Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-1d5hpsee86
Target 7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52
SHA256 7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52

Threat Level: Known bad

The file 7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Urelas family

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 21:32

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 21:32

Reported

2024-03-16 21:35

Platform

win7-20240215-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 2196 (7 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe C:\Users\Admin\AppData\Local\Temp\huter.exe
PID 1764 wrote to memory of 2900 (4 identical entries) N/A C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe

"C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 211.57.201.131:11120 - tcp
KR 211.57.201.131:11170 - tcp

Files

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 55e10a94b3902e34a4658d89ba65c088
SHA1 e267b0f05a9b8f080383b0636e830828b34bf0d8
SHA256 7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52
SHA512 b581928c7cefd72d5980e272c136b668059b769146c44e8940bd12ab17cb912fdfd9c25770357f5207a904ec98a19ff9f4243c1d4cc2839340690fd4e3f000d2

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d388148d77b8449ac1a2587cf34a5167
SHA1 adea710e690f9a619e0bbd4a0e4d4f5195992c48
SHA256 e1ef321bd4e6fe5ec34a1719d9e79ceac6400e8867953d92b35565f9c7f50d76
SHA512 e9acbd7d167d43aac80d5e88e8be7fb31b43ac326b2fc0400f565f505908a5be8835a28c72464021ad1c915ffbd7d29f01cda102f7c90445d6ad34c9c2a886cb

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55d2fdd1432483e3ba86ebeccfe130b6
SHA1 7280b14d708800fd15303b2caa8628a0fbd7aa08
SHA256 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb
SHA512 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 21:32

Reported

2024-03-16 21:35

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe

"C:\Users\Admin\AppData\Local\Temp\7f02d1ddec3408e30540d23cb5c1c52b87cad76c81b8bdb01c0c109b2110ea52.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
KR 211.57.201.131:11120 - tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
KR 211.57.201.131:11170 - tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 eb4db9ef9bf87764a8a1bd6a63305c93
SHA1 91d8ed1077f2d7a7d7e3e3129d7d22ed8aafbaf9
SHA256 7f6f2bbfb713f8f1d8c2231c8f97d917ffce815aeb7bdea0eca989a81e5947d6
SHA512 f084f105e30297e7a5f02727ab2e90cac248973edda80ac904e5646192e777f6937badd317dd9dd3931f3b931b36614ef99d2cb821dfa8e74499f9876ed3bab5

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 d388148d77b8449ac1a2587cf34a5167
SHA1 adea710e690f9a619e0bbd4a0e4d4f5195992c48
SHA256 e1ef321bd4e6fe5ec34a1719d9e79ceac6400e8867953d92b35565f9c7f50d76
SHA512 e9acbd7d167d43aac80d5e88e8be7fb31b43ac326b2fc0400f565f505908a5be8835a28c72464021ad1c915ffbd7d29f01cda102f7c90445d6ad34c9c2a886cb

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 55d2fdd1432483e3ba86ebeccfe130b6
SHA1 7280b14d708800fd15303b2caa8628a0fbd7aa08
SHA256 5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb
SHA512 36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3