urelas | 33c550e7d8a526bf5fa92c9946a292769cb78d4f54b7221a6960740feaccc8eb

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.bd711982026f3a86ef657bcfc639ca30.exe
Size

203KB
MD5

bd711982026f3a86ef657bcfc639ca30
SHA1

e2bd2b0dd4e8823e3a29679acefc54d2804190cb
SHA256

33c550e7d8a526bf5fa92c9946a292769cb78d4f54b7221a6960740feaccc8eb
SHA512

510bc867f1da1dbe7a31bcb5b7db9f43323388b1dc69125ba4144a363e862c4bd0bab7ae2b11702e343787b84889c03c654190c2fd213135db7cf02fc1313700
SSDEEP

3072:DPijU4kcITkEnbBvByrEVoULptsdXfBo/DBJBGzkP9T:LijBkcITtnbBvnjLpSa/B

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2576	shoste.exe

Loads dropped DLL 1 IoCs

pid	Process
2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2576	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	28
PID 2212 wrote to memory of 2576	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	28
PID 2212 wrote to memory of 2576	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	28
PID 2212 wrote to memory of 2576	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	28
PID 2212 wrote to memory of 2704	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	29
PID 2212 wrote to memory of 2704	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	29
PID 2212 wrote to memory of 2704	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	29
PID 2212 wrote to memory of 2704	2212	NEAS.bd711982026f3a86ef657bcfc639ca30.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.bd711982026f3a86ef657bcfc639ca30.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c1462254f3bb8aa00201af0b0a030

SHA1
60d3c892bb5c4f654c318451012f936d81164418

SHA256
695c02a7ab1d4a3bf5060ab1c7c63f651dc1fd945c0c5c3263c23db769f689c5

SHA512
41059643033b10394b1593371e22542e4b7f504a3da36ca2cdbf28521dd24bd70d70f42c99f580227e9799c64b5c23c7b9182ca518245b66eb831868e043e0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
ec8c6027d576083934b133ef746f6a91

SHA1
c29c6728bddf5a06a3e922ad7edca09eb586a552

SHA256
a9e8324119f6d504c148e6ff00726c640a4fdc037185a63a7cf401be95e2dfe0

SHA512
0a26fe53575fa2f53556ad97bc000aded5003dab82cb456b98bc3a98afdfee34ab0f6d5d2abadf8c124cce109dcdf627dc37ec7fa11db90295099ee1ed887311

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
ec8c6027d576083934b133ef746f6a91

SHA1
c29c6728bddf5a06a3e922ad7edca09eb586a552

SHA256
a9e8324119f6d504c148e6ff00726c640a4fdc037185a63a7cf401be95e2dfe0

SHA512
0a26fe53575fa2f53556ad97bc000aded5003dab82cb456b98bc3a98afdfee34ab0f6d5d2abadf8c124cce109dcdf627dc37ec7fa11db90295099ee1ed887311

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
203KB

MD5
5e7c3643c3ef74bf400beff123e0263e

SHA1
8e9d35c3b5dcc42a288d215aa0c2dde73cb10cac

SHA256
e51bb658dbe01033c0f0eb3942ef83ca23791e0a575322881b1bc210f98584ae

SHA512
4c8fb1d48fac9c9bf97625e2ab5d4aad5a5d151e5c43466b26dc7b4d2c92133413ede9d4d033a5a2252c4597a838e3b2856c968953f464c394e0a1650457e718

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
203KB

MD5
5e7c3643c3ef74bf400beff123e0263e

SHA1
8e9d35c3b5dcc42a288d215aa0c2dde73cb10cac

SHA256
e51bb658dbe01033c0f0eb3942ef83ca23791e0a575322881b1bc210f98584ae

SHA512
4c8fb1d48fac9c9bf97625e2ab5d4aad5a5d151e5c43466b26dc7b4d2c92133413ede9d4d033a5a2252c4597a838e3b2856c968953f464c394e0a1650457e718

Download Submit
memory/2212-0-0x0000000000240000-0x0000000000276000-memory.dmp

Filesize
216KB

Download
memory/2212-6-0x0000000000450000-0x0000000000486000-memory.dmp

Filesize
216KB

Download
memory/2212-18-0x0000000000240000-0x0000000000276000-memory.dmp

Filesize
216KB

Download
memory/2576-16-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2576-21-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download
memory/2576-22-0x0000000000080000-0x00000000000B6000-memory.dmp

Filesize
216KB

Download