Overview

overview

10

Static

static

10

8b5af3bfd0...21.exe

windows7-x64

10

8b5af3bfd0...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 21:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe

  • Size

    343KB

  • MD5

    39d3b86f9e8cf53ae91e37b591271ea2

  • SHA1

    163cfe040644500164b2ef914cef0d00ef1225e9

  • SHA256

    8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21

  • SHA512

    cdc41c741fe321571c06bff183db762f5b74ee06b6a00afeb1335d900c4a5fb8f052930a4c77500fe5328b912dfccd0f3a8a1fecdfd2b34862b98e1f90189f2f

  • SSDEEP

    6144:SF/gEKyOAuuHcqXt96bHa+bZu0k6XCCbd2CKcwA2x9G+84AmGSncH:SF/gVyduuHv946gZ6bCbd2qspnA6g

Score
10/10
urelastrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Detects executables built or packed with MPress PE compressor 6 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe
    "C:\Users\Admin\AppData\Local\Temp\8b5af3bfd0e7ee1b5755679a196c7a651397e97e26a3eccdce31a74e310e0b21.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\hyexd.exe
      "C:\Users\Admin\AppData\Local\Temp\hyexd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\taqiy.exe
        "C:\Users\Admin\AppData\Local\Temp\taqiy.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      PID:2188

Network

    No results found
  • 218.54.31.226:11120
    hyexd.exe
    152 B
     3
  • 1.234.83.146:11170
    hyexd.exe
    152 B
     3
  • 218.54.30.235:11120
    hyexd.exe
    152 B
     3
  • 133.242.129.155:11120
    hyexd.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    b0f9901cc65a6f7a0157f6e9ab2c56d4

    SHA1

    cb282e364211b9cd63bcff73a567863780e1833f

    SHA256

    b94d08c89c87f6e4fb50258c652cc9bea4d95e2cdb671cefcc0be28c00d924b5

    SHA512

    7b1fe66e76c67bc686e583d42b6a5cb8282d5ccc3f35a3668e34f4d7b7375a76e565ed2a855dc109371a0af3f38cb8176c0aee4bff302dc8bc2b61c00d616326

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    6ee3f98eaadfb4485455f53404e76606

    SHA1

    8090fbcaa1dba544ff25d653468886e301a70f3c

    SHA256

    2bada7fb47baca8bc861fe2615180e7db109e657eca1e172bbebf218e0aed6e7

    SHA512

    fd9138264b70783dd002a3f836168f08e1f7b1bc52ca50691b7be157f7f0d33d4cb9687f25ebc203d2a1044a7f84e8eade638e37e337189570ac7d1de15147a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\taqiy.exe
    Filesize

    218KB

    MD5

    d0083f7b251a9fca40e3aee40f9587b5

    SHA1

    2328179bfef00fdc94c23a72103bd2369f53f6c2

    SHA256

    8ac577f1fd53a275a249fdc090c472a03ee6dcb6b6a4de3bbd675c18a13aa1af

    SHA512

    bdb9c3b62fbadb5c37cba778c79e5e43e0142f2b905e7d9ca8b68877cef443e0df91418df800e35548f7764f0bb1086498ccef1875ad683ea0a74b6bd9fec08a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\hyexd.exe
    Filesize

    343KB

    MD5

    82f037f5b5542cf2ced17886c6fc713b

    SHA1

    191ef8b96181a6946e9560e9e7d1161b84173cd3

    SHA256

    bdc1fad1d48cf8bdf2c6c6e534352521479defd13fa71ccbaf75d6efa4f053d3

    SHA512

    13b9515fc2ddda7b4b3ef8724cfa9d7ec6efb86b15e08d4cffb85e17c89e93c5aeba93f7b309941c5198c276d6d545ce04289e95187ede4588ed32a3227a91b8

    Download Submit

  • memory/1972-17-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1972-16-0x0000000002C80000-0x0000000002D0B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/1972-0-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-35-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-18-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2348-21-0x0000000000400000-0x000000000048B000-memory.dmp

    Filesize

    556KB

    Download

  • memory/2500-37-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-38-0x00000000001C0000-0x00000000001C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2500-40-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-41-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-42-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-43-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2500-44-0x0000000000080000-0x000000000013B000-memory.dmp

    Filesize

    748KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.