urelas | 94181c81dadb20f8c08e403539ac887ce483115f2df8d3817feab2b204b6714d

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
02-11-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5abe6d760deb88c44b47dbf866e16120.exe
Size

466KB
MD5

5abe6d760deb88c44b47dbf866e16120
SHA1

0af4527d0fe047cee6dd432d4a267631c1cee103
SHA256

94181c81dadb20f8c08e403539ac887ce483115f2df8d3817feab2b204b6714d
SHA512

c19443c2eba178afb656f088f5f0ab37fafd686642ec74d6f9d09bbd3aa0027b8b199e50f9b6aa90a5de4f0b593e75f54cd42b1783f882e8122ef3bf87e90725
SSDEEP

12288:j3CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6m8:jx9GzHlTv/b35tecFB6p

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2060	sander.exe

Loads dropped DLL 1 IoCs

pid	Process
2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2060	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	28
PID 2936 wrote to memory of 2060	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	28
PID 2936 wrote to memory of 2060	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	28
PID 2936 wrote to memory of 2060	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	28
PID 2936 wrote to memory of 2676	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	29
PID 2936 wrote to memory of 2676	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	29
PID 2936 wrote to memory of 2676	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	29
PID 2936 wrote to memory of 2676	2936	NEAS.5abe6d760deb88c44b47dbf866e16120.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5abe6d760deb88c44b47dbf866e16120.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5abe6d760deb88c44b47dbf866e16120.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
8ed9fd05d078b87e45fcc0875548650b

SHA1
27557db6ea2413136363b272601506511db133bc

SHA256
12fdfbde565264047154d1e3fe4de9b81f8d9b720dbaa69dd5b3cea957a17d79

SHA512
098d20a40fb2a24db55bb4b9459d99fdb0a91a8fc136eb0c52d337b42838fc49ddde1330746f5e962affe818499142f6d6fbad5c57ca628afec22dd33cd9cd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
8ed9fd05d078b87e45fcc0875548650b

SHA1
27557db6ea2413136363b272601506511db133bc

SHA256
12fdfbde565264047154d1e3fe4de9b81f8d9b720dbaa69dd5b3cea957a17d79

SHA512
098d20a40fb2a24db55bb4b9459d99fdb0a91a8fc136eb0c52d337b42838fc49ddde1330746f5e962affe818499142f6d6fbad5c57ca628afec22dd33cd9cd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
981d65584baec13f8a0047d082bb5794

SHA1
50c8d3393cc950fe959fcaca6a19ebcd8dea9af7

SHA256
d34d2f2bccfec92f2cf6636cb947dc9c2c6243176b8a27cc67dc8c01385440c1

SHA512
392daf758f0c64663e02fda18e581e22d82819cac4fd475957ccc1a01ef5a4708f4be77ab2abd3d4e7226e9b7968a3daef2edefbe4ee6bbc88f2d06e160e585c

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
466KB

MD5
981d65584baec13f8a0047d082bb5794

SHA1
50c8d3393cc950fe959fcaca6a19ebcd8dea9af7

SHA256
d34d2f2bccfec92f2cf6636cb947dc9c2c6243176b8a27cc67dc8c01385440c1

SHA512
392daf758f0c64663e02fda18e581e22d82819cac4fd475957ccc1a01ef5a4708f4be77ab2abd3d4e7226e9b7968a3daef2edefbe4ee6bbc88f2d06e160e585c

Download Submit
memory/2060-17-0x0000000000F20000-0x0000000000FA2000-memory.dmp

Filesize
520KB

Download
memory/2060-21-0x0000000000F20000-0x0000000000FA2000-memory.dmp

Filesize
520KB

Download
memory/2060-22-0x0000000000F20000-0x0000000000FA2000-memory.dmp

Filesize
520KB

Download
memory/2936-0-0x0000000000E20000-0x0000000000EA2000-memory.dmp

Filesize
520KB

Download
memory/2936-8-0x0000000000D80000-0x0000000000E02000-memory.dmp

Filesize
520KB

Download
memory/2936-18-0x0000000000E20000-0x0000000000EA2000-memory.dmp

Filesize
520KB

Download