urelas | d9a17aed417dc9f940be21cc63a8336bdd5ad9579f029042458d865488195473

Analysis

max time kernel
120s
max time network
134s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1644f6c757497ce876455a1dd76570b0.exe
Size

170KB
MD5

1644f6c757497ce876455a1dd76570b0
SHA1

1efc36b4eb0d08c5ae03f9213690d516003686a4
SHA256

d9a17aed417dc9f940be21cc63a8336bdd5ad9579f029042458d865488195473
SHA512

a778d1b7473abfbb3f1817bfad8077b5c3d035478702c598680a5780d545b52875b45088cd8045025467bb7e78bcf15fd4b757e852f249d9d741ddf9e630bb21
SSDEEP

1536:JADA0Wbt1931D2P7BWLQ4zR4LUKMcPHFE3HP/GTW65CGEgvpCfcyn3m:JADA0Wc7UJ6LZMaHLW65DE8pCEQ2

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1880	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2652	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2652	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	28
PID 2160 wrote to memory of 2652	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	28
PID 2160 wrote to memory of 2652	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	28
PID 2160 wrote to memory of 2652	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	28
PID 2160 wrote to memory of 1880	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	29
PID 2160 wrote to memory of 1880	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	29
PID 2160 wrote to memory of 1880	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	29
PID 2160 wrote to memory of 1880	2160	NEAS.1644f6c757497ce876455a1dd76570b0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.1644f6c757497ce876455a1dd76570b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1644f6c757497ce876455a1dd76570b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e9bde5b44e2cc18d88ff2ee2dbc7081c

SHA1
b2eba2136f52d53ff3f60541bc79e7b217d0b268

SHA256
53c25f3ea9f537bb7d5accae21cbc5c9ef83e4bdf52143201ab08b69403b489c

SHA512
573357570a89779fc2984dcc70639460bc8d0cfc6d3a0a37d0623a5804630e804b34671b0f98765b9f7a68b04aa550ffbfd9ca69f6157cff1c826466943bfc8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
170KB

MD5
6b5646fda64cc7a5ad8f2cac4a35c1a8

SHA1
1bf2f3a55ee146ce553c768f8110675a24dc0734

SHA256
c2d34c8e0a04892b20f7ba7c3814a0acd84c0a8c3ce2f7af60c6809063db2017

SHA512
33b84360ab2ab94f10ae75bba5897790b6ffb1447211189f5bdc7a5dc11731963b21e40f6359d14c0dd486fb1a78344fa4a106140d809ef6a4117810254d2dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
e5e6beb828eaba127b1af5d189be13b9

SHA1
879b8c9ce86e6a67d2d6f147ca388a13713704b7

SHA256
8d8954a50fbe7c970cc9c92f9b9ba6e5f929a194a1feb5db476770d83b572306

SHA512
900249f8d0e2bab56c1c763179aa4f00aea40cdaa79f65d8a5fcb8ae815e9e45a9f6a6b3cbec5c245b0306e740a851eb19f7faef701606b70aea4a421c50834c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
e5e6beb828eaba127b1af5d189be13b9

SHA1
879b8c9ce86e6a67d2d6f147ca388a13713704b7

SHA256
8d8954a50fbe7c970cc9c92f9b9ba6e5f929a194a1feb5db476770d83b572306

SHA512
900249f8d0e2bab56c1c763179aa4f00aea40cdaa79f65d8a5fcb8ae815e9e45a9f6a6b3cbec5c245b0306e740a851eb19f7faef701606b70aea4a421c50834c

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
170KB

MD5
6b5646fda64cc7a5ad8f2cac4a35c1a8

SHA1
1bf2f3a55ee146ce553c768f8110675a24dc0734

SHA256
c2d34c8e0a04892b20f7ba7c3814a0acd84c0a8c3ce2f7af60c6809063db2017

SHA512
33b84360ab2ab94f10ae75bba5897790b6ffb1447211189f5bdc7a5dc11731963b21e40f6359d14c0dd486fb1a78344fa4a106140d809ef6a4117810254d2dac

Download Submit
memory/2160-0-0x0000000000AA0000-0x0000000000AD1000-memory.dmp

Filesize
196KB

Download
memory/2160-6-0x0000000000A50000-0x0000000000A81000-memory.dmp

Filesize
196KB

Download
memory/2160-17-0x0000000000AA0000-0x0000000000AD1000-memory.dmp

Filesize
196KB

Download
memory/2652-20-0x0000000000BA0000-0x0000000000BD1000-memory.dmp

Filesize
196KB

Download
memory/2652-21-0x0000000000BA0000-0x0000000000BD1000-memory.dmp

Filesize
196KB

Download