urelas | bd88f56c8503d0c523bd2983668660d51c23aa47f6745ea0a67e173c0ed98b24

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 22:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5afb31bc636d0b2df98395567be31208_JC.exe
Size

97KB
MD5

5afb31bc636d0b2df98395567be31208
SHA1

23e0515d87f15f03159e0b8c8b24916b7e992fe0
SHA256

bd88f56c8503d0c523bd2983668660d51c23aa47f6745ea0a67e173c0ed98b24
SHA512

cb5a1e543eda14dee65566889e9b19f4ed70edee75ba7f41994ed4165fe28b4f8bccd995d643f475c2daff9ca1cfc2a738da7ac106c7846ea5dae30166c992fd
SSDEEP

768:54pt1NSf7M9Syk+IAnTjwm41tYhZV6pudcMiDh7FOaRb8RC1J3AFLT7Dm3UIn4UH:OVNSf7hyk+I6412V6PMqAax80XAFSrR1

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	5afb31bc636d0b2df98395567be31208_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2388	2112	5afb31bc636d0b2df98395567be31208_JC.exe	28
PID 2112 wrote to memory of 2768	2112	5afb31bc636d0b2df98395567be31208_JC.exe	29
PID 2112 wrote to memory of 2768	2112	5afb31bc636d0b2df98395567be31208_JC.exe	29
PID 2112 wrote to memory of 2768	2112	5afb31bc636d0b2df98395567be31208_JC.exe	29
PID 2112 wrote to memory of 2768	2112	5afb31bc636d0b2df98395567be31208_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\5afb31bc636d0b2df98395567be31208_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5afb31bc636d0b2df98395567be31208_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
97KB

MD5
04f6753ed88dd5b7dc4b3838fbfb509d

SHA1
f143319a89158459af8e549912ed6a8b7a049144

SHA256
86e6978258c8aa453f89a1d4bc240d98a54710b72e2a9f72c758417ca36cb613

SHA512
b49b5cac84b900c602070537dd1bb15923424e36fe996211f216d3a01023f5a27a892dcfa62f5b35f3531572294a24b23e582ab923ad61c37a940d7b16412117

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
280B

MD5
814d6c179a10216f54744035bdc903d0

SHA1
f2ead90765a4cb38d5bdcfa70659103ecbf4eb02

SHA256
af12e5eab4c6f1f082c8d11aa375ce59171c856f487697887b417fd059d6e7c0

SHA512
db85225107c65eefeb794d2b8909cc5f0b2a364d84cfb54764ec6d21b78b020b88e0a5be699b95608a6ea6cf9a90545550151d4be1d19cb5cc57234e63878cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
280B

MD5
814d6c179a10216f54744035bdc903d0

SHA1
f2ead90765a4cb38d5bdcfa70659103ecbf4eb02

SHA256
af12e5eab4c6f1f082c8d11aa375ce59171c856f487697887b417fd059d6e7c0

SHA512
db85225107c65eefeb794d2b8909cc5f0b2a364d84cfb54764ec6d21b78b020b88e0a5be699b95608a6ea6cf9a90545550151d4be1d19cb5cc57234e63878cf1

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
97KB

MD5
04f6753ed88dd5b7dc4b3838fbfb509d

SHA1
f143319a89158459af8e549912ed6a8b7a049144

SHA256
86e6978258c8aa453f89a1d4bc240d98a54710b72e2a9f72c758417ca36cb613

SHA512
b49b5cac84b900c602070537dd1bb15923424e36fe996211f216d3a01023f5a27a892dcfa62f5b35f3531572294a24b23e582ab923ad61c37a940d7b16412117

Download Submit
memory/2112-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2112-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2388-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download