urelas | ff34314a429adb6dae01697ca5ae48bfec80dcefdef39629c9eed36d65ab49c6

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e5ae79491bdad7d13b42da25a61ee100.exe
Size

231KB
MD5

e5ae79491bdad7d13b42da25a61ee100
SHA1

20d4fecb9314ccb047a5a6ab4695a0fc40fa4f67
SHA256

ff34314a429adb6dae01697ca5ae48bfec80dcefdef39629c9eed36d65ab49c6
SHA512

2a6e5dbe04354735a02eef891bd97dc28905d63a073e3193a27f62c33fc361cefd48a451c3aff328d392c6350d44c1d655d89634e0e8045787edb7a50a4fb947
SSDEEP

3072:/YshWbz+6LPr5Qy7K65UC1O9Ro2rqYyXzCEwGNy:/YQWbS6LPeHC1O9RleYuzCEwGNy

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1440	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1632	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1632	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	28
PID 1228 wrote to memory of 1632	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	28
PID 1228 wrote to memory of 1632	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	28
PID 1228 wrote to memory of 1632	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	28
PID 1228 wrote to memory of 1440	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	29
PID 1228 wrote to memory of 1440	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	29
PID 1228 wrote to memory of 1440	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	29
PID 1228 wrote to memory of 1440	1228	NEAS.e5ae79491bdad7d13b42da25a61ee100.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.e5ae79491bdad7d13b42da25a61ee100.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e5ae79491bdad7d13b42da25a61ee100.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6e0ecec5e285ac121f1bf7f3a59ce016

SHA1
d432c8dd0bd3ddfffaa5a22a74c6da08172c13d7

SHA256
c1df717fda579031c64433ccadbc1e471654b843121f07f4066b7793355e2dfe

SHA512
9c20f07807c92a4bd1808deb68e571fd0ea26f39b6033c8f9e40c0346267aae396ba4ceac427c2daf95d855cca22f05aaeb7ad4f93bd8289972816a55d69527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
231KB

MD5
a28bbb62683c3d07f13802b58cba177f

SHA1
1f8404fc233779526bf4fb48fee9a24715750766

SHA256
50186a7cb3695906915bb995784424e1480da9f548a1ef9a37312249b2f12db1

SHA512
fb8a6b94b74d8f332eddbc2d6f7f317ad78a84b950a45fd193103e64f95e476aa7a2b24c13c32ec2713b394c76dacc132bc01faaba117c036d92c698b817e2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
a55d65d2d1ba5a81a657a51561e0d651

SHA1
08dd709b2bd4135b83fe79dbe600c0e713ce18e5

SHA256
b8a508df6c8c34f18c0a594dd0b0df9d7f79fb7b06f838cb4067b4d608f6ce64

SHA512
81f1f0b480d1cb8a52df8047ffffca46f47113eb441c4d791fb0ec11647897ff185b7993fe475688d6eb474675bce563bc666742960e3bfeedf22dfdb5ebcbdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
a55d65d2d1ba5a81a657a51561e0d651

SHA1
08dd709b2bd4135b83fe79dbe600c0e713ce18e5

SHA256
b8a508df6c8c34f18c0a594dd0b0df9d7f79fb7b06f838cb4067b4d608f6ce64

SHA512
81f1f0b480d1cb8a52df8047ffffca46f47113eb441c4d791fb0ec11647897ff185b7993fe475688d6eb474675bce563bc666742960e3bfeedf22dfdb5ebcbdf

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
231KB

MD5
a28bbb62683c3d07f13802b58cba177f

SHA1
1f8404fc233779526bf4fb48fee9a24715750766

SHA256
50186a7cb3695906915bb995784424e1480da9f548a1ef9a37312249b2f12db1

SHA512
fb8a6b94b74d8f332eddbc2d6f7f317ad78a84b950a45fd193103e64f95e476aa7a2b24c13c32ec2713b394c76dacc132bc01faaba117c036d92c698b817e2d2

Download Submit
memory/1228-0-0x0000000000E80000-0x0000000000EBD000-memory.dmp

Filesize
244KB

Download
memory/1228-8-0x0000000000D90000-0x0000000000DCD000-memory.dmp

Filesize
244KB

Download
memory/1228-18-0x0000000000E80000-0x0000000000EBD000-memory.dmp

Filesize
244KB

Download
memory/1632-11-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/1632-21-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download
memory/1632-22-0x0000000000340000-0x000000000037D000-memory.dmp

Filesize
244KB

Download