Overview

overview

10

Static

static

10

6db46f5209...c8.exe

windows7-x64

10

6db46f5209...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2024, 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6db46f5209af5f0723c22fc474f524eaa27141d4b2009ef0ac06d98b03bcc9c8.exe

  • Size

    169KB

  • MD5

    d888942a5749ed544df0099ee0350f8d

  • SHA1

    a23c9a6a0f5eed6c9df3c93aa575a7566388797c

  • SHA256

    6db46f5209af5f0723c22fc474f524eaa27141d4b2009ef0ac06d98b03bcc9c8

  • SHA512

    6ee3f3e0f3ea4847a359f91cefb0cd0bd14536211943c616f4aeb5db4635d04226e0ebe4f3d962032476f43203102e74f5e4dd077f3f1a9080715e5d73e96b99

  • SSDEEP

    1536:eADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpxyTf/k:eADA0Wc7UJ6LZMaHLW65DE8pxWE

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6db46f5209af5f0723c22fc474f524eaa27141d4b2009ef0ac06d98b03bcc9c8.exe
    "C:\Users\Admin\AppData\Local\Temp\6db46f5209af5f0723c22fc474f524eaa27141d4b2009ef0ac06d98b03bcc9c8.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\huter.exe
      "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    e9bde5b44e2cc18d88ff2ee2dbc7081c

    SHA1

    b2eba2136f52d53ff3f60541bc79e7b217d0b268

    SHA256

    53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

    SHA512

    573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\huter.exe
    Filesize

    169KB

    MD5

    1cc7074fd273065881f2ca1a4681366e

    SHA1

    87c3e143035df3f70a3d59370dd6c4fbf193544e

    SHA256

    a9445908e2c276cb788d31625974a80e32c041c89316053eb13507235a7acfdd

    SHA512

    b6cc53a5a89aa7d4e4b9b423a48e845ba3ff675a20e1b2d268af7ff2ea86b6f26fe348086d743cdafbb2e3767eb6ed2f0ccd40aeacf8cada9fdd5da43d74b447

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    338B

    MD5

    8031fb9400ee5eef5412fff023a2531b

    SHA1

    e433b7351c4f4125c6f22b1d94134effa431a677

    SHA256

    e1f6c39e8424ec4679ea416a4fb129132b555e187eafe69a60bf37cef2f64c31

    SHA512

    341bf93d7663ed9fd3a7c7d3a9a55269df93e316d9bf1c05fbfd1cdaba1351370978a372340b39e54cc04284393b4862670db15930ae860f00c3bdcb8822a816

    Download Submit

  • memory/1692-12-0x0000000000740000-0x0000000000770000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1692-17-0x0000000000740000-0x0000000000770000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1692-18-0x0000000000740000-0x0000000000770000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3480-0-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3480-14-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

    Filesize

    192KB

    Download