3d58e9848714bbee6f633bf3edcbb97ecdf1093aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
2b5fef2b5bd6d4edc30957400bbc4533

SHA1
e0ac9408199d22cc1192715619a2cce4832747fd

SHA256
b1f338933b7d28e5e080401d0bfe2f1636a7ba4b25333dc4ba6812cfbc95a256

SHA512
64522f3727bdc441ac3e323609c12cac42f9f742a49e828dca9275b8a504d66f4c834db56bedd9e40838bc0568266b5044367d28ca5b14befe5434dd2e5de407

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
4.7MB

MD5
77b8ad1fa44e1f28e9e80615af6ed007

SHA1
3ed173fd0d6954459070bcab0e4eee5a33648ee5

SHA256
74c2dce5226d543f316197fedc19f85b67b02902ba72b33f302e70df6a9501c7

SHA512
16315531f1ca1b22038e8af2b858e3128b201900499edf4dad562f0574ffb4d2230252e6114fdd4af101acb6d7ead76b8c41a612f4304f8d7a33f383d1d8081a

Download Submit
memory/2684-11-0x0000000000920000-0x0000000000E03000-memory.dmp

Filesize
4.9MB

Download
memory/2684-27-0x0000000000920000-0x0000000000E03000-memory.dmp

Filesize
4.9MB

Download
memory/2684-17-0x0000000000920000-0x0000000000E03000-memory.dmp

Filesize
4.9MB

Download
memory/3032-28-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/3032-34-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-41-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-40-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-29-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-33-0x0000000000A00000-0x0000000000A02000-memory.dmp

Filesize
8KB

Download
memory/3032-32-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-26-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-35-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-36-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-37-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-38-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/3032-39-0x0000000000AD0000-0x0000000000B71000-memory.dmp

Filesize
644KB

Download
memory/5016-0-0x0000000000380000-0x0000000000863000-memory.dmp

Filesize
4.9MB

Download
memory/5016-14-0x0000000000380000-0x0000000000863000-memory.dmp

Filesize
4.9MB

Download