Overview

overview

10

Static

static

3

e639d9121d...bb.exe

windows7-x64

10

e639d9121d...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-02-2025 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e639d9121dd463c2311edb62712483fa484650b85e2163de9f593f5a55ac20bb.exe

  • Size

    76KB

  • MD5

    d7f1d696e70b95e4998ef20a3c26e08f

  • SHA1

    beaef86646949709a6e268d6ede697663896e714

  • SHA256

    e639d9121dd463c2311edb62712483fa484650b85e2163de9f593f5a55ac20bb

  • SHA512

    16c8d76c197cd0feaebcc46b9228d987323af868dc65915b8cc47ea1578ef300c13be6d8a347dbc0f9d2d4e73f52e2b6fa95115402c669bc30dde35b14abe86e

  • SSDEEP

    1536:JBsRUZ2mpkX27tLUgk98l6h0JBDrDI6Rg4dOj:7NXkX27t5k8JRDIkgP

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

112.175.88.208

112.175.88.207

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e639d9121dd463c2311edb62712483fa484650b85e2163de9f593f5a55ac20bb.exe
    "C:\Users\Admin\AppData\Local\Temp\e639d9121dd463c2311edb62712483fa484650b85e2163de9f593f5a55ac20bb.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\dofhir.exe
      "C:\Users\Admin\AppData\Local\Temp\dofhir.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      PID:876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dofhir.exe
    Filesize

    76KB

    MD5

    4237e31020b473fd92f330c6af0c8162

    SHA1

    cbd43864a32dffc5d12ca5e2de8adff77cd5d6c7

    SHA256

    402cac53f953f44a8340d92b4b68f9788f048ace3c738d9e1e63bbfb6ff072db

    SHA512

    8b00824ea3a037a825ed120580cb7bba86833945b18d01ae1ea4bca1e4ceeb45e8c1efa1fc51ac3628aeef475a715fb780ed7b093410b6042b0ec42bd004c0d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    4adffbc578ceaad93e361c4c2700b4e2

    SHA1

    3078a1c96cf37ee1bde1a548cec44c27f7a8720e

    SHA256

    d0270cf0cebe5fc51dc8d55ffc5d23fcbb682d1822458bcb3d823101ba0a2045

    SHA512

    812400e5e01e5fbaf7917f3d48a40f6d0c6f60bf2602f2827c2d9089022ebf174d04d79bf27bfb67638c78d0b3a86b26e7d4546243491ebb7955f456b9fd9245

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
    Filesize

    338B

    MD5

    118c80ff1f5abc90a6a968f414bba0e3

    SHA1

    86ab1091acc896b89fec6dcebf73ad4836c2162d

    SHA256

    2bf2a29cfe44900b5d6167b108fe14f966cfef0fec7e87fad93b388e314dc6e5

    SHA512

    4fccc13068fcca38e86865b7b6567ce6c83f2ff359ac72575a7477e95de525075efa2b85d385fb8bdff583ef36c7ad023674235bd12e884f60a17845ec93877e

    Download Submit

  • memory/1124-11-0x0000000000E60000-0x0000000000E8F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1124-18-0x0000000000E60000-0x0000000000E8F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1124-20-0x0000000000E60000-0x0000000000E8F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1124-27-0x0000000000E60000-0x0000000000E8F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4984-0-0x0000000000380000-0x00000000003AF000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4984-15-0x0000000000380000-0x00000000003AF000-memory.dmp

    Filesize

    188KB

    Download