urelas | 5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe
Size

94KB
MD5

9647fefa1bd11c353e52678626ecd180
SHA1

55d857d317b611fa82fa9fa3b071cf49452cac80
SHA256

5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881
SHA512

5c4e402ae12d26aa0d4a0ed9e51f656398765f56cfd77e2e2bd4696a910f447ac5c9e4f59bc8862b245480f5ed6d1c987920aa2ddf47ed0c9869733b8e5826ed
SSDEEP

768:tp0ti4HnnhtwYbJy6rioyelmd1TzulQEDDPOwc5n5uNCT/jhhLBxQIwqepJZU9mO:tWzhtJbUgHoADDIx1hLfuJrO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe

Executes dropped EXE 1 IoCs

pid	Process
3588	huter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 3588	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	85
PID 5108 wrote to memory of 3588	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	85
PID 5108 wrote to memory of 3588	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	85
PID 5108 wrote to memory of 2536	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	86
PID 5108 wrote to memory of 2536	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	86
PID 5108 wrote to memory of 2536	5108	5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe	86

C:\Users\Admin\AppData\Local\Temp\5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe
"C:\Users\Admin\AppData\Local\Temp\5085669c7ebe8a60cd39dbe9c8d10d1d2d1aa370f635d4461636bf5a47114881N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
16c2bcf1dae729c5cb36a1875efe354c

SHA1
775fbf4b6a2e5bc033b86cfc0893250b5d387a45

SHA256
796a881d71234f7fcd9f5220c6e5674e231610bbf37626d9e5b79dc3268b7bb4

SHA512
d8bd6cb6cb6ccd3c2cc40edde9cd3e8c09d1ae55c21ac1896325c324c08507e68c16d3864923806d29db79c57b958dac68e43bdcf809c0a2c8b5b0a7b8557177

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
94KB

MD5
e1eef42c4f4454694fc56dcb237b82ae

SHA1
78e0814eeae7b94bf48367710e885d1778ba5666

SHA256
bc25dfa5ab626d63c3af8aabd078aa3cfdca1f616f9886643f6d0cc213ab2227

SHA512
e6b074b60f8dc6c8cd7d0cd9af842357c35d9a27c91638b152c71bda5618f7881d4ccb1852ca099d2f071190a84a31aee8e649e8f083500dd9fc31cf58021240

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
e5b434cfb593ee3959eafe7204db2911

SHA1
ecb2b4cee8bfda3c31819b589f8c6483d88f34f4

SHA256
d656cefbbd1b3ceeeaad920b3edd62f59ea9dcfd4d08815c2ad56e38ace598c7

SHA512
60e09c823aa941531395767e849ff0c71551d9d94ea6b0957c1b221418cad8dd68950999ecd6ea23f7fc1bdc5c8276291ad469b8cead455cdb9f2f292e2e6d30

Download Submit
memory/3588-10-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/3588-18-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/3588-20-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/3588-27-0x0000000000F10000-0x0000000000F40000-memory.dmp

Filesize
192KB

Download
memory/5108-0-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/5108-15-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download