urelas | 10120b4a46dc17bf459945d345486831028646bce7f80939ef61bb4441ab6a73

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
06/11/2023, 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3889e8218f3c01fea26ebd8255075710.exe
Size

144KB
MD5

3889e8218f3c01fea26ebd8255075710
SHA1

4b7cfe4a483c7e086154665190096dd3d1771e88
SHA256

10120b4a46dc17bf459945d345486831028646bce7f80939ef61bb4441ab6a73
SHA512

c81fcff77fa4c9a7aff3c29d2cf801f2aca6e57e36892ad58ea950b485f83f2bf17d398e86bb92261915d38fd4932dfcc0cd54341d230594f681bc1b34298341
SSDEEP

3072:L/5FqCxiXEcO3XfGf2tMUW6o5gRwdllDf:L/5FqCxUElfQDR5gRCj

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2960	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2408	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2408	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	28
PID 2116 wrote to memory of 2408	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	28
PID 2116 wrote to memory of 2408	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	28
PID 2116 wrote to memory of 2408	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	28
PID 2116 wrote to memory of 2960	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	29
PID 2116 wrote to memory of 2960	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	29
PID 2116 wrote to memory of 2960	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	29
PID 2116 wrote to memory of 2960	2116	NEAS.3889e8218f3c01fea26ebd8255075710.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.3889e8218f3c01fea26ebd8255075710.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3889e8218f3c01fea26ebd8255075710.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
144KB

MD5
c1c2aad3af7c914205ae06605f2f4890

SHA1
a853f8792079e45f8580b662819ccaace000d45c

SHA256
607ebe492c4dd0c5f992aff5eb5942ec7a5ba84068d3eb341a663a3b3d91aacf

SHA512
fe183bfd9abba4397df0273ddebba75857789d36e0adbd303de7ae3aa4edb8e0f4b6d96885e089dea55fa94e43e11e44902ba79f2cadac7a81612d7bb40f3543

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e2d9c84d22710b94f88db5e136efd92e

SHA1
5636678dda45ea10068357a9b17878399804aea3

SHA256
91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25

SHA512
11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
8db06a2e35d4dd302589f221d764a483

SHA1
75e686c50e318f16d47d60f16aedadbd52c634b0

SHA256
b60cd1121589f6fcc993ef69e1d60b8a37a82ec74df3f386015e99fc952645f8

SHA512
cb5a09347297f7e1f43e80ca1d1dd04f328ae0f6d95bad3cef37d20229cbd00fe9c99f4de7efa20281e7c43a054d01ca28415c9c0b894c8360c2bbe162c3832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
8db06a2e35d4dd302589f221d764a483

SHA1
75e686c50e318f16d47d60f16aedadbd52c634b0

SHA256
b60cd1121589f6fcc993ef69e1d60b8a37a82ec74df3f386015e99fc952645f8

SHA512
cb5a09347297f7e1f43e80ca1d1dd04f328ae0f6d95bad3cef37d20229cbd00fe9c99f4de7efa20281e7c43a054d01ca28415c9c0b894c8360c2bbe162c3832c

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
144KB

MD5
c1c2aad3af7c914205ae06605f2f4890

SHA1
a853f8792079e45f8580b662819ccaace000d45c

SHA256
607ebe492c4dd0c5f992aff5eb5942ec7a5ba84068d3eb341a663a3b3d91aacf

SHA512
fe183bfd9abba4397df0273ddebba75857789d36e0adbd303de7ae3aa4edb8e0f4b6d96885e089dea55fa94e43e11e44902ba79f2cadac7a81612d7bb40f3543

Download Submit
memory/2116-0-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2116-6-0x0000000000360000-0x0000000000387000-memory.dmp

Filesize
156KB

Download
memory/2116-17-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/2408-20-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/2408-21-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download