urelas | 33413b258984ae33cb8b622bdbbeec3a572ab08e4d5fd0837fb194525c036d52

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 08:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0b95b593846d690a5ea971b4c3e054e0.exe
Size

51KB
MD5

0b95b593846d690a5ea971b4c3e054e0
SHA1

94576410c6f2c9d4991075acb90e0270f2e6b503
SHA256

33413b258984ae33cb8b622bdbbeec3a572ab08e4d5fd0837fb194525c036d52
SHA512

d7f762d5e0bf20f4793ee20ee81752c203c0205b0a1ab06a208d56ec1635deff0edec1c972c7a03b846c1f97dc0558384d205cea15c73020e9070ec38bc5d9da
SSDEEP

1536:834/PC7Ruz3hRXRASULZ6JKYdbzcmhCZnUx7:It7R8fU6n8Ux7

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2428	mokdhft.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2428	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	28
PID 3068 wrote to memory of 2428	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	28
PID 3068 wrote to memory of 2428	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	28
PID 3068 wrote to memory of 2428	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	28
PID 3068 wrote to memory of 2772	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	29
PID 3068 wrote to memory of 2772	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	29
PID 3068 wrote to memory of 2772	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	29
PID 3068 wrote to memory of 2772	3068	NEAS.0b95b593846d690a5ea971b4c3e054e0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.0b95b593846d690a5ea971b4c3e054e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0b95b593846d690a5ea971b4c3e054e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\mokdhft.exe
  "C:\Users\Admin\AppData\Local\Temp\mokdhft.exe"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
39e55c2b5135dd669ad371cc03d79fc2

SHA1
d027fea84a269f8e556dfb5411ac3d01b9311017

SHA256
ecf7b9f0150af34b1d09f4602f0acf31445ff28e40b2411b0e32180bb8672919

SHA512
e75942d900b97d254097d8a44bfde16bdc99cc0f124541316a0987b2fb5433b7b1f12d4eff8b47d05e9068e7a038e4dd92998646448dcb0d6615a81a561ef280

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
51KB

MD5
823ca07593ba37a71913e3659ac05898

SHA1
8ee1993947287a9f017d983d980b2215f39a23a5

SHA256
03de51b54d4fb59222d89eaf8bd6751445416725d99ef621c5965813ac50ea32

SHA512
e0c60cdf172c36cf2cd6a7d45e54932e0ea2d96d05a55611908de8515a3cacec6eece833fb899197971847c35fc5057fbb6d8300bfb81b9c74906f2cac699705

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
dbd9f92bc16074685158ac6ccc50ba43

SHA1
f50f3605c5f8287f756638da0a41fba9e9f22cbc

SHA256
8a1f32ea3cd07fb47fb7543a119daabfab6b35196afa2dda59ee2fa28977070c

SHA512
6e1c223f9b13440440942ae6643935ad279e0e48d38a91072ce782ca6a669a728ad3cd8c5a93aa519ed4a7b896d02aa783575a2074a5019482fd253ce5cae8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
dbd9f92bc16074685158ac6ccc50ba43

SHA1
f50f3605c5f8287f756638da0a41fba9e9f22cbc

SHA256
8a1f32ea3cd07fb47fb7543a119daabfab6b35196afa2dda59ee2fa28977070c

SHA512
6e1c223f9b13440440942ae6643935ad279e0e48d38a91072ce782ca6a669a728ad3cd8c5a93aa519ed4a7b896d02aa783575a2074a5019482fd253ce5cae8f0

Download Submit
\Users\Admin\AppData\Local\Temp\mokdhft.exe

Filesize
51KB

MD5
823ca07593ba37a71913e3659ac05898

SHA1
8ee1993947287a9f017d983d980b2215f39a23a5

SHA256
03de51b54d4fb59222d89eaf8bd6751445416725d99ef621c5965813ac50ea32

SHA512
e0c60cdf172c36cf2cd6a7d45e54932e0ea2d96d05a55611908de8515a3cacec6eece833fb899197971847c35fc5057fbb6d8300bfb81b9c74906f2cac699705

Download Submit
memory/2428-10-0x0000000001310000-0x0000000001343000-memory.dmp

Filesize
204KB

Download
memory/2428-21-0x0000000001310000-0x0000000001343000-memory.dmp

Filesize
204KB

Download
memory/2428-24-0x0000000001310000-0x0000000001343000-memory.dmp

Filesize
204KB

Download
memory/2428-30-0x0000000001310000-0x0000000001343000-memory.dmp

Filesize
204KB

Download
memory/3068-0-0x0000000000130000-0x0000000000163000-memory.dmp

Filesize
204KB

Download
memory/3068-9-0x0000000002190000-0x00000000021C3000-memory.dmp

Filesize
204KB

Download
memory/3068-18-0x0000000000130000-0x0000000000163000-memory.dmp

Filesize
204KB

Download