Malware Analysis Report

2025-08-11 00:31

Sample ID 240310-1ehqbsce81
Target 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd
SHA256 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd

Threat Level: Known bad

The file 5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 21:33

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 21:33

Reported

2024-03-10 21:36

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nypyi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoerv.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\nypyi.exe
PID 2160 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\nypyi.exe
PID 2160 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\nypyi.exe
PID 2160 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\nypyi.exe
PID 2160 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 2056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nypyi.exe C:\Users\Admin\AppData\Local\Temp\wacoce.exe
PID 2056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nypyi.exe C:\Users\Admin\AppData\Local\Temp\wacoce.exe
PID 2056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nypyi.exe C:\Users\Admin\AppData\Local\Temp\wacoce.exe
PID 2056 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\nypyi.exe C:\Users\Admin\AppData\Local\Temp\wacoce.exe
PID 2732 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Users\Admin\AppData\Local\Temp\zoerv.exe
PID 2732 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Users\Admin\AppData\Local\Temp\zoerv.exe
PID 2732 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Users\Admin\AppData\Local\Temp\zoerv.exe
PID 2732 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Users\Admin\AppData\Local\Temp\zoerv.exe
PID 2732 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\wacoce.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe

"C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"

C:\Users\Admin\AppData\Local\Temp\nypyi.exe

"C:\Users\Admin\AppData\Local\Temp\nypyi.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\wacoce.exe

"C:\Users\Admin\AppData\Local\Temp\wacoce.exe" OK

C:\Users\Admin\AppData\Local\Temp\zoerv.exe

"C:\Users\Admin\AppData\Local\Temp\zoerv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country  Destination            Domain  Proto
KR       218.54.31.226:11110            tcp
KR       1.234.83.146:11170             tcp
KR       218.54.31.165:11110            tcp
JP       133.242.129.155:11110          tcp

Files

memory/2160-2-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nypyi.exe

MD5 e4c657701f54c67afe20dca141a87c34
SHA1 7872606463daf25632a6db6be97d8a2cabd57dc2
SHA256 e57078c57a9bda166acac8a0fffd73b25dcc012e245ec49b665ade52fb70fa85
SHA512 e587742b7fdc645d49daf58674bb41ebba02799ad17c0ddb735ed201fc8b8dbdf2d2fa820e5f8191e88d6130d2688844a869823ab6b576e919e9e4de5189fc0c

memory/2056-10-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3bb3c45b0f6568746658b0623d93dede
SHA1 91cf8e0ba4dcb7217e1d561df32a4ff288bbaa04
SHA256 c5ddb2ae90c4f32427abaaf2c3b11957a1b38074b0db47e680da0ec5c5f342a2
SHA512 06a1712a4e9355ca4254e1ea403f2cc42dfc65aa268a7ae726f4c0663f5556a0204f82b95d9f86ad715d6ac0bb2e47d3bd1375625d0bf2ab588b914cb06df7d4

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 859e8ddea4d18da5ec5e50cc770b8ddd
SHA1 4ca1a12961c54ab94119940e141f0b48ad4e65b8
SHA256 138493c37190810d388269dcde50ff3ef51c9e33739a0b82e2491e11c6ca03b7
SHA512 e061b81062c49280f11af67813047de655027d19fe22c14e8522e5cd22b83b41b5fd77aa77baecef6d66cd207b1fc4ec1b25ad1649b78fcbbfd3c0c22a967e01

memory/2160-20-0x0000000000400000-0x000000000046E000-memory.dmp

\Users\Admin\AppData\Local\Temp\wacoce.exe

MD5 1e525cded488101081f6dee303d82755
SHA1 a472c1f205d124a32ed0cf5015f5c4b2ec64ce00
SHA256 64c2166259bee4a1266f89ea0c427dcaf957f06c137421168ea2673ae20c30b4
SHA512 9855f0cad8093b2ca16276d3b9456ae71255c7d49c65e9aa430deb2bb12396e2a8f6c5332117dc329e754f61be69102907aba5d93d3f73ff4f8e7755f32aaf1d

memory/2732-27-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2056-26-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1048-48-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zoerv.exe

MD5 999e719b136207014df57c9cb02314ae
SHA1 014d33bb07a8c8ca4c6600466680d0ea6a830bc3
SHA256 0a5a15d6e4bb35d25d2bca417911971814193066d7dbb481806f47be58b283ad
SHA512 c4afe067cab9ea820d870061fb6c9b264042a8a84a7ff55494695e64db6418794744fe5df0b583e725e4baa09c9332cf1b93962b88349885a13f0c63d905e9b3

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 47516a89dce61abc3ba1899a0307ea7a
SHA1 86b7046c9bb96a0d3de71302ca8a8fa11af86683
SHA256 6fe98643eff0b3107434aefae69fc34eeb8401d6103479331a4bbcb7ada59318
SHA512 9de3fd325ea7324acfefd03a622f7755a7a823340f5e831808c7f50d8b3e2192b75856d25837ed38b616d86f5a3b0c473e1da90151b050b6da49da0a2965e5d8

memory/2732-38-0x00000000035C0000-0x0000000003660000-memory.dmp

memory/2732-47-0x0000000000400000-0x000000000046E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 21:33

Reported

2024-03-10 21:36

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\izcej.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\vukunu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\izcej.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fipys.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\fipys.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\izcej.exe
PID 3012 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\izcej.exe
PID 3012 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Users\Admin\AppData\Local\Temp\izcej.exe
PID 3012 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\izcej.exe C:\Users\Admin\AppData\Local\Temp\vukunu.exe
PID 3988 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\izcej.exe C:\Users\Admin\AppData\Local\Temp\vukunu.exe
PID 3988 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\izcej.exe C:\Users\Admin\AppData\Local\Temp\vukunu.exe
PID 4616 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Users\Admin\AppData\Local\Temp\fipys.exe
PID 4616 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Users\Admin\AppData\Local\Temp\fipys.exe
PID 4616 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Users\Admin\AppData\Local\Temp\fipys.exe
PID 4616 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\vukunu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe

"C:\Users\Admin\AppData\Local\Temp\5f0eff2c1c5e770daf710725ec3363b456d8c957e0e09cc2aeb55ba95fa5c7dd.exe"

C:\Users\Admin\AppData\Local\Temp\izcej.exe

"C:\Users\Admin\AppData\Local\Temp\izcej.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\vukunu.exe

"C:\Users\Admin\AppData\Local\Temp\vukunu.exe" OK

C:\Users\Admin\AppData\Local\Temp\fipys.exe

"C:\Users\Admin\AppData\Local\Temp\fipys.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 216

Network

Country  Destination            Domain                       Proto
US       8.8.8.8:53             64.159.190.20.in-addr.arpa   udp
US       8.8.8.8:53             190.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53             183.142.211.20.in-addr.arpa  udp
US       8.8.8.8:53             9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53             41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53             13.86.106.20.in-addr.arpa    udp
KR       218.54.31.226:11110                                 tcp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa   udp
US       8.8.8.8:53             171.39.242.20.in-addr.arpa   udp
KR       1.234.83.146:11170                                  tcp
US       8.8.8.8:53             134.71.91.104.in-addr.arpa   udp
US       8.8.8.8:53             tse1.mm.bing.net             udp
US       204.79.197.200:443     tse1.mm.bing.net             tcp
US       204.79.197.200:443     tse1.mm.bing.net             tcp
US       204.79.197.200:443     tse1.mm.bing.net             tcp
US       204.79.197.200:443     tse1.mm.bing.net             tcp
US       204.79.197.200:443     tse1.mm.bing.net             tcp
KR       218.54.31.165:11110                                 tcp
US       8.8.8.8:53             173.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53             210.178.17.96.in-addr.arpa   udp
JP       133.242.129.155:11110                               tcp
US       8.8.8.8:53             29.243.111.52.in-addr.arpa   udp

Files

memory/3012-0-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izcej.exe

MD5 f4aa09c9b2b8b01b5680ccf3a98b0be5
SHA1 5a5e1f6681a07b5695e70e789c29d89417342438
SHA256 d3cd8a8794b191a00fb1cc3016ad1d610135fc09d88b02299127d46f5525013d
SHA512 dcd7f51651cadc5a1a63ff461d745a135207197d548da4a75a8ba38581b65cd52e9894dc55106a2fecec63cb69c972704526fe2594f4411b1ca66434229c0d8b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 be51935ebf85123e37a43984b64e4900
SHA1 b9e7d121c5e750afc9bf4cced626e28f2a2026f3
SHA256 4b03cf80ef3e3f1a36b987597ce315464eade4115e4f400d48c7033ac1657dac
SHA512 df8bfe853087b1f6006f1ccda61f21f28193d00ed013684d62c8617e823573ab0eb767bebda3fe00dd7f752f7c6ab45dec3f28da001dc5d2ceba68205fc5dafd

memory/3012-15-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 859e8ddea4d18da5ec5e50cc770b8ddd
SHA1 4ca1a12961c54ab94119940e141f0b48ad4e65b8
SHA256 138493c37190810d388269dcde50ff3ef51c9e33739a0b82e2491e11c6ca03b7
SHA512 e061b81062c49280f11af67813047de655027d19fe22c14e8522e5cd22b83b41b5fd77aa77baecef6d66cd207b1fc4ec1b25ad1649b78fcbbfd3c0c22a967e01

C:\Users\Admin\AppData\Local\Temp\vukunu.exe

MD5 2bd90ee40c6a3aa648ecb03d22776698
SHA1 2791522e25619b7417ac750b1239fb7847615879
SHA256 9892a440e7a9f3f3520663682d9f40e541cea149271d070b21dd8b65f3c3c3d3
SHA512 6f05dfa3569257cee1675a876d7f04746db73c42711f0cda200e7675a0e9b9905b1d168b8750804d6f31f1180584be0db3926a6da6e828865371b9020457181e

memory/3988-23-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fipys.exe

MD5 84454cb6049881ec1b3642c92ef0b687
SHA1 056c6d2535f8fa2281fd3a20a3650316aad65795
SHA256 a1a2d68e477c7d014a92ab064efe3dcbb7539c7d39e1dc099a1690b79a54c8c8
SHA512 869afe3e24b8c12c4fc3789526d4d7dc7d415946c9dfefc2fdaebaa3144b350a7fdb6fc4fee92bd7e756c1c125c15268c49b0a91e5c47ef57acaa0c18cd74579

memory/4732-35-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4616-37-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 ad7d70ef6ffccc27bbf845dadb98fba8
SHA1 b8397a8c53c61bb23092138bd31ff1129631668e
SHA256 73f895d1ab1cc11930937334696151a43efe8b751bfff3a8ee83241b7ed4cf92
SHA512 2b1b1539e80ab5d16159607927eca7cd5d55502033ba0c98c9d063d2db3c12b4a5d25d3fbaf2351880d181abfcd468cf02e868c66b603bbe168a8fcaeb45a1de