Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-2h3qcafg84
Target 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08
SHA256 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08

Threat Level: Known bad

The file 9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 22:35

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 22:35

Reported

2024-03-16 22:38

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe

"C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.47.76:11120 | | tcp
KR | 218.54.47.74:11150 | | tcp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp

Files

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 6b134de347829004a74ab81d52d64b69
SHA1 ed2b4aa0ac81ef6e85dc6ade7b8ec88db2869e5a
SHA256 2580e02f2dcb893fcd5389a8cd73c8269de1844254cf914b357f83340703733d
SHA512 839e84b4e1d105df724ecb47ec9596f0efc430e823a449df6d9578c8b1964a62b0ee3c62a7254330da7a35eb2ba987353739d5e898564905281bee92bd02ed91

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 868e95bbc0c9998d8dfe3e1f80431636
SHA1 06cf6850d8448eb5b2ef1333a724881813322165
SHA256 e46e57c26b2079a85858b9e44b98e4efb6d3bfcea2c54f7e912aa8346ee9de4c
SHA512 209468d8fb982a21b02da9dadfadc2406b247aee2998de57f0e3ed7a3520936683f1a880cd38b749404750298b74cc3efb53ba4c3f3ffe881156924c9ad495e3

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a250860c0687ed9dda488805c025a2d2
SHA1 0c181ed3b46463d35631ca169f0928c33a1da389
SHA256 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37
SHA512 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 22:35

Reported

2024-03-16 22:38

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biudfw.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe

"C:\Users\Admin\AppData\Local\Temp\9bf52f89312939e6e2d6c86c1479692a3c68698a78d46d900c37e1afc589ba08.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
KR | 218.54.47.76:11120 | | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 2.17.5.133:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
GB | 2.17.5.133:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
KR | 218.54.47.74:11150 | | tcp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp
KR | 218.54.47.76:11170 | | tcp
KR | 218.54.47.77:11150 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 3cbb37662c0688e8869a6e3102ba30f9
SHA1 272a4482a7f9c9263249037363722fc29b112539
SHA256 eee755f3a379b0ca03a0850b7722fe2dd4057c7345a58ffccec0ef94c43d05d9
SHA512 5cd5087a46a69c65e3f5db97e62fedf78925af21f460620be43730bc3a0f059e411defcc985565f74fb3f061bdccebb15ae97276157cc890efc0b687e3570330

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 868e95bbc0c9998d8dfe3e1f80431636
SHA1 06cf6850d8448eb5b2ef1333a724881813322165
SHA256 e46e57c26b2079a85858b9e44b98e4efb6d3bfcea2c54f7e912aa8346ee9de4c
SHA512 209468d8fb982a21b02da9dadfadc2406b247aee2998de57f0e3ed7a3520936683f1a880cd38b749404750298b74cc3efb53ba4c3f3ffe881156924c9ad495e3

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a250860c0687ed9dda488805c025a2d2
SHA1 0c181ed3b46463d35631ca169f0928c33a1da389
SHA256 3947c34dfc780b424a3207c6ebe12f667bcb839733107f7a94fe495ec705cb37
SHA512 0286fcd24203ef574c9fc37200e4b0e65d58296162aa89b5424ab48b814bd237e609ab7eaf42a69bdad2ab6414bfbbfaec4757e28b29c69752e0e65a653f665a