Malware Analysis Report

2025-08-05 19:40

Sample ID 240317-asnkmaaa43
Target d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f
SHA256 d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f
Tags: urelas, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f

Threat Level: Known bad

The file d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, trojan

Signatures triggered (union of the static analysis and the two behavioral runs):

Urelas family / Urelas (trojan)
Detects executables built or packed with MPress PE compressor
Unsigned PE
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory

Summary: the submitted file is an unsigned, MPress-packed PE. In both detonations it writes huter.exe, golfinfo.ini and sanfdr.bat to the user's %TEMP% directory, executes huter.exe, and runs sanfdr.bat through cmd.exe (the process to which the "Deletes itself" signature is attributed in the Windows 7 run). Both runs then open TCP connections to 112.175.88.207, .208 and .209 (KR) on ports 11120, 11150 and 11170. Note that the dropped huter.exe differs between the two runs while sanfdr.bat and golfinfo.ini are byte-identical (compare the hashes in the two Files sections), so a file-hash indicator for huter.exe will not generalise; the %TEMP% file names, the sanfdr.bat hash and the network destinations are the more durable indicators.

MITRE ATT&CK (Enterprise Matrix V15)

No technique mapping is recorded in this report.

Analysis: static1

Detonation Overview

Reported

2024-03-17 00:28

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 00:28

Reported

2024-03-17 00:31

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"

Signatures

Urelas

trojan urelas

Detects executables built or packed with MPress PE compressor

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(6 matches; no indicator detail recorded for any of them)

Deletes itself

Description  Indicator  Process                      Target
N/A          N/A        C:\Windows\SysWOW64\cmd.exe  N/A

The cmd.exe instance is the one running sanfdr.bat from %TEMP% (see Processes); the contents of the batch file are not captured in this report.

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\huter.exe  N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe

"C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
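
Added example (not the sandbox's signature logic): detection of the dropper chain shown in this process list over Sysmon-style process-creation events, alerting only when a process running from %TEMP% both executes another EXE from %TEMP% and runs a %TEMP% batch file through cmd.exe. The events are constructed from the three command lines above; the cmd.exe PID, the parent PID and all parent/child links are assumed, because the report does not record them.

```python
"""Detect the Temp-resident dropper chain seen in this report: a process in
%TEMP% launches a second EXE from %TEMP% and runs a %TEMP% batch file via
cmd.exe.  Added example, not the sandbox's own signature code.  The events
are constructed; PIDs 2236 and 1584 are taken from the memory-dump names in
the Files section and assumed to belong to the sample and huter.exe, all
other PIDs and parent links are assumed."""
import re
from collections import defaultdict

# %TEMP% of an interactive user; case-insensitive, any drive letter
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# the batch path inside a  cmd /c ""X.bat" "  wrapper (doubled quotes as in the report)
BAT_RE = re.compile(r'/c\s+"*([^"]+\.bat)"', re.I)


def in_temp(path):
    return bool(TEMP_RE.match(path))


def batch_from_cmdline(cmdline):
    """Return the .bat path run by a cmd.exe command line, or None."""
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def find_temp_droppers(events):
    """events: dicts with pid, ppid, image, cmdline (Sysmon Event ID 1 style).
    Returns {parent_image: {"dropped_exe": [...], "batch": [...]}} for every
    parent in %TEMP% that both executed a %TEMP% EXE and ran a %TEMP% .bat
    through cmd.exe; either behaviour on its own does not alert."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = {}
    for pid, parent in by_pid.items():
        if not in_temp(parent["image"]):
            continue
        dropped, batches = [], []
        for child in children[pid]:
            if child["image"].lower().endswith("\\cmd.exe"):
                bat = batch_from_cmdline(child["cmdline"])
                if bat and in_temp(bat):
                    batches.append(bat)
            elif in_temp(child["image"]):
                dropped.append(child["image"])
        if dropped and batches:
            hits[parent["image"]] = {"dropped_exe": dropped, "batch": batches}
    return hits


# Constructed events modelled on behavioral1.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"
HUTER = T + r"\huter.exe"
BAT = T + r"\sanfdr.bat"
EVENTS = [
    {"pid": 2236, "ppid": 1000, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 1584, "ppid": 2236, "image": HUTER, "cmdline": '"' + HUTER + '"'},
    {"pid": 2300, "ppid": 2236, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": 'cmd /c ""' + BAT + '" "'},
    # benign control: a system binary started by the same (assumed) parent
    {"pid": 2400, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for parent, info in find_temp_droppers(EVENTS).items():
        print("dropper:", parent)
        print("  executed from %TEMP%:", info["dropped_exe"])
        print("  batch via cmd.exe:   ", info["batch"])
```

Requiring both child behaviours keeps installers that merely run a helper from %TEMP% out of the alert; the batch-through-cmd.exe leg is what distinguishes this self-cleaning dropper pattern.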

Network

Country  Destination           Domain  Proto
KR       112.175.88.209:11120  -       tcp
KR       112.175.88.208:11150  -       tcp
KR       112.175.88.209:11170  -       tcp
KR       112.175.88.207:11150  -       tcp

(- = no domain recorded; all four are direct-IP TCP connections on non-standard ports)

Files

memory/2236-0-0x0000000000400000-0x0000000000437000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 472e3caef3bbbcfb3c5557ad0ab7712b
SHA1 f4014dd25726d000ccddc384ecebeb29e725fa96
SHA256 74a38c32d59b8410348a59a67f385ae7f69be591776c9bc1db551b7aadb8bb8f
SHA512 6bd3ff8cf3962e955b5610a48f6f8c9360b9949ba9678fe554bd536d53aa735420d15baa83e0ce74407cb2d9cc93a0dca12d28533b626790dc657f614855b3cb

memory/2236-6-0x0000000002900000-0x0000000002937000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 20cf6fe7f4dc07e81666477c903c3c09
SHA1 09c8c28016bf5f5d1f211a3dd493d3e006c56fbd
SHA256 40d62f674f70fbb3dd457ee4a0684bc3588b23672ca955cf0d089390ebc1bfc7
SHA512 a778c816053a6286cd0f8a7b0690b9e439511a998276b3d5b62df2d7c84f5ea73f072a9537655e221baeb5c6c98267e568426e75512c6fbdee7ba5fed9295f02

memory/1584-11-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2236-18-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/1584-21-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1584-22-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 00:28

Reported

2024-03-17 00:31

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"

Signatures

Urelas

trojan urelas

Detects executables built or packed with MPress PE compressor

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
(5 matches; no indicator detail recorded for any of them)

Checks computer location settings

Description:  Key value queried
Indicator:    \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation
Process:      C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe
Target:       N/A

The Nation value under HKCU\Control Panel\International\Geo holds the user's Windows GeoID (the value GetUserGeoID returns), so this query reads the configured country. Malware commonly uses it to restrict or tailor behaviour to a region; the report does not show what this sample does with the result, and the signature did not fire in the Windows 7 run.

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\huter.exe  N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe

"C:\Users\Admin\AppData\Local\Temp\d67414b57b7b10f52caffc8007ef909b11b2234799d520f92390654cd7d77d3f.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            23.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                    udp
US       204.79.197.200:443    g.bing.com                    tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa     udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa      udp
KR       112.175.88.209:11120  -                             tcp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa   udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa     udp
US       8.8.8.8:53            104.241.123.92.in-addr.arpa   udp
KR       112.175.88.208:11150  -                             tcp
US       8.8.8.8:53            119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53            81.171.91.138.in-addr.arpa    udp
US       8.8.8.8:53            18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53            174.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            32.134.221.88.in-addr.arpa    udp
KR       112.175.88.209:11170  -                             tcp
GB       96.17.178.174:80      -                             tcp
GB       96.17.178.174:80      -                             tcp
GB       96.17.178.174:80      -                             tcp
US       8.8.8.8:53            -                             udp
US       8.8.8.8:53            -                             udp
KR       112.175.88.207:11150  -                             tcp
GB       96.17.178.174:80      -                             tcp
GB       96.17.178.174:80      -                             tcp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa    udp
GB       96.17.178.174:80      -                             tcp
US       8.8.8.8:53            -                             udp
GB       88.221.134.18:80      -                             tcp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53            79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53            17.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp

(- = no domain recorded)

Most rows in this Windows 10 run are background traffic rather than sample activity: DNS queries to 8.8.8.8 (the sandbox resolver), PTR lookups (in-addr.arpa) and Bing endpoints (g.bing.com and tse1.mm.bing.net at 204.79.197.200:443). The port-80 connections to 96.17.178.174 and 88.221.134.18 carry no domain and are absent from the Windows 7 run, so they should be reviewed before being treated as indicators. The four TCP connections to 112.175.88.207, .208 and .209 on ports 11120, 11150 and 11170 (KR) are the only destinations common to both runs and are the high-confidence network indicators for this sample.
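
Added example (not part of the report): triage of the two Network tables in code, separating sample-attributable connections from OS background traffic by dropping known-noise classes and then intersecting the destinations of the Windows 7 and Windows 10 runs. The connection rows are copied from the tables above (the Windows 10 list is shortened to one representative of each class); the noise classes and the resolver address are the author's assumptions about this sandbox, not something the report states.

```python
"""Triage sandbox network tables: classify each connection and keep only the
destinations that survive noise removal in every run.  Added example, not
part of the report.  Rows are copied from the report's Network tables; the
noise classes (Bing, PTR lookups, the 8.8.8.8 resolver) are assumptions."""
import re
from ipaddress import ip_address

# behavioral1 (win7): complete table
BEHAVIORAL1 = """
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp
"""

# behavioral2 (win10): one representative row per class, copied from the table
BEHAVIORAL2 = """
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
KR 112.175.88.209:11120 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
KR 112.175.88.207:11150 tcp
GB 88.221.134.18:80 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

LINE = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
                  r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
NOISE_DOMAINS = (".bing.com", ".bing.net", ".in-addr.arpa")  # assumed OS/sandbox background
RESOLVER = ("8.8.8.8", 53)                                    # assumed sandbox resolver


def parse(table):
    """Parse 'CC ip:port [domain] proto' rows into dicts."""
    rows = []
    for line in table.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            raise ValueError("unparsed row: " + line)
        row = m.groupdict()
        row["port"] = int(row["port"])
        ip_address(row["ip"])                 # reject malformed addresses early
        rows.append(row)
    return rows


def classify(row):
    """Bucket a connection: resolver traffic, OS background, direct-IP on a
    non-standard port (the sample's C2-like traffic here), or needs review."""
    if (row["ip"], row["port"]) == RESOLVER:
        return "dns-resolver"
    if row["domain"] and row["domain"].endswith(NOISE_DOMAINS):
        return "os-background"
    if row["domain"] is None and row["port"] not in (80, 443):
        return "direct-ip-nonstandard-port"
    return "review"


def sample_destinations(*tables):
    """(ip, port, proto) triples present in every run after noise removal.
    An endpoint reached on both Win7 and Win10 is unlikely to be OS background."""
    per_run = []
    for table in tables:
        per_run.append({(r["ip"], r["port"], r["proto"]) for r in parse(table)
                        if classify(r) not in ("dns-resolver", "os-background")})
    return sorted(set.intersection(*per_run))


if __name__ == "__main__":
    for row in parse(BEHAVIORAL2):
        print(f'{classify(row):28} {row["ip"]}:{row["port"]} {row["domain"] or "-"}')
    print("common to both runs:", sample_destinations(BEHAVIORAL1, BEHAVIORAL2))
```

The "review" bucket is deliberate: the port-80 connections to 96.17.178.174 and 88.221.134.18 are neither obviously noise nor confirmed by the second run, and a triage script should surface them rather than silently discard or silently block them.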

Files

memory/2356-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 d5e639216e74edd75ba4618b87e9f072
SHA1 68f07610f910541de7830d13f7b9674ebb7a3810
SHA256 e56eb2c8081ba76609fcd2a0c7f77969793c8818b843db01c06d4053e77d59c2
SHA512 e8ab9cf930aae4c70e86820e533ebdf0fab0f212cf01d9a37770e35db66ce2b45531763ecbefaf2f54338d5b97573e351dc52661f305479cb178dcca1051c9d2

memory/2356-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 20cf6fe7f4dc07e81666477c903c3c09
SHA1 09c8c28016bf5f5d1f211a3dd493d3e006c56fbd
SHA256 40d62f674f70fbb3dd457ee4a0684bc3588b23672ca955cf0d089390ebc1bfc7
SHA512 a778c816053a6286cd0f8a7b0690b9e439511a998276b3d5b62df2d7c84f5ea73f072a9537655e221baeb5c6c98267e568426e75512c6fbdee7ba5fed9295f02

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 02167b944a214fee3d34f9a7e356dc6a
SHA1 ca5b3f38a7151268726401593eb35f9b67bdde97
SHA256 77fcdadc9ba56daa81edb3f0ef876e38a8c7de56187c28c7d02992cd9e0a243d
SHA512 c8976c66724d737105a66699673052d7bc7f1e1941c91e03f97452aaba714d35b1d55434e950b00c58626b8bcf16186a731cccc503b7ba08f080ead3eaca5817

memory/4568-19-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4568-20-0x0000000000400000-0x0000000000437000-memory.dmp