urelas | bd28957cd5528ae2fd0e52f267d680d2998211688ef0edba0747fa95c52bd691

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe
Size

191KB
MD5

1729d58ca7e1bbfa82e145ba2ae33840
SHA1

b7ede0c80f8d818c24f1cfac13a85bc5343c9fc2
SHA256

bd28957cd5528ae2fd0e52f267d680d2998211688ef0edba0747fa95c52bd691
SHA512

2e1041465e64e42b20fcf404c6a8f340a48e4a5e88cdeb11f48df0b7e225c70dcfc4324e00f3634c4861573c6e3ca9bda481ddcf62ebc05ba49458478c5c8e14
SSDEEP

3072:mqp2cKm5DI/OQf6B6E8wervMLN78FWY6uGKq0FA11:m8la5aF4jMLh85Ab

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 3060	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	28
PID 2948 wrote to memory of 3060	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	28
PID 2948 wrote to memory of 3060	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	28
PID 2948 wrote to memory of 3060	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	28
PID 2948 wrote to memory of 2956	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	29
PID 2948 wrote to memory of 2956	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	29
PID 2948 wrote to memory of 2956	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	29
PID 2948 wrote to memory of 2956	2948	NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1729d58ca7e1bbfa82e145ba2ae33840.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
191KB

MD5
3b6d94563d020929f2bb6a2b7c731514

SHA1
786eda34c66ff23f1e8587dab8d59f9136e08c72

SHA256
d30673da71bfd8d1fcc804994a244cf5bc9f8be85187c1ba08fffb6dfdbc4fff

SHA512
a8505f48322066a61d4cd616f2c3c8cbbaa16e24e2b76facfc6cd6eff0772cff37dcf724aec6f4331b730bc27f79a073c37fd8b96b9ac0e2d6a1f99ddb4f0dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea9f790d2dc9f84fbf3bd28090c6e940

SHA1
6afaa837080db5d9d7526103d6883aa97c428a92

SHA256
bf54905579196278856481aae2085f7feb32001fd92ef46b11ce668a5cae74b5

SHA512
abad30d9d71b7ee4540d85013c703d7da48fccca6a39f0218960be3cd500d3d65dbe28ab9418080f131c89e8b531dba3c6c0912fab60b5ad3e1a59ff82554de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
c5efa5fc3a147c8b4c08a522c93ff8fa

SHA1
20cad81d2de0bc6dd8aab23e7104157a4a886a15

SHA256
56b4d796d9de171f4a230a8ae9dc29337c81c9b089c8273d08f51c65975e4368

SHA512
223f2bf616993f3cacc777614075c46ccbcda342e2016490a20b783fcf9c4667e080ea8bcbe7623ff1095fdc190ee1f3f1339489c0aaedf2dcc8ca4160e269d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
c5efa5fc3a147c8b4c08a522c93ff8fa

SHA1
20cad81d2de0bc6dd8aab23e7104157a4a886a15

SHA256
56b4d796d9de171f4a230a8ae9dc29337c81c9b089c8273d08f51c65975e4368

SHA512
223f2bf616993f3cacc777614075c46ccbcda342e2016490a20b783fcf9c4667e080ea8bcbe7623ff1095fdc190ee1f3f1339489c0aaedf2dcc8ca4160e269d5

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
191KB

MD5
3b6d94563d020929f2bb6a2b7c731514

SHA1
786eda34c66ff23f1e8587dab8d59f9136e08c72

SHA256
d30673da71bfd8d1fcc804994a244cf5bc9f8be85187c1ba08fffb6dfdbc4fff

SHA512
a8505f48322066a61d4cd616f2c3c8cbbaa16e24e2b76facfc6cd6eff0772cff37dcf724aec6f4331b730bc27f79a073c37fd8b96b9ac0e2d6a1f99ddb4f0dfb

Download Submit
memory/2948-0-0x00000000011E0000-0x0000000001214000-memory.dmp

Filesize
208KB

Download
memory/2948-6-0x0000000001180000-0x00000000011B4000-memory.dmp

Filesize
208KB

Download
memory/2948-17-0x00000000011E0000-0x0000000001214000-memory.dmp

Filesize
208KB

Download
memory/3060-20-0x0000000001180000-0x00000000011B4000-memory.dmp

Filesize
208KB

Download
memory/3060-21-0x0000000001180000-0x00000000011B4000-memory.dmp

Filesize
208KB

Download