Malware Analysis Report

2025-08-05 19:40

Sample ID: 240317-aj3m7aaa2y
Target: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610
SHA256: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610
Tags: urelas, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610
Threat Level: Known bad

The file d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-17 00:15

Signatures

Urelas family (tag: urelas)

Unsigned PE
  Description / Indicator / Process / Target: none recorded

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-17 00:15
Reported: 2024-03-17 00:17
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"

Signatures

Urelas (tags: trojan, urelas)

Deletes itself
  Process: C:\Windows\SysWOW64\cmd.exe (the instance that runs _uinsey.bat; see Processes)
  Description / Indicator / Target: none recorded

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\nyrin.exe
  Description / Indicator / Target: none recorded

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
  "C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"

C:\Users\Admin\AppData\Local\Temp\nyrin.exe
  "C:\Users\Admin\AppData\Local\Temp\nyrin.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
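The process list above shows the chain that the "Executes dropped EXE" and "Deletes itself" signatures fire on: an EXE dropped into %TEMP% is run, and cmd.exe runs a %TEMP% batch file with the `cmd /c ""<path>" "` quoting. The same chain recurs in behavioral2 with dufih.exe and a `C:\Windows\system32\cmd.exe /c` command line. The following detection logic is an example added to this report, not Triage output. The event records are constructed from the report's process lists; the `parent` values and the explorer.exe launcher are assumptions, because the report does not show parent/child relationships.

```python
"""Flag two behaviours from this report's process lists: a %TEMP% EXE launched
by another %TEMP% EXE, and cmd.exe running a %TEMP% .bat via `cmd /c ""<path>" "`.
Example code added to the report, not Triage output. Parent images are
constructed (the report lists no parents)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str    # image path of the created process
    cmdline: str  # its command line
    parent: str   # image path of the parent (constructed, see module docstring)


# %TEMP% of any user profile, e.g. C:\Users\Admin\AppData\Local\Temp\
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# cmd /c ""C:\...\x.bat" "   -- the doubled quote wraps an already-quoted path
BAT_RE = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+""([^"]+\.bat)"\s*"', re.IGNORECASE)


def in_temp(path: str) -> bool:
    return TEMP_RE.match(path) is not None


def executes_dropped_exe(ev: ProcEvent) -> bool:
    """A %TEMP% EXE started by another %TEMP% EXE: dropper launching its payload."""
    return ev.image.lower().endswith(".exe") and in_temp(ev.image) and in_temp(ev.parent)


def temp_bat_via_cmd(ev: ProcEvent) -> Optional[str]:
    """Return the batch path when cmd.exe runs a .bat from %TEMP%, else None."""
    if not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = BAT_RE.search(ev.cmdline)
    if m and in_temp(m.group(1)):
        return m.group(1)
    return None


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (finding, path) pairs in event order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if executes_dropped_exe(ev):
            findings.append(("executes_dropped_exe", ev.image))
        bat = temp_bat_via_cmd(ev)
        if bat is not None:
            findings.append(("temp_bat_via_cmd", bat))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"
NYRIN = TEMP + r"\nyrin.exe"
DUFIH = TEMP + r"\dufih.exe"
BAT = TEMP + r"\_uinsey.bat"
CMD_WOW64 = r"C:\Windows\SysWOW64\cmd.exe"
CMD_SYS32 = r"C:\Windows\system32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed launcher of the sample
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events mirroring behavioral1 (nyrin.exe) and behavioral2 (dufih.exe),
# followed by two benign records that must not fire.
EVENTS = [
    ProcEvent(SAMPLE, f'"{SAMPLE}"', EXPLORER),
    ProcEvent(NYRIN, f'"{NYRIN}"', SAMPLE),
    ProcEvent(CMD_WOW64, f'cmd /c ""{BAT}" "', NYRIN),
    ProcEvent(DUFIH, f'"{DUFIH}"', SAMPLE),
    ProcEvent(CMD_WOW64, f'{CMD_SYS32} /c ""{BAT}" "', DUFIH),
    ProcEvent(EDGE, f'"{EDGE}" --type=utility', EDGE),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Tools\build.bat"', EXPLORER),
]

if __name__ == "__main__":
    for finding, path in triage(EVENTS):
        print(f"{finding}: {path}")
```

The batch-file rule keys on the `""…" "` quoting rather than on the file name, so it also fires on the behavioral2 command line where cmd.exe is named by full path; the benign `cmd /c "C:\Tools\build.bat"` record uses ordinary quoting and a non-%TEMP% path and stays silent.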

Network

N/A

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\nyrin.exe
  MD5    562a70e375581b0366eb230d673804e2
  SHA1   02508ef528589514b4b4222a9afc5694d272c0e8
  SHA256 aeeb067361a045ae4f0e828ba8d574bd7366336f4fe025e84c03fb20618f8011
  SHA512 35a2397e338d230b7d3a6425e089feae7403bf5ad0b3c32d1c98096ced9b5498109f796882bfa04943a64fe48b4b89ecde35254ed8455550c3ba63a5469e01d8

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
  MD5    efe3a284e74e73225b2f37295f7f8c32
  SHA1   b66161ff254687c688abcf92338a38f7b1caf0fe
  SHA256 71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a
  SHA512 dc2811b0477b9d8d5afeda41cc93aa7dd3225da067e99e16aefbe236c9d9f8478667869f5d7d5d2230e87f7699c89e2bd128d77ed635928730eb23d080f55928

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    70c39d5317c368dc065cf2572ab555ee
  SHA1   e6608ee151cd5a0d512afebd7c1ff1f5559cc936
  SHA256 3a65468115898a153bd2aa172a373101becd8615478f941705924ab60f3f48bd
  SHA512 4c1e85e81a28e9809b726ce63b8dd1251edfe05f47afd8cdf1897e46c2de5aca731b2a1b42718a1e80040d321a2ce6727dc187e3e623f3e27928f4201f3708bc

Memory dumps (named by process ID, sequence number and address range)
  memory/1380-0-0x0000000000400000-0x0000000000436000-memory.dmp
  memory/1380-18-0x0000000002590000-0x00000000025C6000-memory.dmp
  memory/1380-20-0x0000000000400000-0x0000000000436000-memory.dmp
  memory/2956-21-0x0000000000400000-0x0000000000436000-memory.dmp
  memory/2956-24-0x0000000000400000-0x0000000000436000-memory.dmp

Every dumped region is 0x36000 bytes, including the 0x2590000-0x25C6000 region in process 1380; 0x400000 is the default image base of a 32-bit PE, consistent with the SysWOW64 cmd.exe seen in Processes.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-17 00:15
Reported: 2024-03-17 00:18
Platform: win10v2004-20240226-en
Max time kernel: 144s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"

Signatures

Urelas (tags: trojan, urelas)

Checks computer location settings
  Description: Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
  Target: none recorded

  The Nation value holds the user's configured geographic location (GeoID); reading it is a common way to branch on the victim's country. This is a registry read captured by the sandbox's API monitor. Sysmon registry events record key creation and deletion, value sets and renames, not reads, so this signature has no direct Sysmon equivalent.

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\dufih.exe
  Description / Indicator / Target: none recorded

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe
  "C:\Users\Admin\AppData\Local\Temp\d0c5877e5e1b83822ee1b4168df029f261ce414bc941ead51c1b176625af9610.exe"

C:\Users\Admin\AppData\Local\Temp\dufih.exe
  "C:\Users\Admin\AppData\Local\Temp\dufih.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

  The command line names C:\Windows\system32\cmd.exe but the created image is C:\Windows\SysWOW64\cmd.exe: the caller is a 32-bit process, so the WOW64 file system redirector resolves System32 to SysWOW64. Match on the image path, not the command line, when hunting for this.

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3876 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8

  A standard Edge utility child process on the Windows 10 image. The report records no parent for it, so it should not be read as something the sample launched without further evidence.

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53           17.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa    udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53           13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53           104.241.123.92.in-addr.arpa   udp
GB       142.250.187.234:443  -                             tcp
US       20.231.121.79:80     -                             tcp
US       8.8.8.8:53           119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53           42.56.20.217.in-addr.arpa     udp
US       13.107.246.64:443    -                             tcp
US       8.8.8.8:53           211.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53           43.56.20.217.in-addr.arpa     udp
US       8.8.8.8:53           171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53           45.56.20.217.in-addr.arpa     udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53           tse1.mm.bing.net              udp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp
US       204.79.197.200:443   tse1.mm.bing.net              tcp

"-" marks a connection with no recorded domain. No row is attributed to a process, and the Windows 7 run recorded no network activity at all. The in-addr.arpa rows are reverse-DNS lookups of addresses that are never themselves connected to in this run; together with the tse1.mm.bing.net traffic they are consistent with Windows 10 and Edge background activity on the analysis VM rather than with the sample. Treat none of these destinations as an indicator without corroboration.
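Separating the reverse-DNS noise from the direct connections in a table like the one above is routine when reading sandbox network output, and the in-addr.arpa names can be turned back into the addresses they ask about. The following is an example added to this report, not Triage output; the rows are the table above copied into a constructed string, and a missing third column (or a "-") is treated as no recorded domain.

```python
"""Triage of the behavioral2 network table: split reverse-DNS (PTR) lookups,
forward lookups and direct connections, and recover the IP behind each
in-addr.arpa name. Example code added to this report, not Triage output.
ROWS is the report's table copied into a constructed string."""
import ipaddress
from typing import Dict, List, Optional

ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def parse_row(line: str) -> dict:
    """Country, destination, optional domain ("-" or absent), protocol."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = "-"
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "ip": host, "port": int(port),
            "domain": None if domain == "-" else domain, "proto": proto}


def ptr_target(name: Optional[str]) -> Optional[str]:
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(rows_text: str) -> Dict[str, object]:
    ptr: List[str] = []
    dns: List[str] = []
    conns: Dict[str, Optional[str]] = {}  # "ip:port/proto" -> recorded domain
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        r = parse_row(line)
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_target(r["domain"])
            if ip is not None:
                ptr.append(ip)
            else:
                dns.append(r["domain"] or "?")
        else:
            conns.setdefault(f'{r["ip"]}:{r["port"]}/{r["proto"]}', r["domain"])
    return {"ptr_lookups": ptr, "dns_lookups": dns, "connections": conns}


def ptr_without_connection(summary: Dict[str, object]) -> List[str]:
    """PTR targets the run looked up but never connected to."""
    connected = {key.split(":")[0] for key in summary["connections"]}
    return sorted(set(summary["ptr_lookups"]) - connected)


if __name__ == "__main__":
    s = classify(ROWS)
    print(len(s["ptr_lookups"]), "PTR lookups,", len(s["connections"]), "distinct connections")
    print("PTR targets never connected to:", ptr_without_connection(s))
```

Run against the table above, the 19 in-addr.arpa rows resolve to 19 distinct addresses, none of which appears among the four connection endpoints; the only forward lookup is tse1.mm.bing.net, which is also the only connection with a domain attached.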

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\dufih.exe (first capture, as listed)
  MD5    2352b71a879a806cba7bec60575759da
  SHA1   f95e742946571477a45942a2a20a5b4c3aa08298
  SHA256 591c48118e6f6a3134254f535b16d254fe5e22384499529d24dc1fbccdbaf36d
  SHA512 3b9fb1d3c3c18603e0883c13cf106d195c6dd2ffa4e8028318d5f160ccc8af5f758b94fee2fce1c3efd9167150f8ddbb81fd91ae3bfdf18b45bc063afaee2bcd

C:\Users\Admin\AppData\Local\Temp\dufih.exe (second capture, as listed)
  MD5    617c289ddac8b0d5f78d19eb6a3edeca
  SHA1   c04959333c2e96131c8b591149a55e6bcd789f84
  SHA256 d975a861d233b486e7ecc125a2049e3f1a351842e2b37dd4fbf56ee200853b5f
  SHA512 9571c63b02ad49c6d98f3d479d7e2b0aa143a9c529d418ce272bdfd5931f4dbb4ad6645420c8f8e84f175e4ca88f34ba57fde9a50b30a9cf64ce48d8a2975ea0

  Two different digests are recorded for the same path, so the file was captured in two states during the run (for example, a partial write followed by the complete file). The report does not say which state was executed; keep both hashes but do not assume either is the on-disk payload without checking the file size.

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
  MD5    efe3a284e74e73225b2f37295f7f8c32
  SHA1   b66161ff254687c688abcf92338a38f7b1caf0fe
  SHA256 71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a
  SHA512 dc2811b0477b9d8d5afeda41cc93aa7dd3225da067e99e16aefbe236c9d9f8478667869f5d7d5d2230e87f7699c89e2bd128d77ed635928730eb23d080f55928

  Identical to the batch file from the Windows 7 run.

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  These are the digests of a zero-byte file: golfinfo.ini was empty when captured in this run (in the Windows 7 run it had content, SHA256 3a65468115898a153bd2aa172a373101becd8615478f941705924ab60f3f48bd). Do not add these values to a blocklist; they match every empty file.

Memory dumps (named by process ID, sequence number and address range)
  memory/4500-0-0x0000000000400000-0x0000000000436000-memory.dmp
  memory/4500-13-0x0000000000400000-0x0000000000436000-memory.dmp
  memory/2072-16-0x0000000000400000-0x0000000000436000-memory.dmp
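Turning the Files sections of both runs into indicators means merging duplicate entries (the same _uinsey.bat in both runs, two captures of dufih.exe) and refusing the empty-file digests recorded for golfinfo.ini in this run. The following is an example added to this report, not Triage output. The hash values are copied from the Files sections above; the byte strings passed to match() are constructed.

```python
"""IOC hygiene for the dropped-file hashes in this report: merge both runs'
Files sections into one lookup table and screen out digests of a zero-byte
file. Example code added to the report, not Triage output. Hash values are
copied from the report; test inputs to match() are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# (path, sha256) for every dropped file listed in the report, behavioral1 then behavioral2.
REPORTED: List[Tuple[str, str]] = [
    (TEMP + r"\nyrin.exe",    "aeeb067361a045ae4f0e828ba8d574bd7366336f4fe025e84c03fb20618f8011"),
    (TEMP + r"\_uinsey.bat",  "71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a"),
    (TEMP + r"\golfinfo.ini", "3a65468115898a153bd2aa172a373101becd8615478f941705924ab60f3f48bd"),
    (TEMP + r"\dufih.exe",    "591c48118e6f6a3134254f535b16d254fe5e22384499529d24dc1fbccdbaf36d"),
    (TEMP + r"\dufih.exe",    "d975a861d233b486e7ecc125a2049e3f1a351842e2b37dd4fbf56ee200853b5f"),
    (TEMP + r"\_uinsey.bat",  "71d5c10547bba70a33b5ef3ce30d69ccd639a9a667e465214db686a83b00309a"),
    (TEMP + r"\golfinfo.ini", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Digests of b"" for the algorithms sandbox reports list. Any of these in a
# blocklist would match every empty file on every host.
EMPTY_DIGESTS = {
    hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")
}


def usable_iocs(reported: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """sha256 -> unique paths it was seen at, with empty-file digests dropped."""
    iocs: Dict[str, List[str]] = {}
    for path, digest in reported:
        digest = digest.lower()
        if digest in EMPTY_DIGESTS:
            continue
        paths = iocs.setdefault(digest, [])
        if path not in paths:
            paths.append(path)
    return iocs


def dropped_empty(reported: List[Tuple[str, str]]) -> List[str]:
    """Paths whose recorded digest is that of a zero-byte file: re-capture, do not block."""
    return [path for path, digest in reported if digest.lower() in EMPTY_DIGESTS]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match(data: bytes, iocs: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the reported paths for a file's content, or None if nothing matches."""
    return iocs.get(sha256_hex(data))


if __name__ == "__main__":
    table = usable_iocs(REPORTED)
    print(len(table), "usable sha256 indicators")
    print("empty captures skipped:", dropped_empty(REPORTED))
    print("empty file matches:", match(b"", table))
```

Five usable SHA256 values come out of the seven entries: the two _uinsey.bat entries collapse into one, both dufih.exe captures are kept under their own digests, and the behavioral2 golfinfo.ini entry is rejected because its digest is that of an empty file, so an empty input no longer produces a hit.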