Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-smq3nsaa59
Target c0ea1f02d98705fa23f0f37da08b0b14
SHA256 69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec
Tags
urelas trojan
score
10/10

Analysis Overview

score
10/10

SHA256

69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec

Threat Level: Known bad

The file c0ea1f02d98705fa23f0f37da08b0b14 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 15:14

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 15:14

Reported

2024-03-11 15:17

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe

"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp

Files

memory/2856-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 c0ea1f02d98705fa23f0f37da08b0b14
SHA1 5a688d0be7e642aa3d7541252b9b59cf0ba217f2
SHA256 69e8d0b8e0fc8511858eabb85e1d4b5d23eaa9b3dd8adbf96b681aa1476b9cec
SHA512 3d445a1a2234affe526ce3c6f119291fb731c846706e1b0c7d6608c9bc0ce8864f167e552761cba109015576c95b9cdf152d35a3d3734649cf3c785ce496ea3e

memory/2968-10-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e0fd68b180ca3b880f1253ea525cd8a7
SHA1 2455eb699ff3fdd82160f752d48fe86ddc7462f6
SHA256 3be0e7364b79421b9f0ce4189d9131cf63d9563968912eb438b3e6af528d7631
SHA512 789099ae0edf8d5b33be0b52c6272a9f893145594ddef40e918a63bdd39e03832c8040be0cbfeeb41b7ad847acf8133af08bb6ac92a381cd0ef85144726c5021

memory/2856-17-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/2968-20-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2968-21-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 15:14

Reported

2024-03-11 15:17

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe

"C:\Users\Admin\AppData\Local\Temp\c0ea1f02d98705fa23f0f37da08b0b14.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Files

memory/624-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 2d8d926236c18f2f6bdabc62eb8f63b6
SHA1 754492fda4e35ea4896ffebfb82db2fda8a9d55f
SHA256 9d283031712325b95d21b4238738ad0d3f517948f404523dcdc107ae77d666c6
SHA512 b0e2de6f5f1c810d28e35f0044f721134c08752b79b09d10d6142a8b065479e0a264cf33a7c25d7daf1813d7da5303f7db6ad868f59bae67c8ef08d2bba0d34c

memory/624-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 e0fd68b180ca3b880f1253ea525cd8a7
SHA1 2455eb699ff3fdd82160f752d48fe86ddc7462f6
SHA256 3be0e7364b79421b9f0ce4189d9131cf63d9563968912eb438b3e6af528d7631
SHA512 789099ae0edf8d5b33be0b52c6272a9f893145594ddef40e918a63bdd39e03832c8040be0cbfeeb41b7ad847acf8133af08bb6ac92a381cd0ef85144726c5021

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/1128-19-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1128-20-0x0000000000400000-0x0000000000437000-memory.dmp