Malware Analysis Report

2025-08-05 19:40

Sample ID 240317-cd5xgabg43
Target f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0
SHA256 f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0

Threat Level: Known bad

The file f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 01:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 01:58

Reported

2024-03-17 02:01

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe

"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp

Files

memory/1964-0-0x0000000000990000-0x00000000009C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 cfe18579a47456ecea45bdf185f79fa1
SHA1 9bb2fe282c0f61f15b2dd180ba82e544780e689b
SHA256 574d65b8af3759b29c233e7823707829f359f617a03e546f7710684533c09233
SHA512 0b12961dd911194dbd0c36b72f0905390c1eff25702060a88501c184c5fc7f73f64ee84d71e41626f47513e75b0a8327c774b59b8de7537fd8d9153a2130f2ae

memory/1964-6-0x0000000000670000-0x00000000006A0000-memory.dmp

memory/2972-16-0x00000000012A0000-0x00000000012D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 b3262c8533a67d54004ef6e527d9bb24
SHA1 45b6b9786078b1a8d283f9cadfebd3167180b66d
SHA256 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38
SHA512 cdb44109ce3a23121c05d14369c9a856f3e52ac3a932b59689d361f0974348ac3388b03cc5f4008a6950d090ef8e1f90658e29486f101f39a4c0a5fa07116a30

memory/1964-18-0x0000000000990000-0x00000000009C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ad66dcc3e4d62e8844a34f8e570fc21d
SHA1 5ae300786796af39a81a5f96daddbb5fd6d7ad0a
SHA256 b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1
SHA512 24ed5e4361ac13ae419cfcabed2650eb07e646f61b3d9e4d6c67d3a3ca31d7a504c015dde6e9b859d20edf03e90698fa879c4fe1c62b26238736cd8dcf390105

memory/2972-21-0x00000000012A0000-0x00000000012D0000-memory.dmp

memory/2972-23-0x00000000012A0000-0x00000000012D0000-memory.dmp

memory/2972-29-0x00000000012A0000-0x00000000012D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 01:58

Reported

2024-03-17 02:01

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huter.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe

"C:\Users\Admin\AppData\Local\Temp\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2228,i,521073434451423547,2311651514500527526,262144 --variations-seed-version /prefetch:8
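Worked example (added here; not part of the sandbox report and not code from the Urelas sample): a small Python detector replayed over the Processes lists of behavioral1 and behavioral2. It flags the two behaviours the report attributes to these processes, a .exe under \AppData\Local\Temp started by another Temp-resident process ("Executes dropped EXE"), and cmd.exe running a .bat from that same directory (the helper behind the "Deletes itself" signature, which the report pins on cmd.exe). The report prints the processes as a flat list, not a tree, so the pids and parent links in the constructed events are an assumption following listing order; the image paths and command lines are copied from the behavioral2 section. The msedge.exe utility process is included as the kind of unrelated noise the rule must ignore.

```python
"""Process-chain detection replayed over the report's process lists.

Added example, not from the report or the Urelas sample. Events are
constructed from the behavioral2 Processes section; pids and parent
links are an assumption based on listing order (the report prints no tree).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int        # hypothetical
    ppid: int       # hypothetical
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0.exe"
HUTER = TEMP + r"\huter.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events: images/command lines as printed in the report,
# pid/ppid values assumed.
EVENTS = [
    ProcessEvent(1, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2, 1, HUTER, f'"{HUTER}"'),
    ProcessEvent(3, 2, r"C:\Windows\SysWOW64\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\sanfdr.bat" "'),
    ProcessEvent(4, 0, EDGE, f'"{EDGE}" --type=utility'),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# cmd /c ""<path>.bat" " as printed in the report: one or more quotes
# after /c, then the path up to the next quote.
BAT_ARG_RE = re.compile(r'/c\s+"+([^"]+\.bat)"', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours of interest."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = _basename(e.image)
        parent = by_pid.get(e.ppid)
        if name == "cmd.exe":
            # Batch helper run from Temp: the self-deletion pattern behind the
            # report's "Deletes itself" signature (ATT&CK T1070.004).
            m = BAT_ARG_RE.search(e.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)):
                findings.append(("batch_from_temp", e.pid, m.group(1)))
        elif name.endswith(".exe") and TEMP_DIR_RE.search(e.image):
            # A Temp-resident .exe started by a *different* Temp-resident
            # process: the report's "Executes dropped EXE".
            if (parent is not None and TEMP_DIR_RE.search(parent.image)
                    and parent.image.lower() != e.image.lower()):
                findings.append(("dropped_exe_from_temp", e.pid, e.image))
    return findings


def process_chain(events, pid):
    """Image basenames from the root ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid}  chain={' > '.join(process_chain(EVENTS, pid))}")
        print(f"{'':24} {detail}")
```

The "different Temp-resident parent" condition is what keeps the dropped-EXE rule quiet on the sample itself (the sandbox launches it from Temp) and on an installer a user runs from their own Temp folder; on a real host feed it Sysmon event 1 (image, command line, parent image) or equivalent EDR process-create telemetry.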

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
KR 112.175.88.209:11120 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
KR 112.175.88.207:11150 tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
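Worked example (added here; not part of the report): triage of the Network tables from behavioral1 and behavioral2 into C2 candidates and sandbox background traffic. The rows are copied from the report (behavioral2 abridged). The rules that udp/53 rows and the googleapis.com / bing.net endpoints are noise are an analyst assumption the report does not make; HTTP(S) connections to bare IPs are left for manual review rather than dismissed. What the report does support, and what the script surfaces, is that the same four Korean endpoints on ports 11120, 11150 and 11170 are contacted in both the Win7 and the Win10 run.

```python
"""Triage of the sandbox Network tables from behavioral1 and behavioral2.

Added example, not part of the report. Rows are copied from the report
(behavioral2 abridged); the noise rules below are an analyst assumption.
"""
import ipaddress
import re
from collections import Counter

BEHAVIORAL1_NETWORK = """\
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
KR 112.175.88.207:11150 tcp
"""

BEHAVIORAL2_NETWORK = """\
US 20.231.121.79:80 tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
KR 112.175.88.209:11120 tcp
KR 112.175.88.208:11150 tcp
KR 112.175.88.209:11170 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.213.10:443 chromewebstore.googleapis.com tcp
KR 112.175.88.207:11150 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# 'Country Destination [Domain] Proto'; the Domain column is often empty.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)

# Assumption: Edge / Bing / Chrome Web Store background traffic of the
# sandbox image, not something the report asserts.
ALLOWLISTED_SUFFIXES = ("googleapis.com", "bing.net")


def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised network row: {line!r}")
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def parse_table(text):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def classify(row):
    """dns-noise / allowlisted / c2-candidate / review."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-noise"        # resolver chatter, incl. in-addr.arpa lookups
    if (row["domain"] or "").endswith(ALLOWLISTED_SUFFIXES):
        return "allowlisted"
    if row["proto"] == "tcp" and row["port"] not in (80, 443):
        return "c2-candidate"     # raw TCP to a non-standard port, no name
    return "review"               # HTTP(S) to a bare IP: look at it by hand


def c2_candidates(tables):
    """Map 'ip:port' -> number of detonations in which it was a candidate."""
    hits = Counter()
    for text in tables:
        hits.update({f"{r['ip']}:{r['port']}" for r in parse_table(text)
                     if classify(r) == "c2-candidate"})
    return dict(hits)


def c2_networks(tables, prefix=24):
    """Collapse candidate endpoints to /prefix blocks for a block rule."""
    nets = set()
    for endpoint in c2_candidates(tables):
        ip = endpoint.rsplit(":", 1)[0]
        nets.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return sorted(nets)


if __name__ == "__main__":
    runs = [BEHAVIORAL1_NETWORK, BEHAVIORAL2_NETWORK]
    for endpoint, n in sorted(c2_candidates(runs).items()):
        print(f"{endpoint:24} seen in {n}/{len(runs)} runs")
    print("blocks:", ", ".join(c2_networks(runs)))
```

Corroboration across both platforms is the useful signal here: an endpoint that only shows up in one run may be platform noise, while the 112.175.88.207-209 set on the same three high ports appears in both and is the thing worth turning into a network indicator.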

Files

memory/2052-0-0x0000000000C60000-0x0000000000C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 f1bb7b7298b5e9ab07837d5d42ebd3a1
SHA1 4dcb0f694132ba983e4180b7691e3f5ed76add4a
SHA256 bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6
SHA512 2af1da38ebd9bea09c22aa7966bdc3530126caa0e4b838f52894c32d5a7d591f8b331e8f9ac5d377eeb5b6d6a121eb5a4420fc75ab26e297e9e5e78861f9cf5b

memory/2052-10-0x0000000000C60000-0x0000000000C90000-memory.dmp

memory/4396-12-0x00000000002F0000-0x0000000000320000-memory.dmp

memory/2052-15-0x0000000000C60000-0x0000000000C90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 b3262c8533a67d54004ef6e527d9bb24
SHA1 45b6b9786078b1a8d283f9cadfebd3167180b66d
SHA256 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38
SHA512 cdb44109ce3a23121c05d14369c9a856f3e52ac3a932b59689d361f0974348ac3388b03cc5f4008a6950d090ef8e1f90658e29486f101f39a4c0a5fa07116a30

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ad66dcc3e4d62e8844a34f8e570fc21d
SHA1 5ae300786796af39a81a5f96daddbb5fd6d7ad0a
SHA256 b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1
SHA512 24ed5e4361ac13ae419cfcabed2650eb07e646f61b3d9e4d6c67d3a3ca31d7a504c015dde6e9b859d20edf03e90698fa879c4fe1c62b26238736cd8dcf390105

memory/4396-18-0x00000000002F0000-0x0000000000320000-memory.dmp

memory/4396-20-0x00000000002F0000-0x0000000000320000-memory.dmp

memory/4396-26-0x00000000002F0000-0x0000000000320000-memory.dmp
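Worked example (added here; not part of the report): a check of which dropped-file hashes survive across the two detonations. The hash rows are copied from the behavioral1 (Win7) and behavioral2 (Win10) Files tables, with the SHA512 rows left out and the memory dump entries skipped because they are not files. The point a practitioner wants from the two tables is that huter.exe carries different hashes in each run while sanfdr.bat and golfinfo.ini are byte-identical, so only the latter two (plus the parent SHA256) are usable as file-hash indicators; huter.exe has to be caught by behaviour or by the network indicators instead.

```python
"""Cross-run comparison of the dropped-file hashes in the Files tables.

Added example, not part of the report. Hash rows are copied from the
behavioral1 and behavioral2 Files tables (SHA512 rows omitted).
"""
import re

PARENT_SHA256 = "f86aef09f97fc8ce44d0eb7826a92845c74688aad8aec11d80ab6d8632b388b0"

BEHAVIORAL1_FILES = r"""
\Users\Admin\AppData\Local\Temp\huter.exe
MD5 cfe18579a47456ecea45bdf185f79fa1
SHA1 9bb2fe282c0f61f15b2dd180ba82e544780e689b
SHA256 574d65b8af3759b29c233e7823707829f359f617a03e546f7710684533c09233

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
MD5 b3262c8533a67d54004ef6e527d9bb24
SHA1 45b6b9786078b1a8d283f9cadfebd3167180b66d
SHA256 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
MD5 ad66dcc3e4d62e8844a34f8e570fc21d
SHA1 5ae300786796af39a81a5f96daddbb5fd6d7ad0a
SHA256 b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1
"""

BEHAVIORAL2_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\huter.exe
MD5 f1bb7b7298b5e9ab07837d5d42ebd3a1
SHA1 4dcb0f694132ba983e4180b7691e3f5ed76add4a
SHA256 bb234f548d5328e219355ea9533e93526932c71a7eff2f59145db77914b323b6

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
MD5 b3262c8533a67d54004ef6e527d9bb24
SHA1 45b6b9786078b1a8d283f9cadfebd3167180b66d
SHA256 6a6f9142af4836797f9217a61eb81d67c461f87a404ef8e3be6bcc5913023b38

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
MD5 ad66dcc3e4d62e8844a34f8e570fc21d
SHA1 5ae300786796af39a81a5f96daddbb5fd6d7ad0a
SHA256 b7b165b08c5e5fff025ada3ba0b814d0e1323567a23ecd89d7b6f264e48c74b1
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return {basename: {algo: digest}} from a flattened Files table."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif not m:
            # Path line. The Win7 table omits the drive letter, so key on
            # the basename to line the two runs up.
            current = line.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            files.setdefault(current, {})
    return files


def compare_runs(runs, algo="SHA256"):
    """Per file: 'stable', 'varies', or 'only in <run(s)>'."""
    parsed = {run: parse_files(text) for run, text in runs.items()}
    names = set().union(*(p.keys() for p in parsed.values()))
    verdict = {}
    for name in sorted(names):
        present = [run for run, p in parsed.items() if name in p]
        if len(present) < len(parsed):
            verdict[name] = "only in " + ", ".join(present)
            continue
        digests = {p[name].get(algo) for p in parsed.values()}
        verdict[name] = "stable" if len(digests) == 1 else "varies"
    return verdict


def stable_indicators(runs):
    """SHA256 values identical in every run, excluding the parent sample."""
    first = parse_files(next(iter(runs.values())))
    return {name: first[name]["SHA256"]
            for name, verdict in compare_runs(runs).items()
            if verdict == "stable" and first[name].get("SHA256") != PARENT_SHA256}


if __name__ == "__main__":
    runs = {"behavioral1": BEHAVIORAL1_FILES, "behavioral2": BEHAVIORAL2_FILES}
    for name, verdict in compare_runs(runs).items():
        print(f"{name:14} {verdict}")
    for name, digest in stable_indicators(runs).items():
        print(f"indicator sha256:{digest}  ({name})")
```

A payload whose hash changes per execution is a common reason a "known bad" sample's dropped files never match a blocklist; the stable artefacts (the batch helper and golfinfo.ini) and the process/network behaviour are the indicators that transfer.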