urelas | 69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ea1f02d98705fa23f0f37da08b0b14.exe
Size

207KB
MD5

c0ea1f02d98705fa23f0f37da08b0b14
SHA1

5a688d0be7e642aa3d7541252b9b59cf0ba217f2
SHA256

69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec
SHA512

3d445a1a2234affe526ce3c6f119291fb731c846706e1b0c7d6608c9bc0ce8864f167e552761cba109015576c95b9cdf152d35a3d3734649cf3c785ce496ea3e
SSDEEP

1536:1BucKHs7K2HEG7BpoWiZBYHs977q+7INVdU2Aneb61TVcz+3MJb6rcR6:PuchogM57bIL+eb61TVa+3MJb61

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3020	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2856	c0ea1f02d98705fa23f0f37da08b0b14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2968	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	28
PID 2856 wrote to memory of 2968	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	28
PID 2856 wrote to memory of 2968	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	28
PID 2856 wrote to memory of 2968	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	28
PID 2856 wrote to memory of 3020	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	29
PID 2856 wrote to memory of 3020	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	29
PID 2856 wrote to memory of 3020	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	29
PID 2856 wrote to memory of 3020	2856	c0ea1f02d98705fa23f0f37da08b0b14.exe	29

C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe
"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
02167b944a214fee3d34f9a7e356dc6a

SHA1
ca5b3f38a7151268726401593eb35f9b67bdde97

SHA256
77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d

SHA512
c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
e0fd68b180ca3b880f1253ea525cd8a7

SHA1
2455eb699ff3fdd82160f752d48fe86ddc7462f6

SHA256
3be0e7364b79421b9f0ce4189d9131cf63d9563968912eb438b3e6af528d7631

SHA512
789099ae0edf8d5b33be0b52c6272a9f893145594ddef40e918a63bdd39e03832c8040be0cbfeeb41b7ad847acf8133af08bb6ac92a381cd0ef85144726c5021

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
207KB

MD5
c0ea1f02d98705fa23f0f37da08b0b14

SHA1
5a688d0be7e642aa3d7541252b9b59cf0ba217f2

SHA256
69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec

SHA512
3d445a1a2234affe526ce3c6f119291fb731c846706e1b0c7d6608c9bc0ce8864f167e552761cba109015576c95b9cdf152d35a3d3734649cf3c785ce496ea3e

Download Submit
memory/2856-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2856-17-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2968-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2968-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2968-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download