urelas | b495a933d917284d9f35f1a013d9717c20a55bcea142ae03de6790071f0ea3d4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6fbb9f08304493011c5f575281a17200.exe
Size

77KB
MD5

6fbb9f08304493011c5f575281a17200
SHA1

bcb7cdfd873dec0827f9436cfeb9e21e8af69468
SHA256

b495a933d917284d9f35f1a013d9717c20a55bcea142ae03de6790071f0ea3d4
SHA512

92d59a578e3846c8db686ab07f76c575916fddbe978428b51d8c199b271a7c289a703d1b1a0ed3e94b6316c75fc50b57c71eb0d788fa55ef6aa10dcb978395b4
SSDEEP

1536:zxKyhnAUfUiZR9G84qk+Be/HZ17hmZp2t:zLCEZTGx518E

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.28.139

121.88.5.183

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2888	poldge.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	NEAS.6fbb9f08304493011c5f575281a17200.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2888	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	28
PID 2144 wrote to memory of 2888	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	28
PID 2144 wrote to memory of 2888	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	28
PID 2144 wrote to memory of 2888	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	28
PID 2144 wrote to memory of 2676	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	29
PID 2144 wrote to memory of 2676	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	29
PID 2144 wrote to memory of 2676	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	29
PID 2144 wrote to memory of 2676	2144	NEAS.6fbb9f08304493011c5f575281a17200.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6fbb9f08304493011c5f575281a17200.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Users\Admin\AppData\Local\Temp\poldge.exe
  "C:\Users\Admin\AppData\Local\Temp\poldge.exe"
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af6f90fee60d60070d9076eba7533c76

SHA1
015da84cb0cfce8699e8b1937dfac54a15e7e792

SHA256
14360d90f621ef9e1d84b269de67f782c9f6a904cf3226c2724d4898c157b687

SHA512
53ce60ef6f9dc9241d106d4e160833430e7855a221babf9835578096313a7a8ba1285df8d5620850ffe9f41f860e04e758a2f0be6fe688a87ea13d780234c3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
77KB

MD5
f4c49e27cf11481a022a7b114fe2eb9b

SHA1
4f4a2766337f030a270a5310c9194bf4a63085ec

SHA256
36275ca356a8124eee4083d3104f67d62510ec8efcee9ae70a4c564982d07925

SHA512
7c0db411e192fa1e6a7c455db6abfa17fb70e1d7d372681bb535a27154e1743478be99149fa1b9160b34c762df8772c49d8d75cfa1ba55a2408a2d9c7f66da23

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
253b224b4b890a6141588c3af279b4cd

SHA1
2b03fb0f093da8899a4792dec24524d6ef48d47c

SHA256
7a32edda7451cca0ead58782ed1938581f697044c3b920edd631e8c3ec96dc83

SHA512
359bcdb083bfbe4ff4a47be406fc6ba6c9e36e452e646d4b4783ecb327fc1c8599ca44e0b33ce054a5b3f5f5c92d61e6f944479c9e3965b3ac4e5558fa0afcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
253b224b4b890a6141588c3af279b4cd

SHA1
2b03fb0f093da8899a4792dec24524d6ef48d47c

SHA256
7a32edda7451cca0ead58782ed1938581f697044c3b920edd631e8c3ec96dc83

SHA512
359bcdb083bfbe4ff4a47be406fc6ba6c9e36e452e646d4b4783ecb327fc1c8599ca44e0b33ce054a5b3f5f5c92d61e6f944479c9e3965b3ac4e5558fa0afcc3

Download Submit
\Users\Admin\AppData\Local\Temp\poldge.exe

Filesize
77KB

MD5
f4c49e27cf11481a022a7b114fe2eb9b

SHA1
4f4a2766337f030a270a5310c9194bf4a63085ec

SHA256
36275ca356a8124eee4083d3104f67d62510ec8efcee9ae70a4c564982d07925

SHA512
7c0db411e192fa1e6a7c455db6abfa17fb70e1d7d372681bb535a27154e1743478be99149fa1b9160b34c762df8772c49d8d75cfa1ba55a2408a2d9c7f66da23

Download Submit
memory/2144-0-0x0000000000B00000-0x0000000000B2E000-memory.dmp

Filesize
184KB

Download
memory/2144-8-0x0000000000450000-0x000000000047E000-memory.dmp

Filesize
184KB

Download
memory/2144-18-0x0000000000B00000-0x0000000000B2E000-memory.dmp

Filesize
184KB

Download
memory/2888-17-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/2888-21-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download
memory/2888-27-0x0000000000310000-0x000000000033E000-memory.dmp

Filesize
184KB

Download