urelas | 8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4

Analysis

max time kernel
96s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe
Size

76KB
MD5

52a8fcf99b8eadfd68b8f8a4e3f52df0
SHA1

c8e7c9a9a6489f23ad9721f1b9bc05d4070414b0
SHA256

8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4
SHA512

51d377308f0a9324d6607dd1e38b4b4ff5101e9e6c585de230195667a93bdbfa5f5903c67dc0bb9e6972987b08f2fed4f5cd10d1a10648e8cafd339f8216c426
SSDEEP

1536:+Uk8RgDXz7Kx8zzgmTlvtKrNCpbXmsz4tHITp:Tk8yn7KdmTINQXzz4a

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe

Executes dropped EXE 1 IoCs

pid	Process
116	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 116	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	82
PID 1048 wrote to memory of 116	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	82
PID 1048 wrote to memory of 116	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	82
PID 1048 wrote to memory of 1896	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	83
PID 1048 wrote to memory of 1896	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	83
PID 1048 wrote to memory of 1896	1048	8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe	83

C:\Users\Admin\AppData\Local\Temp\8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe
"C:\Users\Admin\AppData\Local\Temp\8e24c6f125dfb8085831c56211d068d236301e419b734a6805f76d0d93e1afb4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
76eaed1cdcaa3e93de67dd5f94abb63e

SHA1
c0e0ff36484832ed8fd69b50fc2d2691811f218b

SHA256
fe485dd700b9b8c95e9de719dc1eb9ecf25b8f554fc23a3baa679ff12aa173b5

SHA512
bcf04a4f6e80db17fbb6d9be2b9c5722cd2118a6dbf4b2fc8a438efd8df1085fbc2a08047d1aaa909095f48294c2bb454ac66d76110deb6b6ec153b8a1a5511b

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
76KB

MD5
1fcae6059549108d98553796ed77c011

SHA1
3d8560ebb7372eccb0c70d99adc848f3e388cbbd

SHA256
829914840e50b040f453b58054136039e74873efcff336a9f337cfd2dd9c5481

SHA512
5c32b11d91150688924abb5562053081bcc452944d7cec7335a2d96db5b7162def41c287a7826ea7a22563446a8e58f96364196ef90e70b4407eaa0bbecdcf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
83df7084d2fb706c5d584812144495ce

SHA1
34a28ba433f5709eb024466c2663100fea7ac79d

SHA256
ca1fb010d9a601fa00ff12ac7421a6e99959a5f89273abf82fc285cdda48867b

SHA512
b9fc79596089c6bfbbb9c2a4a5d9abdd989c81575384e8d3d77afcc5399ba76ff07490bb0f53d1db568164891d6b4d6bd5f1ab9730862d5478a818bfca9694a8

Download Submit
memory/116-14-0x0000000000B80000-0x0000000000BAF000-memory.dmp

Filesize
188KB

Download
memory/116-20-0x0000000000B80000-0x0000000000BAF000-memory.dmp

Filesize
188KB

Download
memory/116-22-0x0000000000B80000-0x0000000000BAF000-memory.dmp

Filesize
188KB

Download
memory/116-29-0x0000000000B80000-0x0000000000BAF000-memory.dmp

Filesize
188KB

Download
memory/1048-0-0x0000000000FE0000-0x000000000100F000-memory.dmp

Filesize
188KB

Download
memory/1048-17-0x0000000000FE0000-0x000000000100F000-memory.dmp

Filesize
188KB

Download