Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-dshwxsah78
Target bfb2d0ba26e58380d9726ff90275fd8d
SHA256 0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b
Tags urelas trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

0f09f3e21430744c3c858ea52acccae0a78e5f4877db67888907d0b524694c2b

Threat Level: Known bad

The file bfb2d0ba26e58380d9726ff90275fd8d was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Urelas family

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 03:16

Signatures

Urelas family

urelas

Unsigned PE

Description N/A
Indicator N/A
Process N/A
Target N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 03:16

Reported

2024-03-11 03:18

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description N/A
Indicator N/A
Process C:\Windows\SysWOW64\cmd.exe
Target N/A

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\huter.exe
Target N/A

Loads dropped DLL

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
Target N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe

"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 112.175.88.209:11120 - tcp
KR 112.175.88.208:11150 - tcp
KR 112.175.88.209:11170 - tcp
KR 112.175.88.207:11150 - tcp

Files

memory/1908-0-0x0000000000830000-0x000000000086D000-memory.dmp

memory/1908-8-0x0000000000410000-0x000000000044D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9b2b6a72b0390126bd9f0c14bcbae8db
SHA1 d37185b590933823b126ccf44a019173d5d2ae30
SHA256 ab9629033942bae26ad02445573bcf94471b439859cf7074c24d11372a29a507
SHA512 aebef38a95a92b56897cd23fb4a0b72de9baeb203a86b62a923422459e7a5f4a9cb0b607e43d83273ebc795636fae2723a07f78e5476e31e6d6ca48172c58358

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 ab256c064d4f0976a2f3b2d793c537a8
SHA1 fe1884631a196957a7fc210267e2bab34d7a4ad1
SHA256 0f8b69ab136d0985dc56a6d6184d620410dec86eb37d3ed3e3f3686326e9ebad
SHA512 8130cc242e0ca5d84c7d8b4034e05231587c4cd925818f4abddd0dd52f2c0e74013d963ca4591c3d0f28487c5c48d93f4a8a6a90cfb5697d9422b4a7a6d86f05

memory/2632-18-0x00000000003D0000-0x000000000040D000-memory.dmp

memory/1908-17-0x0000000000830000-0x000000000086D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7295fb9368a0ef278de4b9755bf9fa1b
SHA1 db5fa220d77ed7824ae0a4f822e0ce46010a5d77
SHA256 dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
SHA512 dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

memory/2632-21-0x00000000003D0000-0x000000000040D000-memory.dmp

memory/2632-22-0x00000000003D0000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 03:16

Reported

2024-03-11 03:18

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Key value queried
Indicator \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
Process C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe
Target N/A

Executes dropped EXE

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\huter.exe
Target N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe

"C:\Users\Admin\AppData\Local\Temp\bfb2d0ba26e58380d9726ff90275fd8d.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network


Files

memory/1932-0-0x00000000002D0000-0x000000000030D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 7c69c71697cabe4e758ed1275bae6192
SHA1 2fa83281d17947e863bd48fcff5bcce24f2f4b1e
SHA256 f3e90a7f922fda72f1007cd5ecc88e9633128af01712e724c4b9e76c765a3bf7
SHA512 27259912a900d1d2ccc3e615396a8b818c98090959b57f71a7945ac829a9bb433bd1e1cb13944667b13c9ebfc2ed4ffc4df357e0b3f186b0f2c1caa29f68281f

memory/796-10-0x0000000000A50000-0x0000000000A8D000-memory.dmp

memory/1932-14-0x00000000002D0000-0x000000000030D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 9b2b6a72b0390126bd9f0c14bcbae8db
SHA1 d37185b590933823b126ccf44a019173d5d2ae30
SHA256 ab9629033942bae26ad02445573bcf94471b439859cf7074c24d11372a29a507
SHA512 aebef38a95a92b56897cd23fb4a0b72de9baeb203a86b62a923422459e7a5f4a9cb0b607e43d83273ebc795636fae2723a07f78e5476e31e6d6ca48172c58358

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7295fb9368a0ef278de4b9755bf9fa1b
SHA1 db5fa220d77ed7824ae0a4f822e0ce46010a5d77
SHA256 dd259fcdbf04aa773ede7515d6a83e5b112ed3d9eef4632cf856771bfeaafd98
SHA512 dd1a996311188c0baa54097fc7023f13e71115265fadb9dfa35f2a8d9df8aed1e37bd00ef612577d2eb63ba1b612a7b16a765ebfce3b7c9e7efebe54890eb88a

memory/796-17-0x0000000000A50000-0x0000000000A8D000-memory.dmp

memory/796-18-0x0000000000A50000-0x0000000000A8D000-memory.dmp