Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-n6sndshh88
Target c08c38b909af8bcd4ff86db7ce941b18
SHA256 3ed6a6178dc642ad7d4fb33f0f13561b15012d5c031424f5ee6f20ee92aef83e
Tags
urelas trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3ed6a6178dc642ad7d4fb33f0f13561b15012d5c031424f5ee6f20ee92aef83e

Threat Level: Known bad

The file c08c38b909af8bcd4ff86db7ce941b18 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-11 12:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 12:00

Reported

2024-03-11 12:03

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe

"C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | - | tcp
KR | 112.175.88.208:11150 | - | tcp
KR | 112.175.88.209:11170 | - | tcp
KR | 112.175.88.207:11150 | - | tcp

Files

memory/3048-0-0x0000000000400000-0x0000000000436000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 add8f874c84f0d94e44c50d21bf24490
SHA1 6a966a0bc637828e2a8c68d20e2305f3e36be0dc
SHA256 24fcc8f0b8c21b2e1d20f6454ea1862142012b50d91c42cf71bcfae421e762b3
SHA512 253a029290c6b859964684dec2bc16d3315fdee88a7add42198a6dd46937477ce14f16d6531be9df4095f163125474ba3ba100abd27a2388d8e6e9a2a797b341

memory/3048-6-0x0000000001D80000-0x0000000001DB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 0f11887a5b30f2407e8ef79ec28901b8
SHA1 29e8234eb652ba220aafc35c0f5c3b0444d9fd43
SHA256 1fc3b2039b132ae771964254d6e3fe2a4c172374f8d865159d3ab23acfa713a3
SHA512 5f15b26b16e551ecf20d388a4a3d1554e09a7cbfdc2824877fb58457264a06c23811ec30517cdb6d6d4d60b2dc9f471f95bac81078af8474593329a1ce25631c

memory/3048-17-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/1520-20-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1520-22-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1520-28-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 12:00

Reported

2024-03-11 12:03

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe

"C:\Users\Admin\AppData\Local\Temp\c08c38b909af8bcd4ff86db7ce941b18.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | - | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
KR | 112.175.88.208:11150 | - | tcp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp
KR | 112.175.88.209:11170 | - | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
KR | 112.175.88.207:11150 | - | tcp
US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/1128-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 add8f874c84f0d94e44c50d21bf24490
SHA1 6a966a0bc637828e2a8c68d20e2305f3e36be0dc
SHA256 24fcc8f0b8c21b2e1d20f6454ea1862142012b50d91c42cf71bcfae421e762b3
SHA512 253a029290c6b859964684dec2bc16d3315fdee88a7add42198a6dd46937477ce14f16d6531be9df4095f163125474ba3ba100abd27a2388d8e6e9a2a797b341

memory/1128-16-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 0f11887a5b30f2407e8ef79ec28901b8
SHA1 29e8234eb652ba220aafc35c0f5c3b0444d9fd43
SHA256 1fc3b2039b132ae771964254d6e3fe2a4c172374f8d865159d3ab23acfa713a3
SHA512 5f15b26b16e551ecf20d388a4a3d1554e09a7cbfdc2824877fb58457264a06c23811ec30517cdb6d6d4d60b2dc9f471f95bac81078af8474593329a1ce25631c

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/1304-19-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1304-21-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1304-27-0x0000000000400000-0x0000000000436000-memory.dmp