urelas | bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 05:42 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe
Size

96KB
MD5

17d33d83b92175363fab6972255e994b
SHA1

68ed18a0cf8e816cff9aea0ebe7a1543e0f124cf
SHA256

bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153
SHA512

874f444052ad9440b03944e4292f96d4313ec69ae4132a22bbaa5dcfb838e6ddc807fb27007938c49078d2147de83e20fe0b660b94ff12a044e5d2ec233f077f
SSDEEP

768:PcPYj9Y5By4gtdjv+x3itPaoobv9TjeHl7j3hgSOpP7tRLZU9qZU9QCma3/WJG1u:PkOwUtxmx3QVgX2xjRpkpUmgWJds7R+

Score

10^/10

urelas aspackv2 discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000a000000023b89-7.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe

Executes dropped EXE 1 IoCs

pid	Process
4436	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 4436	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	83
PID 1544 wrote to memory of 4436	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	83
PID 1544 wrote to memory of 4436	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	83
PID 1544 wrote to memory of 396	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	85
PID 1544 wrote to memory of 396	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	85
PID 1544 wrote to memory of 396	1544	bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe	85

C:\Users\Admin\AppData\Local\Temp\bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe
"C:\Users\Admin\AppData\Local\Temp\bb0a8b1cd841f54f8fb49ad3f11fdfdf2f0ff54aca2ccafa190a0d956dc18153.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396

Network

DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

21.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

21.49.80.91.in-addr.arpa

IN PTR

Response
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

112.175.88.209:11120

huter.exe

260 B
5
112.175.88.208:11150

huter.exe

260 B
5
112.175.88.209:11170

huter.exe

260 B
5
112.175.88.207:11150

huter.exe

260 B
5

8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

21.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

21.49.80.91.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4b88240437d0b3ad37b7d18b8742f0ad

SHA1
89d10465de137ee27e28712434962964f6c6d4aa

SHA256
ccef0808f14ac77049ff7fc059b055507036f7c3df62cc11499b2fb807e71b95

SHA512
7a99318ebbdee41b778adeaa2c60cb95e1b7ee954694efcdd1510ccd81e009962c23e2e62c1d67def4210294e8c8283e6275b928f37a811f894700d0b238a76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
96KB

MD5
724ba96c6f77a39d9733f08fe304ef1f

SHA1
090a2df03c895a9792a8316a19e29c20cd10ded5

SHA256
ed4422d3b6afd30983f889a8c6653fe343c8ef9dace0fc365e6bc806200a7e92

SHA512
63fbb8524595f051d177cb4770ea5ee9f555deeda9c75ec290dac7316fa6cebfef2ff909099d86345467450af486d12cede50783d75940377a2bf992ca86e69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
d46ab4964e4c49ef2ffeab2fc6f0cb12

SHA1
e581f7fd6776f2b854f72d24f0388c102b5bf30e

SHA256
ad6e2bd4540f36fe3b6cc6e17424fefa420b664a4a9072a7a40f65df3129879b

SHA512
a36b8c15df95347fd397597d224927eddccc1c76fbe8ed8822c768c5b958f9cb20ed7812c05dff447b126d012a2f2bd708f2032f86e4d7d3e7d919489fb9086f

Download Submit
memory/1544-0-0x00000000009D0000-0x00000000009FA000-memory.dmp

Filesize
168KB

Download
memory/1544-1-0x00000000009D0000-0x00000000009FA000-memory.dmp

Filesize
168KB

Download
memory/1544-17-0x00000000009D0000-0x00000000009FA000-memory.dmp

Filesize
168KB

Download
memory/4436-14-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/4436-13-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/4436-20-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/4436-22-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download
memory/4436-29-0x0000000000F50000-0x0000000000F7A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.