Malware Analysis Report

2025-08-05 19:40

Sample ID 240317-vr39xabe61
Target d16d445722fcebd5b2c37bfe3ff79036
SHA256 fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a
Tags urelas trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

fee37357fdf781f827d0c1231eadf4a30b66f6081ee04ca57cbc9a5100c7540a

Threat Level: Known bad

The file d16d445722fcebd5b2c37bfe3ff79036 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 17:14

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 17:14

Reported

2024-03-17 17:16

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe

"C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country Destination Domain Proto
KR 218.54.47.76:11120 - tcp
KR 218.54.47.74:11150 - tcp
KR 218.54.47.76:11170 - tcp
KR 218.54.47.77:11150 - tcp

Files

memory/1556-0-0x00000000001F0000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 3a34d8f9b601456c000ca2655b553c76
SHA1 ca18fb77803e0e27f212d483b1f07f8dabd5abfd
SHA256 b48ba6dc5422a03534b2b0c3b5938f1abe8cd3ca815be69627b19154fabce5aa
SHA512 68c31ca487a43773301b2272b0fbe628d6b5be62f1ccf4b6340b107023e396c436ca0d55c1ed0949e0ce43be546c677e0bc492c88c2566af601574374072e168

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 84f7ac848c93111d2cf12ba7c7c87c36
SHA1 8bfb3409486b626307c09badd688c726ca3c5b76
SHA256 3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
SHA512 7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78

memory/2172-9-0x0000000000F90000-0x0000000000FC1000-memory.dmp

memory/1556-17-0x00000000001F0000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0750e4580a3e9076e82bdc6ad33ba927
SHA1 b1e526b3833feda0e3b0738c6865fdac6360bf07
SHA256 74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
SHA512 303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9

memory/2172-20-0x0000000000F90000-0x0000000000FC1000-memory.dmp

memory/2172-21-0x0000000000F90000-0x0000000000FC1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 17:14

Reported

2024-03-17 17:16

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\biudfw.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe

"C:\Users\Admin\AppData\Local\Temp\d16d445722fcebd5b2c37bfe3ff79036.exe"

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Files

memory/2064-0-0x00000000002E0000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

MD5 ca9e53442e22e11b6959830a52e3818d
SHA1 6ef53e0eda45eb13735f5b350e876f743f6db36b
SHA256 f58dbc21e606cadcc6a3f3565547cd8b5a24bbd42459e0d20d115b6012a5dd58
SHA512 29ff405ddc9e2c52b212937b52c19ce0b6b4a94648a462dbf8fe947bd2078001799e73142c5e5c92a0ff18fc152eedb707fb40192223e09abcd0704d3bc5677a

memory/2404-12-0x0000000000490000-0x00000000004C1000-memory.dmp

memory/2064-17-0x00000000002E0000-0x0000000000311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 84f7ac848c93111d2cf12ba7c7c87c36
SHA1 8bfb3409486b626307c09badd688c726ca3c5b76
SHA256 3fa668132b33f643e67a76f05ab51582276d55ee5d108a1762798587aa6193c0
SHA512 7a11b6cf78abd2b10f54e17af4fa6a1746792d1ca44277a98108ae7e1dfa32923fba818dc18504e7b644f90b849c9f970a8fdd960a10bd5f32f8fa641688ce78

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0750e4580a3e9076e82bdc6ad33ba927
SHA1 b1e526b3833feda0e3b0738c6865fdac6360bf07
SHA256 74428e568204ea0d1c31570864cb96b1c2b672880f7575220957bf5fc2b24d89
SHA512 303b2cb8e644b336d7bf0892eadc84b414afdc41216719721aa0cf27fc18ecea1a2e943f07813c41d55c4166e489f89ec61a4fcead679ed3de8b323ecb42a8d9

memory/2404-20-0x0000000000490000-0x00000000004C1000-memory.dmp

memory/2404-21-0x0000000000490000-0x00000000004C1000-memory.dmp