Malware Analysis Report

2025-08-05 19:40

Sample ID: 240316-3s2fpshc43
Target:    c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e
SHA256:    c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e
Tags:      urelas, trojan
Score:     10/10


Analysis Overview

Score:        10/10
SHA256:       c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e
Threat Level: Known bad

The file c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, trojan

Urelas
Urelas family
Loads dropped DLL
Checks computer location settings
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (no techniques listed in this report)

Analysis: static1

Detonation Overview

Reported: 2024-03-16 23:47

Signatures

Urelas family
Tags: urelas

Unsigned PE
Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-03-16 23:47
Reported:         2024-03-16 23:50
Platform:         win7-20240221-en
Max time kernel:  122s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"

Signatures

Urelas
Tags: trojan, urelas

Deletes itself
Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Executes dropped EXE
Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Enumerates physical storage devices

Processes

Image:        C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"

Image:        C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

Image:        C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain  Proto
KR       218.54.47.76:11120   -       tcp
KR       218.54.47.74:11150   -       tcp
KR       218.54.47.76:11170   -       tcp
KR       218.54.47.77:11150   -       tcp

Files

Memory dumps
memory/1764-0-0x0000000000F30000-0x0000000000F57000-memory.dmp
memory/1748-9-0x0000000000E70000-0x0000000000E97000-memory.dmp
memory/1764-17-0x0000000000F30000-0x0000000000F57000-memory.dmp
memory/1748-20-0x0000000000E70000-0x0000000000E97000-memory.dmp

Dropped files

\Users\Admin\AppData\Local\Temp\biudfw.exe
MD5     2748a90c81fa5adfbc5c40c2c996e607
SHA1    3190da332d1ebb8cb699f7f09b42a4bc0033f43f
SHA256  5c77dd975ef53413f868a0e92a70eb20711a19ae70a6f3e47cf9dddcd5958e94
SHA512  93d99186d7fae6b25a4a7cd29d4ed5910745e37ec394a24fa3442c47008bc0ccbae934bd32f3e4f7fd91e6c6b83597fc6c098a838fca2dfeb4576bd085e66dfa

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
MD5     d732eaa281de751ba31a94485d3ec3ba
SHA1    0fa7f872ef8cef20902ddbf368e1675e8e6bf3de
SHA256  346a210530638d2ad77b850382def437e7667c212ec9c864ce5f092c0783a60b
SHA512  383396611aaec52532bd022e998c397814fbcfa5953c390aeafd5e4a99c71a9a4dcd622a2b53f1cd7d936f7a3093a0d97e6306cb5e36d534fee2e0798e87f02f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
MD5     e2d9c84d22710b94f88db5e136efd92e
SHA1    5636678dda45ea10068357a9b17878399804aea3
SHA256  91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25
SHA512  11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d

Analysis: behavioral2

Detonation Overview

Submitted:        2024-03-16 23:47
Reported:         2024-03-16 23:50
Platform:         win10v2004-20240226-en
Max time kernel:  144s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"

Signatures

Urelas
Tags: trojan, urelas

Checks computer location settings
Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Target:      N/A

Executes dropped EXE
Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Enumerates physical storage devices

Processes

Image:        C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe"

Image:        C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

Image:        C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa    udp
KR       218.54.47.76:11120   -                             tcp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           97.17.167.52.in-addr.arpa     udp
KR       218.54.47.74:11150   -                             tcp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp   (5 connections)
US       8.8.8.8:53           57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa   udp
KR       218.54.47.76:11170   -                             tcp
US       8.8.8.8:53           209.178.17.96.in-addr.arpa    udp
KR       218.54.47.77:11150   -                             tcp
US       8.8.8.8:53           14.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53           73.239.69.13.in-addr.arpa     udp

Files

Memory dumps
memory/3472-0-0x0000000000B20000-0x0000000000B47000-memory.dmp
memory/804-13-0x0000000000DE0000-0x0000000000E07000-memory.dmp
memory/3472-17-0x0000000000B20000-0x0000000000B47000-memory.dmp
memory/804-20-0x0000000000DE0000-0x0000000000E07000-memory.dmp

Dropped files

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
MD5     7f2e47a3e13d0de1d873024a6615453b
SHA1    922b437c6e166b6e29c3afa3e98b85880ecaef8f
SHA256  3955b655862b5ebbdfb835a4f1d50c624a0db93b3d9d96747ddf23b889af54f7
SHA512  ad9e047738cb9a913082da15291592a2c699bfbedfcaa036f4c6c898d865e202fe07e4797f0f9906a4c6a0cc7754680e4ef8851c3cb45aa2c84d25875f1fe01c

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
MD5     d732eaa281de751ba31a94485d3ec3ba
SHA1    0fa7f872ef8cef20902ddbf368e1675e8e6bf3de
SHA256  346a210530638d2ad77b850382def437e7667c212ec9c864ce5f092c0783a60b
SHA512  383396611aaec52532bd022e998c397814fbcfa5953c390aeafd5e4a99c71a9a4dcd622a2b53f1cd7d936f7a3093a0d97e6306cb5e36d534fee2e0798e87f02f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
MD5     e2d9c84d22710b94f88db5e136efd92e
SHA1    5636678dda45ea10068357a9b17878399804aea3
SHA256  91377fdab72045adb923f62c3b0b46de7360e62beaab96489eefb36dd8554f25
SHA512  11159ba71474c0fc20139e27d71e10349b486d17cdd60a1df93babf9d8f40d8ab0764a881b93472e03036a50735b2b3defc790da5519d8cf723c6de46b008f3d
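Added example: a detection rule for the behaviour chain recorded in both detonations above, written for this page and not part of the sandbox report or of any vendor's signature set. It covers the drop-and-execute of biudfw.exe and the cmd.exe /c launch of sanfdr.bat from behavioral1 (the stage the report labels "Deletes itself"; the batch file's contents are not shown, so the rule flags the cmd.exe launch rather than the deletion), the Geo\Nation registry query from behavioral2, and the tcp connections to 218.54.47.74/.76/.77 on ports 11120, 11150 and 11170 that appear in both runs. It keys on behaviour rather than on the hash of biudfw.exe because the two detonations produced biudfw.exe files with different MD5/SHA1/SHA256 values, while sanfdr.bat and golfinfo.ini hashed identically across runs. The 8.8.8.8 PTR lookups and tse1.mm.bing.net traffic appear only in the win10 run, are not attributed to a process in the report, and are left out. The pipe-separated key=value event format, the log lines, and the cmd.exe and notepad.exe PIDs are constructed for the example; PIDs 1764 and 1748 are taken from the memory-dump names in behavioral1.

```python
"""Detection logic for the Urelas behaviour chain recorded in this report.

Added example: not part of the sandbox report or of any vendor's tooling.
The event layout (one event per line, pipe-separated key=value fields) is an
assumption made for this example, not a Sysmon or sandbox export format.
"""
import ipaddress
from collections import defaultdict

# Network indicators copied from the report: every C2 host sits in one /24
# (.74, .76, .77) and only three destination ports were used, in both runs.
C2_NET = ipaddress.ip_network("218.54.47.0/24")
C2_PORTS = {11120, 11150, 11170}

# Registry value queried in behavioral2; matched by suffix because the
# user SID in the key path varies between hosts.
GEO_KEY_SUFFIX = "\\control panel\\international\\geo\\nation"

# Constructed events mirroring the report. PIDs 1764 (dropper) and 1748
# (biudfw.exe) come from the behavioral1 memory-dump names; the cmd.exe PID
# and the notepad.exe control line are invented. The registry line is the
# behavioral2 indicator, assigned here to the behavioral1 dropper PID.
SAMPLE_EVENTS = r"""
type=process|pid=1764|ppid=1200|image=C:\Users\Admin\AppData\Local\Temp\c3c50a5e04cf999e097087219f291c86ded5368a5134d2d6613939768ce2b03e.exe
type=file_write|pid=1764|path=C:\Users\Admin\AppData\Local\Temp\biudfw.exe
type=file_write|pid=1764|path=C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
type=file_write|pid=1764|path=C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
type=process|pid=1748|ppid=1764|image=C:\Users\Admin\AppData\Local\Temp\biudfw.exe
type=process|pid=1800|ppid=1764|image=C:\Windows\SysWOW64\cmd.exe|cmdline=cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat""
type=registry|pid=1764|key=\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation
type=network|pid=1748|dst=218.54.47.76|dport=11120|proto=tcp
type=network|pid=1748|dst=204.79.197.200|dport=443|proto=tcp
type=process|pid=2201|ppid=900|image=C:\Windows\System32\notepad.exe
"""


def parse_events(text):
    """Split pipe-separated key=value lines into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        event = {}
        for field in line.split("|"):
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (signature, pid, detail) tuples for the chain this report records.

    The two dropped-file checks correlate a file_write by process P with a
    later process whose parent is P, so they flag any drop-and-execute, not
    only the biudfw.exe / sanfdr.bat names seen in this sample.
    """
    written = defaultdict(set)  # pid -> basenames of files that pid wrote
    for event in events:
        if event.get("type") == "file_write":
            written[event.get("pid", "?")].add(basename(event.get("path", "")))

    hits = []
    for event in events:
        kind = event.get("type")
        pid = event.get("pid", "?")
        if kind == "process":
            image = event.get("image", "")
            parent = event.get("ppid", "")
            cmdline = event.get("cmdline", "").lower()
            if basename(image) in written[parent]:
                hits.append(("Executes dropped EXE", pid, image))
            # cmd.exe /c <batch the parent just wrote>: the stage the report
            # tags "Deletes itself". The batch contents are not in the report,
            # so the rule flags the cmd.exe launch, not the deletion itself.
            if basename(image) == "cmd.exe":
                for name in written[parent]:
                    if name.endswith(".bat") and name in cmdline:
                        hits.append(("Deletes itself (runs dropped .bat)", pid, name))
        elif kind == "registry":
            if event.get("key", "").lower().endswith(GEO_KEY_SUFFIX):
                hits.append(("Checks computer location settings", pid, event["key"]))
        elif kind == "network":
            try:
                dst = ipaddress.ip_address(event.get("dst", ""))
                port = int(event.get("dport", ""))
            except ValueError:
                continue  # malformed or missing address/port: skip, do not crash
            if dst in C2_NET and port in C2_PORTS:
                hits.append(("Urelas C2 connection", pid, f"{dst}:{port}"))
    return hits


def run_sample():
    """Run the rule over the constructed events above."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for signature, pid, detail in run_sample():
        print(f"[{signature}] pid={pid} {detail}")
```

Run the file directly to print the four hits for the constructed events (dropped EXE, dropped .bat via cmd.exe, Geo\Nation query, C2 connection); the 204.79.197.200:443 line and the notepad.exe control produce nothing. To reuse detect() on real telemetry, convert it to the same key=value shape, which is the only part of the example tied to a made-up format.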