urelas | f6fa648ddfbb82204eea3c91882ea8daeef16273814954fd0df863bc79ff643f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8babe6101d1521de02ba298a97568e37.exe
Size

466KB
MD5

8babe6101d1521de02ba298a97568e37
SHA1

c850af801d79cace908b20e3008febe5ea8b14a6
SHA256

f6fa648ddfbb82204eea3c91882ea8daeef16273814954fd0df863bc79ff643f
SHA512

295b9994606838abb0fa9f4cd40c139fd796efd66f9034e9adcfba0f24c8245ea08435e78baccd17f7b8937051f2c09ccc0ca123b277aad34ad89c7b1ca98ac7
SSDEEP

12288:93CtSokfFGUMKwlTIU/b37dJ75WEe+eKTxB6mP:9x9GzHlTv/b35tecFB6S

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2708	sander.exe

Loads dropped DLL 1 IoCs

pid	Process
848	8babe6101d1521de02ba298a97568e37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2708	848	8babe6101d1521de02ba298a97568e37.exe	28
PID 848 wrote to memory of 2708	848	8babe6101d1521de02ba298a97568e37.exe	28
PID 848 wrote to memory of 2708	848	8babe6101d1521de02ba298a97568e37.exe	28
PID 848 wrote to memory of 2708	848	8babe6101d1521de02ba298a97568e37.exe	28
PID 848 wrote to memory of 2908	848	8babe6101d1521de02ba298a97568e37.exe	30
PID 848 wrote to memory of 2908	848	8babe6101d1521de02ba298a97568e37.exe	30
PID 848 wrote to memory of 2908	848	8babe6101d1521de02ba298a97568e37.exe	30
PID 848 wrote to memory of 2908	848	8babe6101d1521de02ba298a97568e37.exe	30

C:\Users\Admin\AppData\Local\Temp\8babe6101d1521de02ba298a97568e37.exe
"C:\Users\Admin\AppData\Local\Temp\8babe6101d1521de02ba298a97568e37.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
277B

MD5
66a5376dfa2747b33008bc7a14791e76

SHA1
a3ceeb63f267d266790a75b819e4ea55950a3b74

SHA256
41978a6eb291f34ac5e9ff51bf116d88001cfa6811302d80255d87635c537ed8

SHA512
f1dfa8ba758aabaf76f7d56c80f3da7b086c73f957a59ae904df6dcbf561514f57b2130718a85bbaee0bdc9cd66e5bbdcc4ea99eb8d3625b9068003fe38173d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
145cec05d8d704ff7aa3d812b1aff628

SHA1
097ae09965ed3804359803708b8af87b5b90fcbb

SHA256
66c8ae290d7cf992faf67b10d1ef8ad91857f3709f459af69b6a11f521a3aeea

SHA512
1037d7926aec2831c8b084cc19aa38ce91bc8dcff15af731ce0e7cea79fa7806d4d341a9535c39b0ccb8d6f19bc2badf6d20d3b4ab1c931cd5be6994c4323b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
298KB

MD5
3f2e5f928f7690e35be35ae7b26d6f46

SHA1
f2421537fbb4f4593ae28c044ec5067a093e09ae

SHA256
d39d53b5675fecd6dc286c117f859e1f8e03e50dffcc751c7426172ac7fe2ee7

SHA512
ffc28ada77c2f1996e5411bcc7fb464b85342c644e3ecbba87e71e1bd8c0d0c2ffad29124a9e1801146fb49a9911a4569c05e1deda16aafa268e08df7c9a9aa3

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
332KB

MD5
294dfc5cf906d095a4c4db430f820c35

SHA1
0ad9f1dba527bbe734e21843ec5d4f24f01b3f8e

SHA256
ed19c21296aaaa3d57dc7f9e47fd8f57caff56a34fe2d8c5ec032c062af61cf3

SHA512
07046e07b1284ad42e8ca82215106e634094157d8da0a33a7b4431aadfa4e231977af690a5de7dd62231a7ceaff77d3b612af8b312727d371caae20db4f8e6b1

Download Submit
memory/848-1-0x00000000010A0000-0x0000000001122000-memory.dmp

Filesize
520KB

Download
memory/848-0-0x00000000010A0000-0x0000000001122000-memory.dmp

Filesize
520KB

Download
memory/848-20-0x00000000010A0000-0x0000000001122000-memory.dmp

Filesize
520KB

Download
memory/848-17-0x0000000002630000-0x00000000026B2000-memory.dmp

Filesize
520KB

Download
memory/2708-10-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/2708-19-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/2708-23-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download
memory/2708-24-0x0000000000F10000-0x0000000000F92000-memory.dmp

Filesize
520KB

Download