urelas | fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe
Size

284KB
MD5

1c083559ae757b8bc7e1b71d628080f7
SHA1

5a43db9d579c7684788472bc1282474c9386d2e6
SHA256

fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008
SHA512

a78136baeadf4eba2fdefb8b3471c5896bd1275bf9f32f378f585d3ff8d64e6a0eed5fd20f7e76e39233dbcbdf02494672822ee15b3fc0442843f2e45f84ce53
SSDEEP

6144:2ZibQcmlVD+BgotLvTtehd1wLIE92FJ1wZycpaiTV:20q+BgotLvTtehd1wd92FJ1yV

Score

10^/10

urelas trojan

Malware Config

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2312	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	28
PID 1300 wrote to memory of 2312	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	28
PID 1300 wrote to memory of 2312	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	28
PID 1300 wrote to memory of 2312	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	28
PID 1300 wrote to memory of 2548	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	29
PID 1300 wrote to memory of 2548	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	29
PID 1300 wrote to memory of 2548	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	29
PID 1300 wrote to memory of 2548	1300	fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe	29

C:\Users\Admin\AppData\Local\Temp\fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe
"C:\Users\Admin\AppData\Local\Temp\fd85c9d92b997414dabf102065a8057c5c5e7cca2bb8ce7c542470251c947008.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a2de452e45db47c817b5ada178bd2e83

SHA1
44b16b5c0e400a2af95299d0c08a6a4fda14bc4c

SHA256
516ba3f510ebfd821b47f63ac2c47faa15d5f2ba8732c79c0265fa8aa3ad8fd4

SHA512
8799d95d502764a4266c37c1c5fbb24fb9ab94983310962deafd5e246c5900993dffb2c2b06ab6709cc4141aab3346a9cf65b2a62744dbf11c7d381af654be85

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
7f000adfb7d130c1d0b7fffe89f8d915

SHA1
4ce2cd609f53d8dbc33df1fd6f99ad64d90438f4

SHA256
93d55e40be36c82c6c2ee541c5f2c7f9b1c7cfed9cce8e608845799d4ba1bc5d

SHA512
5a6fe4b8184069df2dc409a3068301ce5024935f7ae91cafffae8901254af463dd2f92536f3871c9ebb314bf2903004ab02089bc084fe16a19734e7c6a2a222a

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
284KB

MD5
d328a1e960d7ad7fd80ce80390ba5438

SHA1
2674ba8e3fe24f593751506431e2bec22beeb906

SHA256
35869568bae494627437769145a6cfaf6ba53bd536ff5b9fbf2101ae7507aa25

SHA512
d78abca424b2ef0a93a4252d7805904433c43d1e8518ac7a653d2fc537434ffa0c92228e2807a72f74db6b32a9dfac47e07b6b25d4b00755be6883326926a392

Download Submit