Malware Analysis Report

2025-08-11 00:31

Sample ID 240310-2fcq5sdd6x
Target 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59
SHA256 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59
Tags
urelas trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59

Threat Level: Known bad

The file 7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Urelas family

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 22:31

Signatures

Urelas family

urelas

Unsigned PE

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 22:31

Reported

2024-03-10 22:33

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe

"C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain  Proto
KR       218.54.47.76:11120           tcp
KR       218.54.47.74:11150           tcp
KR       218.54.47.76:11170           tcp
KR       218.54.47.77:11150           tcp

Files

memory/2812-0-0x0000000000960000-0x0000000000987000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e5451e5ffeb42e63dc77fefdb5ce1487
SHA1 d3970fedddbee411a7fc69ee25380b32d9ba55df
SHA256 c04c3704bd14b3cd4b8dcef9a5b5a6f7a4ae017f82de70e11c34477ebf729c8b
SHA512 a62cebc57608e9cd22a523a21048ff7383b532abbfc89cf6c27d71158ae8c492b455f241e73c3808b8726a13904d2158d6d48e836190aaf329b5f21a8716981f

memory/1496-18-0x0000000000E00000-0x0000000000E27000-memory.dmp

memory/2812-17-0x0000000000960000-0x0000000000987000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 b8177da482e6871be0a7f46509b194bf
SHA1 d8e101d7d995ad5779a00514db9de0019fd17656
SHA256 65567a41de60d406a6d14fa0c6adda4245550c2b4f3f4ef6f8ca3dd9e3bcdcbd
SHA512 a7b1035a267c055365e2ba403ec87313b991535c117512e69997fc15cc11331c3c82d3327ced0ffe7fe94381e38fa8cf8fdef93e5ed8b1667ed0841b7deb1f11

memory/2812-10-0x0000000000530000-0x0000000000557000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f0d42f2e44d35f66afa6c7a98d053021
SHA1 f874284acb7ed4b80e2733ed4f66656bd2c5447d
SHA256 d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d
SHA512 d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

memory/1496-21-0x0000000000E00000-0x0000000000E27000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 22:31

Reported

2024-03-10 22:33

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe

"C:\Users\Admin\AppData\Local\Temp\7fbb1b93f12e970445568a995b26b2327d14e64e4683082844719734fa56fe59.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           134.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa     udp
US       8.8.8.8:53           183.142.211.20.in-addr.arpa   udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
KR       218.54.47.76:11120                                 tcp
US       8.8.8.8:53           149.220.183.52.in-addr.arpa   udp
KR       218.54.47.74:11150                                 tcp
US       8.8.8.8:53           26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53           140.71.91.104.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa   udp
KR       218.54.47.76:11170                                 tcp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa    udp
KR       218.54.47.77:11150                                 tcp
US       8.8.8.8:53           11.227.111.52.in-addr.arpa    udp

Files

memory/3536-0-0x0000000000090000-0x00000000000B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 718e19a1c0f7a9eb39023bd7da27793e
SHA1 8d723737df763f87d5ef84747c0afbde9e5fbbce
SHA256 03c53026e0e2510836ad1a59371236f25718917b8fabf928b2cb0edbf68ddc0f
SHA512 6dd6e6f9fd5378db799bba789df641567a391e62d393eccba8ec36143cdc6017d317307e050c7f0a583b22b3b977eac1e120e96f268be140aa4b00b0f492ce4b

memory/4876-14-0x00000000009A0000-0x00000000009C7000-memory.dmp

memory/3536-17-0x0000000000090000-0x00000000000B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e5451e5ffeb42e63dc77fefdb5ce1487
SHA1 d3970fedddbee411a7fc69ee25380b32d9ba55df
SHA256 c04c3704bd14b3cd4b8dcef9a5b5a6f7a4ae017f82de70e11c34477ebf729c8b
SHA512 a62cebc57608e9cd22a523a21048ff7383b532abbfc89cf6c27d71158ae8c492b455f241e73c3808b8726a13904d2158d6d48e836190aaf329b5f21a8716981f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f0d42f2e44d35f66afa6c7a98d053021
SHA1 f874284acb7ed4b80e2733ed4f66656bd2c5447d
SHA256 d2060822260cd38f5fc68b1f3b9f9b787b250e1a9fa417be79cdc692ca066f8d
SHA512 d5b9a5e504276623574ba2c16e6d305c86b20ff3e6353dbe251e04287583c27d825fddfe4325530c249cc95ddd3e0674c86acdf2e7f4bd3c3404eab51c022a94

memory/4876-20-0x00000000009A0000-0x00000000009C7000-memory.dmp