Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-cq3b4saa43
Target bf94e9ea9e34e9e1d313b0b2ca4a5efa
SHA256 ac08ece39621233dc5293169ab545261c29b1039e4571f4c4d828628068797d2
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac08ece39621233dc5293169ab545261c29b1039e4571f4c4d828628068797d2

Threat Level: Known bad

The file bf94e9ea9e34e9e1d313b0b2ca4a5efa was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 02:17

Reported

2024-03-11 02:20

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe

"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3852 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
KR 112.175.88.209:11120 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
KR 112.175.88.208:11150 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 216.58.214.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/2104-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 89b09ed901ca8069e336823839364e5b
SHA1 d193d341cab80a7c912c40d8b22507e504b9417c
SHA256 ff88c8292d1bf90ca4dd94a4439a0922c18e5c1924ad5059248bc8122e4d6daa
SHA512 91bed91116727e666600cb31558f0742be2b575759932d1b566340176b5c66019ee4b8e6a8b7a1a0968491ef6f7c981f1f4c56f34c64ed6724f59506650aa316

memory/2104-16-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 7a4af96776b496c36957275df6376e0b
SHA1 84650387d66aefa18e3cba6197f74ffd70843b55
SHA256 89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce
SHA512 1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/3196-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3196-21-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3196-27-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 02:17

Reported

2024-03-11 02:20

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe

"C:\Users\Admin\AppData\Local\Temp\bf94e9ea9e34e9e1d313b0b2ca4a5efa.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp

Files

memory/2976-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 32b2f5dca650a5e555785c84a087f5ea
SHA1 c5a07f2c78295ce30321c1deeaf4dc0a95f7e8e7
SHA256 85d1b629c97ca44f467e537d1d06fc85f8916a7a45748683674d9fa76ab14777
SHA512 aa2c4fb9d557abbf4cd16ee7a6f303e7ecd67d9f8909e81a23f1e8fa2d68e1ad127419cc2ee7dda283a1a97f7b217a293d7b99eba2221db369eba9fbb455feaa

memory/2976-8-0x00000000027C0000-0x00000000027F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 7a4af96776b496c36957275df6376e0b
SHA1 84650387d66aefa18e3cba6197f74ffd70843b55
SHA256 89ace4585665c644dba1d8f2d5c8154553446eebb3e51ce2aa472b6e66e59cce
SHA512 1103bbb151a725cdb1616c4756391ba34af23a855cceb222dc14fd80b293a9f334971a9db22f75ec92adb9355c91ccc73709537f78cc500ac62d91d7f1a6864f

memory/2544-17-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2976-18-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2544-21-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2544-23-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2544-29-0x0000000000400000-0x0000000000436000-memory.dmp