urelas | 046703b8d333865f1ab97bc161df0cca8472388c6de9f817152ecfae051bb0e0

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 13:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.80732dad0cd711308fb80c593e1b4a40.exe
Size

167KB
MD5

80732dad0cd711308fb80c593e1b4a40
SHA1

59c210127a5037d54af202cb701843ec53d9a433
SHA256

046703b8d333865f1ab97bc161df0cca8472388c6de9f817152ecfae051bb0e0
SHA512

d5bcb62a8b0e62761249ad5c4c958ec71282eaca2fe898200d9e7c9758b13f882dab606641911383d7b5e059ccd4ec9e8d1e68362ca03aedd2773c8945068543
SSDEEP

3072:w9cZC4zU5jeLX7RxV1w3YS0S+5u5kLpRW:wcZC4zU5aL1oYS015jLp8

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1496	shoste.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1496	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	28
PID 2508 wrote to memory of 1496	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	28
PID 2508 wrote to memory of 1496	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	28
PID 2508 wrote to memory of 1496	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	28
PID 2508 wrote to memory of 2992	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	29
PID 2508 wrote to memory of 2992	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	29
PID 2508 wrote to memory of 2992	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	29
PID 2508 wrote to memory of 2992	2508	NEAS.80732dad0cd711308fb80c593e1b4a40.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.80732dad0cd711308fb80c593e1b4a40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.80732dad0cd711308fb80c593e1b4a40.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b80dc91d4b924877734b14d634f61fa4

SHA1
40ab1aceaa4d50e11a7b7b83a9fa0a6eea915479

SHA256
b0fe1befbd7725c7e2b7cd6de946a4308b72f155676a2c7d41782cc774d4ddd1

SHA512
597008a541ee766266f05f9a8d7801ac86a1b59acee9dd6fcd8d227923a2da9ce805d89df707dd05d93741c65317b44c92e9def1e3332175ea378cecc731de77

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
a85328021c167e95e38659b239aac214

SHA1
2d42356e648e2a4215a9ac33cba63051f725b784

SHA256
bd31bf2fbc9374e80020751263013dfa40b89d802179a23155254ebbcee0e124

SHA512
eaa9c83c36564ba869873e23e4756f05da9ee45891b6d531488494d19283d93231693543b998754ac37c72ae51c86a2a5846e5be0fb5c7a3897421a094404842

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
a85328021c167e95e38659b239aac214

SHA1
2d42356e648e2a4215a9ac33cba63051f725b784

SHA256
bd31bf2fbc9374e80020751263013dfa40b89d802179a23155254ebbcee0e124

SHA512
eaa9c83c36564ba869873e23e4756f05da9ee45891b6d531488494d19283d93231693543b998754ac37c72ae51c86a2a5846e5be0fb5c7a3897421a094404842

Download Submit
C:\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
167KB

MD5
b8a9db890dbd2d3fa4ef23127f92b921

SHA1
444c0d61a6e15ea69c7f350b678068c12289d297

SHA256
cd55f45a858a9ba600d2e10eb0eae9762e7bf9ba18d9958b8a7a19104290bc9e

SHA512
e2751f21329b8566a8397fdc7b86a4e3fdc562e43b3c6716b09b4911efa5abd2dcac199d2bc8dbed408a217af2a2c36be8adc54bf2fb532448c84c9a63beb579

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
167KB

MD5
b8a9db890dbd2d3fa4ef23127f92b921

SHA1
444c0d61a6e15ea69c7f350b678068c12289d297

SHA256
cd55f45a858a9ba600d2e10eb0eae9762e7bf9ba18d9958b8a7a19104290bc9e

SHA512
e2751f21329b8566a8397fdc7b86a4e3fdc562e43b3c6716b09b4911efa5abd2dcac199d2bc8dbed408a217af2a2c36be8adc54bf2fb532448c84c9a63beb579

Download Submit
memory/1496-9-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1496-20-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/2508-0-0x0000000000DD0000-0x0000000000DFD000-memory.dmp

Filesize
180KB

Download
memory/2508-17-0x0000000000DD0000-0x0000000000DFD000-memory.dmp

Filesize
180KB

Download