urelas | 6fc67be59975392c35d59cf8316d3788d311a79045dd8b1fc63cc2b879f74502

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.872a8871f090ce817f079b1fd6eba5d0.exe
Size

83KB
MD5

872a8871f090ce817f079b1fd6eba5d0
SHA1

be39c7abeabc7c37ddbfce5e1d4c7222946fd122
SHA256

6fc67be59975392c35d59cf8316d3788d311a79045dd8b1fc63cc2b879f74502
SHA512

7cc288ae47d59b393a2f6cbeceb1b6e1636b1a6a4d1c437bde8f02fed888a19a1c48cc14963e0cfb1eacb2fc5f1f274ab8c9acb7a10e2d754c7e89810bcdb5d3
SSDEEP

1536:71PWJsDkhsc5lw2tPZ1QF30BqIHr6jIfvx:i5l3m3aqI2Ifvx

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	poldge.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2708	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	28
PID 2888 wrote to memory of 2708	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	28
PID 2888 wrote to memory of 2708	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	28
PID 2888 wrote to memory of 2708	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	28
PID 2888 wrote to memory of 2600	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	29
PID 2888 wrote to memory of 2600	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	29
PID 2888 wrote to memory of 2600	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	29
PID 2888 wrote to memory of 2600	2888	NEAS.872a8871f090ce817f079b1fd6eba5d0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.872a8871f090ce817f079b1fd6eba5d0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.872a8871f090ce817f079b1fd6eba5d0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3f372385bf24b44385f4b1251d3aca4d

SHA1
83546de6ba8f20bd08a15896d34f6242ed64352f

SHA256
b5edef052667b8380ff98c9ff2029faaaa0b1931818a5ef011ce766193ceda27

SHA512
d2f888908ca52c1a99c3d45e83512e2eafd2cc3ae3b782ef0cc80165c4adaf7e488d1aba2028d83fc39e4b8c96c65f82436a10a94e319b9b8aec1f69cd76e5b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
83KB

MD5
ee99737ee9ba4457c6a73c8e21bc634f

SHA1
03bc4f8a35add5b56e771ebd683b6369f7fbc6a7

SHA256
d87762f29031d195c878cba57579db8f8488c738614a3b4f6ac14e37e9ba04b1

SHA512
14edd625bfb8330546879622ba3ba2f0cbadd9cc18d6e29ac4a8e5dbf360cc7b7cc45a84a491f1706157e3f649ae14439978ffb454396b84ed6e240f2982396e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
b0fe2c4db1a504925687059a864773db

SHA1
b76ad7a1d91869061efa18cb3ed212810c56dbe2

SHA256
9414174ccd3c914de75aa98301d5606de5e5e7a59bbfe6b6e6632c848c77231e

SHA512
caa8a756e9e604153daab26934e0c7c3c14df4eda495ed0d6abe5e385c679dfab5997d2239bdf74cb67d3d70f5c5904ef8e0cc86d8f6dba1bd404c5734f90e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
b0fe2c4db1a504925687059a864773db

SHA1
b76ad7a1d91869061efa18cb3ed212810c56dbe2

SHA256
9414174ccd3c914de75aa98301d5606de5e5e7a59bbfe6b6e6632c848c77231e

SHA512
caa8a756e9e604153daab26934e0c7c3c14df4eda495ed0d6abe5e385c679dfab5997d2239bdf74cb67d3d70f5c5904ef8e0cc86d8f6dba1bd404c5734f90e1a

Download Submit
\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
83KB

MD5
ee99737ee9ba4457c6a73c8e21bc634f

SHA1
03bc4f8a35add5b56e771ebd683b6369f7fbc6a7

SHA256
d87762f29031d195c878cba57579db8f8488c738614a3b4f6ac14e37e9ba04b1

SHA512
14edd625bfb8330546879622ba3ba2f0cbadd9cc18d6e29ac4a8e5dbf360cc7b7cc45a84a491f1706157e3f649ae14439978ffb454396b84ed6e240f2982396e

Download Submit
memory/2708-10-0x0000000001070000-0x000000000109E000-memory.dmp

Filesize
184KB

Download
memory/2708-21-0x0000000001070000-0x000000000109E000-memory.dmp

Filesize
184KB

Download
memory/2708-27-0x0000000001070000-0x000000000109E000-memory.dmp

Filesize
184KB

Download
memory/2888-0-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/2888-5-0x0000000001E50000-0x0000000001E7E000-memory.dmp

Filesize
184KB

Download
memory/2888-18-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download