urelas | ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b45f931cf10857580e832601b463bc3.exe
Size

187KB
MD5

3b45f931cf10857580e832601b463bc3
SHA1

b1c1c1c9cd8a832204fbf09cd673af7a1fee04dc
SHA256

ce089fe865d47c7a4b5dbb399229e35b30a939e52797d316fd0ec6f130cf46c8
SHA512

5f2ad53658bb9d139e99e0b6b6d64565414a691b75fb180624f836a2d131767e9c91dd5086879f5dec851a5b909f5c227b04a6afe869a45f8312e318c934b245
SSDEEP

3072:u3mvqCDm+W03RB5eUp6UlD/mUKissApfA6y4YHFad3:2mvqeP33AYFIN9treHy3

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2252	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2140	3b45f931cf10857580e832601b463bc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2320	2140	3b45f931cf10857580e832601b463bc3.exe	28
PID 2140 wrote to memory of 2320	2140	3b45f931cf10857580e832601b463bc3.exe	28
PID 2140 wrote to memory of 2320	2140	3b45f931cf10857580e832601b463bc3.exe	28
PID 2140 wrote to memory of 2320	2140	3b45f931cf10857580e832601b463bc3.exe	28
PID 2140 wrote to memory of 2252	2140	3b45f931cf10857580e832601b463bc3.exe	29
PID 2140 wrote to memory of 2252	2140	3b45f931cf10857580e832601b463bc3.exe	29
PID 2140 wrote to memory of 2252	2140	3b45f931cf10857580e832601b463bc3.exe	29
PID 2140 wrote to memory of 2252	2140	3b45f931cf10857580e832601b463bc3.exe	29

C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe
"C:\Users\Admin\AppData\Local\Temp\3b45f931cf10857580e832601b463bc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1e75a7e32613b9d0b73f13b66c2c2f58

SHA1
035e2d6ab4ac34190f0e684681098188409e978c

SHA256
9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3

SHA512
e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
cb0a8830fbf20a8d3908fbb84303c4ec

SHA1
a0f81f41530ee0c1aa27378475fa2e7a8569f015

SHA256
cec8c307ddf35cbe00de0d1c397d1db046fb119bcf55912895087db5e46b5e63

SHA512
842f9bf101c568a3731476474f4a7403ffcedf9f68385e57110ff656bf84f6d037eecf8d703acc70389d0cc9a14fb3fcfc0a7548d2c61affa52c4c572e163bf3

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
187KB

MD5
00c43448ec9819dc95fbd9328c604f77

SHA1
b5db96bb07d73e30084f775039f73efca5f184f3

SHA256
91eecd03a5550f0ee6d190c6356e5275ae1e0d3ce0fc3fded535d268ff4622df

SHA512
fc7caf17b95ea0bedb08517c488ef4792d7263ff67fd00daaeab514e8d9d91e3f69fd9c766ce376f098e6db786382ff38b627922543bcfb957112b07cd246b26

Download Submit
memory/2140-0-0x0000000001270000-0x00000000012A2000-memory.dmp

Filesize
200KB

Download
memory/2140-9-0x00000000002D0000-0x0000000000302000-memory.dmp

Filesize
200KB

Download
memory/2140-17-0x0000000001270000-0x00000000012A2000-memory.dmp

Filesize
200KB

Download
memory/2320-18-0x0000000000BD0000-0x0000000000C02000-memory.dmp

Filesize
200KB

Download
memory/2320-21-0x0000000000BD0000-0x0000000000C02000-memory.dmp

Filesize
200KB

Download
memory/2320-22-0x0000000000BD0000-0x0000000000C02000-memory.dmp

Filesize
200KB

Download