urelas | ce686444e9efcc8bfc02d34d6e5fe0fa92c17731552259d0f1f9c4869d42b3b4

Analysis

max time kernel
48s
max time network
44s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe
Size

143KB
MD5

30fbf43d06640fe0b3e5c723a161a1a0
SHA1

8ca198d54a2fe3696566051dd621e51f07256e9a
SHA256

ce686444e9efcc8bfc02d34d6e5fe0fa92c17731552259d0f1f9c4869d42b3b4
SHA512

c1edb62027bdfb59ff1d528fd5e225357eb5602751ca7aec316122d0f2b32ca2f8bf220c9eeef5982626a6b7ab69e5b3341d77387b6b8ef30a821dc6478a5c00
SSDEEP

1536:L/oEFqfCZ10zcT9Yh8AIXcjyz9cOXfiXGImcatMrsWjcdW6o5gRwtTfKCl0:L/5FqCxiXEcO3XfGf2tMUW6o5gRwdll0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2604	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2604	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	28
PID 2132 wrote to memory of 2604	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	28
PID 2132 wrote to memory of 2604	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	28
PID 2132 wrote to memory of 2604	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	28
PID 2132 wrote to memory of 2332	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	29
PID 2132 wrote to memory of 2332	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	29
PID 2132 wrote to memory of 2332	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	29
PID 2132 wrote to memory of 2332	2132	NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.30fbf43d06640fe0b3e5c723a161a1a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
143KB

MD5
575a39880aaa7e7ab171c074bf8fe90c

SHA1
b1a746e76839a54b34e1f546c66d706cc2ffc4bf

SHA256
9e96962a0ccc3975c97cd2a7bf538cb30d6b4ad2563b5a05a481a76f416935f7

SHA512
6f08d6bf60f84794a030770c2ad7e3fe13a51937b3c161e83209dfaa1b09e3b9ebce8f63fc11df3d51b16d7c813b9370f03a3c0ad27f2a7809ee58e14f7c07f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e2d9c84d22710b94f88db5e136efd92e

SHA1
5636678dda45ea10068357a9b17878399804aea3

SHA256
91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25

SHA512
11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
f4ced14bd38ffa35882fc0ec1ae0fbd1

SHA1
0ef2c25a1be113342f41e47b92becacbf5b642c9

SHA256
90b60b1c2a56057056f563b9f2122ae267d870fb4ca6fd3b4b658e6894d02d63

SHA512
58bf8b14e5900d4aa51e41d4995c2ff60e9bd6a25b64a8219db4905f422c25d0cadfa24dd2fba74f0f2777274f2609f8438149fe27ca490d8191decacf82d101

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
f4ced14bd38ffa35882fc0ec1ae0fbd1

SHA1
0ef2c25a1be113342f41e47b92becacbf5b642c9

SHA256
90b60b1c2a56057056f563b9f2122ae267d870fb4ca6fd3b4b658e6894d02d63

SHA512
58bf8b14e5900d4aa51e41d4995c2ff60e9bd6a25b64a8219db4905f422c25d0cadfa24dd2fba74f0f2777274f2609f8438149fe27ca490d8191decacf82d101

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
143KB

MD5
575a39880aaa7e7ab171c074bf8fe90c

SHA1
b1a746e76839a54b34e1f546c66d706cc2ffc4bf

SHA256
9e96962a0ccc3975c97cd2a7bf538cb30d6b4ad2563b5a05a481a76f416935f7

SHA512
6f08d6bf60f84794a030770c2ad7e3fe13a51937b3c161e83209dfaa1b09e3b9ebce8f63fc11df3d51b16d7c813b9370f03a3c0ad27f2a7809ee58e14f7c07f0

Download Submit
memory/2132-0-0x0000000000E60000-0x0000000000E87000-memory.dmp

Filesize
156KB

Download
memory/2132-6-0x0000000000570000-0x0000000000597000-memory.dmp

Filesize
156KB

Download
memory/2132-17-0x0000000000E60000-0x0000000000E87000-memory.dmp

Filesize
156KB

Download