urelas | b698a8d882738db06f6612192e1c9fa133a6d7b900e3855765fb1b0327131d3a

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.398999460d5e285dd9687ad135fb4fb0.exe
Size

74KB
MD5

398999460d5e285dd9687ad135fb4fb0
SHA1

7b102b2a42c206d6221d3da85e3c4d5c0f7cff71
SHA256

b698a8d882738db06f6612192e1c9fa133a6d7b900e3855765fb1b0327131d3a
SHA512

b5c04cc5fef0aec3590082925d92ae05ac85cb621a227827aaae671d9fea5e177ec86adfff71167217341410a23e1af7968db779068ab4309a897f929cfaf4f3
SSDEEP

1536:N9KbClKpPaKIqaqnEXOWinTLi94xdq4yY5lBqGu1:N9UClKp+qaqnE+fvGU6qE1

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2776	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	30
PID 1696 wrote to memory of 2776	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	30
PID 1696 wrote to memory of 2776	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	30
PID 1696 wrote to memory of 2776	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	30
PID 1696 wrote to memory of 572	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	31
PID 1696 wrote to memory of 572	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	31
PID 1696 wrote to memory of 572	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	31
PID 1696 wrote to memory of 572	1696	NEAS.398999460d5e285dd9687ad135fb4fb0.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.398999460d5e285dd9687ad135fb4fb0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.398999460d5e285dd9687ad135fb4fb0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9565536e11b7fe8d014b281c88ed06f

SHA1
066d4ceb3e1ca8e2500f7378c04a62fdac3eedcb

SHA256
827b6e2869972d3123239400011ece7bb74aa3d569468db74eaaf41339d375c3

SHA512
410e7c0cc2fc62470dee0398a5865ba4e408ae89b3d6b3479a60674bc2ebbddc155d6f5484779b114f281a34635a9ab65e0b6d41cb86c0bf78de444bb6b2bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
74KB

MD5
ccc3ee3ac253125205ff1245a6f44752

SHA1
855f38c396a52ddc4499a8fb58e4266741b2135e

SHA256
a0cb9bfee56b134f6c7864bea47cc09164c671f79fcbcef753ff7a7be4cf5b63

SHA512
40322a81a9e1edfe55904905daa2de9f6f5d5f5549d1f73e19a5aa0885043598c9084b7ce28450202f7a2f227c31d89edb2306005103f38f58cfbdfcd1359976

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
866e9095da4db7f14eb73520cb0ca36e

SHA1
2e9cb22410566f595f11ed825628565fb0fd57e6

SHA256
3542850adbebe8a80e251ba8a442a354fa7843e5c45ba2f560f5e3c4a450ed91

SHA512
4fe5911f8dc8bbfa37cb9a83d581ea9dc9ec469236a7b63dc1c49fd778a138bc7ae9f82584fa0681b8800097f25e1625a070f1fe97d39008d11ce96f066d907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
866e9095da4db7f14eb73520cb0ca36e

SHA1
2e9cb22410566f595f11ed825628565fb0fd57e6

SHA256
3542850adbebe8a80e251ba8a442a354fa7843e5c45ba2f560f5e3c4a450ed91

SHA512
4fe5911f8dc8bbfa37cb9a83d581ea9dc9ec469236a7b63dc1c49fd778a138bc7ae9f82584fa0681b8800097f25e1625a070f1fe97d39008d11ce96f066d907e

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
74KB

MD5
ccc3ee3ac253125205ff1245a6f44752

SHA1
855f38c396a52ddc4499a8fb58e4266741b2135e

SHA256
a0cb9bfee56b134f6c7864bea47cc09164c671f79fcbcef753ff7a7be4cf5b63

SHA512
40322a81a9e1edfe55904905daa2de9f6f5d5f5549d1f73e19a5aa0885043598c9084b7ce28450202f7a2f227c31d89edb2306005103f38f58cfbdfcd1359976

Download Submit
memory/1696-0-0x00000000009F0000-0x0000000000A1B000-memory.dmp

Filesize
172KB

Download
memory/1696-6-0x00000000005D0000-0x00000000005FB000-memory.dmp

Filesize
172KB

Download
memory/1696-17-0x00000000009F0000-0x0000000000A1B000-memory.dmp

Filesize
172KB

Download
memory/2776-20-0x0000000001270000-0x000000000129B000-memory.dmp

Filesize
172KB

Download
memory/2776-22-0x0000000001270000-0x000000000129B000-memory.dmp

Filesize
172KB

Download
memory/2776-28-0x0000000001270000-0x000000000129B000-memory.dmp

Filesize
172KB

Download