Malware Analysis Report

2025-08-05 19:40

Sample ID: 240317-k2jcdaba39
Target:    d07ae5eb7a8e9c65fd0be420c14a0bb2
SHA256:    ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d
Tags:      urelas trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:  10/10
SHA256: ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d

Threat Level: Known bad

The file d07ae5eb7a8e9c65fd0be420c14a0bb2 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-17 09:05

Signatures

Urelas family

urelas

Unsigned PE

Description: N/A
Indicator:   N/A
Process:     N/A
Target:      N/A

Analysis: behavioral2

Detonation Overview

Submitted:        2024-03-17 09:05
Reported:         2024-03-17 09:08
Platform:         win10v2004-20240226-en
Max time kernel:  149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description: Key value queried
Indicator:   \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Process:     C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe

"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain                       Proto
US       8.8.8.8:53          133.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa     udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          217.106.137.52.in-addr.arpa  udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa   udp
KR       218.54.47.76:11120                               tcp
US       8.8.8.8:53          104.219.191.52.in-addr.arpa  udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53          103.169.127.40.in-addr.arpa  udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa   udp
US       8.8.8.8:53          97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53          100.5.17.2.in-addr.arpa      udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa   udp
KR       218.54.47.74:11150                               tcp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa   udp
US       8.8.8.8:53          174.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          211.135.221.88.in-addr.arpa  udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa    udp
KR       218.54.47.76:11170                               tcp
US       8.8.8.8:53          194.178.17.96.in-addr.arpa   udp
KR       218.54.47.77:11150                               tcp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa    udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       204.79.197.200:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53          25.73.42.20.in-addr.arpa     udp

Files

memory/2352-0-0x0000000000C90000-0x0000000000CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 f44af430d6ad8e3c542b3acd781a3139
SHA1 a03a6632a2d1aad44487ad19b38adb514c5287d8
SHA256 71b5fad460ac5290dbbe3672f5dc54cf458d9eba2199f1fccff81c9915263e39
SHA512 91f6254a0f968d55f43700888704f108e079d51d7f67d1948b0e955b471ee9bf62ab957c1d1c3b72716dc3b660b27b1d4da6059d5b0f447c60a2926afd98643a

memory/4220-15-0x0000000000620000-0x0000000000652000-memory.dmp

memory/2352-17-0x0000000000C90000-0x0000000000CC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 bc1d434dffa395a95abd4d58f4d2fbdf
SHA1 f634dbbd5cd486ce545b80fcb03cdfee27f6d61f
SHA256 3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5
SHA512 1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1e75a7e32613b9d0b73f13b66c2c2f58
SHA1 035e2d6ab4ac34190f0e684681098188409e978c
SHA256 9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3
SHA512 e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

memory/4220-20-0x0000000000620000-0x0000000000652000-memory.dmp

memory/4220-21-0x0000000000620000-0x0000000000652000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted:        2024-03-17 09:05
Reported:         2024-03-17 09:08
Platform:         win7-20240220-en
Max time kernel:  118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description: N/A
Indicator:   N/A
Process:     C:\Windows\SysWOW64\cmd.exe
Target:      N/A

Executes dropped EXE

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Target:      N/A

Loads dropped DLL

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe
Target:      N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe

"C:\Users\Admin\AppData\Local\Temp\d07ae5eb7a8e9c65fd0be420c14a0bb2.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country  Destination         Domain  Proto
KR       218.54.47.76:11120          tcp
KR       218.54.47.74:11150          tcp
KR       218.54.47.76:11170          tcp
KR       218.54.47.77:11150          tcp

Files

memory/2172-0-0x0000000000840000-0x0000000000872000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 d07ae5eb7a8e9c65fd0be420c14a0bb2
SHA1 ebe8e5114b9fe1f8599b69f4de189676d6624301
SHA256 ad3fdf98b8be3c2bc0f7fe96aec6df4bd686fee78f5249cb73aeffe65540b99d
SHA512 3bce4a31d8c09ec196497ff7fc5fb534f057b18c6ca291382c06286662f220e99eb89063fce1ba6bbd5826bf9df3bf01f2fe9905f8096628836286fdf1e0e095

memory/2172-6-0x00000000003A0000-0x00000000003D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 bc1d434dffa395a95abd4d58f4d2fbdf
SHA1 f634dbbd5cd486ce545b80fcb03cdfee27f6d61f
SHA256 3399bedd7600583509c2abba117b9430dde2c884a9cb6bf86ea01a37b6b8ced5
SHA512 1a1f9d9274bb7da1287b0bf1b1cf4db1823a5ad2247644583e4e31e45307fce1ef503140f59ba11d9043701ad035c6e83ab2568b5ff0cd9fc92a7b27d76c5d1f

memory/2880-18-0x00000000011F0000-0x0000000001222000-memory.dmp

memory/2172-17-0x0000000000840000-0x0000000000872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1e75a7e32613b9d0b73f13b66c2c2f58
SHA1 035e2d6ab4ac34190f0e684681098188409e978c
SHA256 9f8aa6da5d4cd4a6f17fc229bb965d1f2525d6bc7f70ffba6a13c7e3bbd2a1f3
SHA512 e8ba9e9796b506655b9432ed7036383a3eab746a948a18df6e9598e59e6830a834e30bad7455bc22d4ae19a63f051d2aaa57b435594e881130559aac385bd8cf

memory/2880-21-0x00000000011F0000-0x0000000001222000-memory.dmp

memory/2880-22-0x00000000011F0000-0x0000000001222000-memory.dmp