Malware Analysis Report

2025-08-05 19:40

Sample ID: 240316-1a1eksed98
Target:    7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d
SHA256:    7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d
Tags:      urelas trojan
Score:     10/10


Analysis Overview

Score:        10/10
SHA256:       7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d
Threat Level: Known bad

The file 7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d was found to be: Known bad.

Malicious Activity Summary

- urelas trojan
- Urelas family
- Urelas
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks computer location settings
- Unsigned PE
- Enumerates physical storage devices
- Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15): no techniques listed in this report.

Analysis: static1

Detonation Overview

Reported: 2024-03-16 21:27

Signatures

- Urelas family
- urelas
- Unsigned PE
  Description: N/A | Indicator: N/A | Process: N/A | Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-03-16 21:27
Reported:         2024-03-16 21:30
Platform:         win7-20240221-en
Max time kernel:  117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe"

Signatures

- Urelas (trojan urelas)
- Deletes itself
  Description: N/A | Indicator: N/A | Process: C:\Windows\SysWOW64\cmd.exe | Target: N/A
- Executes dropped EXE
  Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe | Target: N/A
- Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
  "C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain  Proto
KR       112.175.88.209:11120  -       tcp
KR       112.175.88.208:11150  -       tcp
KR       112.175.88.209:11170  -       tcp
KR       112.175.88.207:11150  -       tcp

Files

memory/1956-0-0x00000000010B0000-0x00000000010D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe
  MD5    21547521a6fd3879a82439960675de00
  SHA1   b1d9197b022d8f214c69953ee8f0c1801994a563
  SHA256 e7edd3eae7e3566670fa409808132264c3bb0f07d087acabe0cedf371af8b2b5
  SHA512 71340bb609679abf1c1cd69dd786ed295a7d20d860a1da18912c3df796cc8bcd10cfd00930298f6f0c2358fa47c5c49e0623bed2e9f2eaad1b71d9a282fda2de

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  MD5    fdbefa0c1e752d50214d4c836107e114
  SHA1   432deef8edfca72a89d2c77cc2fcbb649db6ebb8
  SHA256 61d2a491d28d4cff00de84e52578ffd45047d18e5cd0b3da1f1b7a3f70d4be47
  SHA512 9956007e15aa408f2971274cbc21c70e88091cc1176bfa35adc06b9cd0fcf193dfdda659b1729913056a6e0230440a79f44a20230036869430c7210e09b7e677

memory/2624-9-0x0000000000F70000-0x0000000000F98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
  MD5    d0eca34489c003255da2ab93c491e6ee
  SHA1   a72bb0bf2f8b425f905b8357545b22db3e42821b
  SHA256 a389de244b8ffcd8dcad2dc138e688439d682c61c5114ce5ef3d31f28145cedb
  SHA512 a5b826a94bfae596d138a8fead4aadfa0ea7ac029e643c700485a16d014222862049efba8b9e1a4bb6a1694cab6a0c743e9b959763dd8a9d91b6bb7ae36fe670

memory/1956-17-0x00000000010B0000-0x00000000010D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    d8b6fb23d659bed3f6b1cf40a104e95a
  SHA1   07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952
  SHA256 f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136
  SHA512 e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

memory/2624-20-0x0000000000F70000-0x0000000000F98000-memory.dmp

memory/2624-21-0x0000000000F70000-0x0000000000F98000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-03-16 21:27
Reported:         2024-03-16 21:30
Platform:         win10v2004-20231215-en
Max time kernel:  92s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe"

Signatures

- Urelas (trojan urelas)
- Checks computer location settings
  Description: Key value queried
  Indicator:   \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  Process:     C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
  Target:      N/A
- Executes dropped EXE
  Description: N/A | Indicator: N/A | Process: C:\Users\Admin\AppData\Local\Temp\biudfw.exe | Target: N/A
- Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe
  "C:\Users\Admin\AppData\Local\Temp\7c3a4e5e2e70335a50398b338d845e0801b6977bc835bd80a6e7eddd5380a18d.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain                            Proto
US       8.8.8.8:53            196.249.167.52.in-addr.arpa       udp
US       8.8.8.8:53            209.178.17.96.in-addr.arpa        udp
US       8.8.8.8:53            23.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa       udp
KR       112.175.88.209:11120  -                                 tcp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa         udp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa        udp
KR       112.175.88.208:11150  -                                 tcp
US       8.8.8.8:53            157.123.68.40.in-addr.arpa        udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa       udp
KR       112.175.88.209:11170  -                                 tcp
US       8.8.8.8:53            186.178.17.96.in-addr.arpa        udp
KR       112.175.88.207:11150  -                                 tcp
US       8.8.8.8:53            190.178.17.96.in-addr.arpa        udp

Files

memory/3036-0-0x0000000000600000-0x0000000000628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  MD5    36bd298f96e4aaab5bb2c302b35fb2a5
  SHA1   221755e11cbff8be720bb18bbde999137c63c49e
  SHA256 144e727fd30c96907af7e7c3dc8f76af4c448ade28fa6c545dc6c2d456534763
  SHA512 0014820647403fa713902f13936cd7ce340dc07840db3a92f5c696f513b170fb9d50e10089581eb0eeeb5d0a259a411a89d5aea06100726b02390b67c113fa5a

memory/5008-15-0x0000000000F00000-0x0000000000F28000-memory.dmp

memory/3036-17-0x0000000000600000-0x0000000000628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
  MD5    d0eca34489c003255da2ab93c491e6ee
  SHA1   a72bb0bf2f8b425f905b8357545b22db3e42821b
  SHA256 a389de244b8ffcd8dcad2dc138e688439d682c61c5114ce5ef3d31f28145cedb
  SHA512 a5b826a94bfae596d138a8fead4aadfa0ea7ac029e643c700485a16d014222862049efba8b9e1a4bb6a1694cab6a0c743e9b959763dd8a9d91b6bb7ae36fe670

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    d8b6fb23d659bed3f6b1cf40a104e95a
  SHA1   07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952
  SHA256 f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136
  SHA512 e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

memory/5008-20-0x0000000000F00000-0x0000000000F28000-memory.dmp

memory/5008-21-0x0000000000F00000-0x0000000000F28000-memory.dmp