urelas | c8f69d94ef15e08ac5c19bf6e52c0f9d38d988dc90e6d42fd5bc043809fa0573

Analysis

max time kernel
121s
max time network
136s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe
Size

355KB
MD5

fcfeef990e9adcdb1f849dc1c9903ab0
SHA1

2c46363f64b514ebe4b0ac4f1157b9583180c861
SHA256

c8f69d94ef15e08ac5c19bf6e52c0f9d38d988dc90e6d42fd5bc043809fa0573
SHA512

6472b13546e73f601ea1449b5ec05b28b8a88d9cfa3a33e833702853e685cde6f8e642f763a71c3170bb505a8d45050fa12295f374b37edb63bdd8039bc18012
SSDEEP

6144:q09g16vl/rOlA2//whEp0Gd1EL0F921aZL1+p9XD6UFEMk02lI1:A2Ol1//whEp0Gd1E8921UCz6cEt9q

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2044	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2788	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	30
PID 2132 wrote to memory of 2788	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	30
PID 2132 wrote to memory of 2788	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	30
PID 2132 wrote to memory of 2788	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	30
PID 2132 wrote to memory of 2044	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	31
PID 2132 wrote to memory of 2044	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	31
PID 2132 wrote to memory of 2044	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	31
PID 2132 wrote to memory of 2044	2132	NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fcfeef990e9adcdb1f849dc1c9903ab0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d07ff64d03d4bccb6df3a678a0e28e82

SHA1
f60f59c065801583606be822fdf412e7b5f0c2a6

SHA256
b370aad726e60f6ee85992c68b42bd6d2f5a429b2d3d31bdf53866904ec68f70

SHA512
36bb2d96e9f5c80a7c86829436ae53934cf086c9204c9fbd4164908fcd352ec58bc28b735269c2dc50b173a10664593e7b8d7b26fff3df011c5fee8a438a30b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
355KB

MD5
a0c5bc7b1cefe3fa917bba976bd1b8c1

SHA1
5c5a1a467d772ed907762f8d8a0329373e45da31

SHA256
7b765b6c162bcaf9cd1537bfbd043ac0b623826e13136ffa77e241e1a81c3b8e

SHA512
8de9814c1082dbc418607eaeaef396091237b7693396296b77d653ebcbbb4de7f187f1fb69099f2e96212dfdaeca2e26e71f8de59487a86b6c0d8d5bf1020880

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
073def9891450a8293a32915a3568926

SHA1
d8fb7de956d7979b576e06a5cee32bc2ac6ced60

SHA256
b4a2720c9c7ba483194f1c1e53bb0d9bc8685db2bb21f534ccfcfe3619653347

SHA512
a1d2fb9a1bc4eca1c8d93de3336b29e885c805d1949ba4266ab03c2ce7543d291f982f20f6064bd6978078a7ebbfb21baaf7c6fa12b50c0974b9e07c6232e4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
073def9891450a8293a32915a3568926

SHA1
d8fb7de956d7979b576e06a5cee32bc2ac6ced60

SHA256
b4a2720c9c7ba483194f1c1e53bb0d9bc8685db2bb21f534ccfcfe3619653347

SHA512
a1d2fb9a1bc4eca1c8d93de3336b29e885c805d1949ba4266ab03c2ce7543d291f982f20f6064bd6978078a7ebbfb21baaf7c6fa12b50c0974b9e07c6232e4bc

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
355KB

MD5
a0c5bc7b1cefe3fa917bba976bd1b8c1

SHA1
5c5a1a467d772ed907762f8d8a0329373e45da31

SHA256
7b765b6c162bcaf9cd1537bfbd043ac0b623826e13136ffa77e241e1a81c3b8e

SHA512
8de9814c1082dbc418607eaeaef396091237b7693396296b77d653ebcbbb4de7f187f1fb69099f2e96212dfdaeca2e26e71f8de59487a86b6c0d8d5bf1020880

Download Submit
memory/2132-0-0x0000000000160000-0x00000000001BF000-memory.dmp

Filesize
380KB

Download
memory/2132-6-0x0000000000480000-0x00000000004DF000-memory.dmp

Filesize
380KB

Download
memory/2132-18-0x0000000000160000-0x00000000001BF000-memory.dmp

Filesize
380KB

Download
memory/2788-10-0x0000000000D90000-0x0000000000DEF000-memory.dmp

Filesize
380KB

Download
memory/2788-21-0x0000000000D90000-0x0000000000DEF000-memory.dmp

Filesize
380KB

Download
memory/2788-22-0x0000000000D90000-0x0000000000DEF000-memory.dmp

Filesize
380KB

Download