urelas | ae130229b99f6c1e716bce2186d6a269bf9f6abbdb42c040ed0b9f910e65521f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4624632352899f5b1dde2aac8902e00.exe
Size

235KB
MD5

b4624632352899f5b1dde2aac8902e00
SHA1

07ee4519a65231da6cf5ce5673eac51cd04ea1ac
SHA256

ae130229b99f6c1e716bce2186d6a269bf9f6abbdb42c040ed0b9f910e65521f
SHA512

1cedfa8b4775d20bca40cb266eb93a7a7aa1e925b402bd16d5ebb37e71b1ebe35e3cbafb63943837189ddbb51b3161cabfe15b7a6f1be694f4a4a992ac97f834
SSDEEP

3072:K8ASpvo0LKrXEX65ezpxJ2kbJ7mv73E2o/9sY2b:ZASpvo0LKkRzpxJ2kRqroib

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2908	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	b4624632352899f5b1dde2aac8902e00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2908	2896	b4624632352899f5b1dde2aac8902e00.exe	28
PID 2896 wrote to memory of 2908	2896	b4624632352899f5b1dde2aac8902e00.exe	28
PID 2896 wrote to memory of 2908	2896	b4624632352899f5b1dde2aac8902e00.exe	28
PID 2896 wrote to memory of 2908	2896	b4624632352899f5b1dde2aac8902e00.exe	28
PID 2896 wrote to memory of 2484	2896	b4624632352899f5b1dde2aac8902e00.exe	29
PID 2896 wrote to memory of 2484	2896	b4624632352899f5b1dde2aac8902e00.exe	29
PID 2896 wrote to memory of 2484	2896	b4624632352899f5b1dde2aac8902e00.exe	29
PID 2896 wrote to memory of 2484	2896	b4624632352899f5b1dde2aac8902e00.exe	29

C:\Users\Admin\AppData\Local\Temp\b4624632352899f5b1dde2aac8902e00.exe
"C:\Users\Admin\AppData\Local\Temp\b4624632352899f5b1dde2aac8902e00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7295fb9368a0ef278de4b9755bf9fa1b

SHA1
db5fa220d77ed7824ae0a4f822e0ce46010a5d77

SHA256
dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98

SHA512
dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
0c74e8951fcf496750c60c46d884d5b9

SHA1
2ee048d8dd7883f90dd572848f93e5f5f6e031e0

SHA256
68d4d439e8a86141e109ec8c534bd437d28d1b23fb14a19ba8adc6415dc599dd

SHA512
7454c4a448cff6206a20af18b47e00737fcd2d8cb2bae8b12461ddf3f462d765537d492e0b4ef5d5570ab177ffda4a405e819ac0dcb64b843221ad84854b9f01

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
235KB

MD5
b4624632352899f5b1dde2aac8902e00

SHA1
07ee4519a65231da6cf5ce5673eac51cd04ea1ac

SHA256
ae130229b99f6c1e716bce2186d6a269bf9f6abbdb42c040ed0b9f910e65521f

SHA512
1cedfa8b4775d20bca40cb266eb93a7a7aa1e925b402bd16d5ebb37e71b1ebe35e3cbafb63943837189ddbb51b3161cabfe15b7a6f1be694f4a4a992ac97f834

Download Submit
memory/2896-0-0x0000000000E30000-0x0000000000E6D000-memory.dmp

Filesize
244KB

Download
memory/2896-10-0x0000000000DF0000-0x0000000000E2D000-memory.dmp

Filesize
244KB

Download
memory/2896-17-0x0000000000E30000-0x0000000000E6D000-memory.dmp

Filesize
244KB

Download
memory/2908-18-0x0000000000DF0000-0x0000000000E2D000-memory.dmp

Filesize
244KB

Download
memory/2908-21-0x0000000000DF0000-0x0000000000E2D000-memory.dmp

Filesize
244KB

Download
memory/2908-22-0x0000000000DF0000-0x0000000000E2D000-memory.dmp

Filesize
244KB

Download