urelas | 9711852bf7fcd819124f68a006c160702fe1e2c7360a0ba19a84f4123e5cc698

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe
Size

170KB
MD5

ea28e4e279da969adaa2d55040bf79c8
SHA1

2a9131e3acbdb853480c29f85b60e20623e96dc6
SHA256

9711852bf7fcd819124f68a006c160702fe1e2c7360a0ba19a84f4123e5cc698
SHA512

bd794ad16e300129174eb8d835808863c2460a6396dc01a76d8260e5a06f82433694582a4cefc18dcd3296dc60b930cb39daab1e0803e881901de5505f846077
SSDEEP

1536:eADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpxyTf+:eADA0Wc7UJ6LZMaHLW65DE8pxWW

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1416	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1416	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	27
PID 2904 wrote to memory of 1416	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	27
PID 2904 wrote to memory of 1416	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	27
PID 2904 wrote to memory of 1416	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	27
PID 2904 wrote to memory of 2680	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	29
PID 2904 wrote to memory of 2680	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	29
PID 2904 wrote to memory of 2680	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	29
PID 2904 wrote to memory of 2680	2904	NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ea28e4e279da969adaa2d55040bf79c8_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
170KB

MD5
c8079daa196f168b58646b3d963f40b6

SHA1
c620b654dd6acbd6250f116eb58cce317f009940

SHA256
d01a14114abe0872ce62678b6f20de2e7df03228e2f8bd26aea4a77ff4971925

SHA512
6c9dd882b74ae5975be11290e5c4d7a9b65ca3cf0301cbfda79d129dda5a7392882ec98fd5b743ae0bd67fca2cf4460733134549e8511b0cd672a40299e5731a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
0be3ce439674969ad422d412240c0b0a

SHA1
6231c66f2ac62aaa6042637c25813f747866e04a

SHA256
c6ab57dc94c6713ed4be909e35902f0096597c82dc20295c2c85ad86b8f9f03c

SHA512
f66347948776a95a0ea790711056ae18571e6e46f6936e4f35865541120112dabd5655660e4bb960343eaad85934bad8588ca0456bed19b3217c93a4d35b5288

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
290B

MD5
0be3ce439674969ad422d412240c0b0a

SHA1
6231c66f2ac62aaa6042637c25813f747866e04a

SHA256
c6ab57dc94c6713ed4be909e35902f0096597c82dc20295c2c85ad86b8f9f03c

SHA512
f66347948776a95a0ea790711056ae18571e6e46f6936e4f35865541120112dabd5655660e4bb960343eaad85934bad8588ca0456bed19b3217c93a4d35b5288

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
170KB

MD5
c8079daa196f168b58646b3d963f40b6

SHA1
c620b654dd6acbd6250f116eb58cce317f009940

SHA256
d01a14114abe0872ce62678b6f20de2e7df03228e2f8bd26aea4a77ff4971925

SHA512
6c9dd882b74ae5975be11290e5c4d7a9b65ca3cf0301cbfda79d129dda5a7392882ec98fd5b743ae0bd67fca2cf4460733134549e8511b0cd672a40299e5731a

Download Submit
memory/1416-10-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/1416-21-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/1416-22-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/2904-0-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/2904-6-0x0000000000570000-0x00000000005A0000-memory.dmp

Filesize
192KB

Download
memory/2904-18-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download