urelas | 064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 17:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe
Size

96KB
MD5

055a10c26ed741ddd588841a7764b644
SHA1

975552ccfc6fa602ab7c6125806a9a784167fe36
SHA256

064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6
SHA512

45423e44995d7a2e9610d2ed0ad56193e939cb81360678755e9186c3b8e4c999b34978918c4afdb8bd06d86d3c8c6fbcbcce5b5b483febaf6ccfce31bf47be45
SSDEEP

1536:mOyB1D+5nK6FVGFHN5yzB4ZefwlQsOmr2U+hd:mPv+5nbF8NwVouwMnX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2996	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2996	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	28
PID 2392 wrote to memory of 2996	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	28
PID 2392 wrote to memory of 2996	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	28
PID 2392 wrote to memory of 2996	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	28
PID 2392 wrote to memory of 2092	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	29
PID 2392 wrote to memory of 2092	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	29
PID 2392 wrote to memory of 2092	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	29
PID 2392 wrote to memory of 2092	2392	064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe	29

C:\Users\Admin\AppData\Local\Temp\064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe
"C:\Users\Admin\AppData\Local\Temp\064550e5e497d204364bca7e5f6e385b213cd14c8609f2eb3d25bb0ae58764d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8ef729b9fd84e7cfa197cf9032304b05

SHA1
9d1adeae2d5fe4c825058839466ff6a498960dae

SHA256
060924129c632fd43d3bdff8f6684f85e42d2c5369a3aadc9c24a6300bbb166a

SHA512
2d7ddd088e658cb0f21f284ad30390ac053aeff20dcf541aa891f50c0fe6276af54349bbdf31fcfe4d34125814011335040469fe21513f11750e2c4b9f855e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
aea192f4f3cfb470c28fc8c69a255bad

SHA1
051f3b1532f1d8a5d383200441944d672fa770b4

SHA256
41e7295856766595efd1baa9c9ba7c93d0b59231271c0d513754222ec73900dd

SHA512
d3929db768b9676aef96ed192e4b5d162dbda8f8b00472d067eb2e35a717722f0c968cdb2d4c65ecb129e55c91372202849d71e3328a2ab24b461fab18bf2f31

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
96KB

MD5
084291c2aee063defd27820e7b174d00

SHA1
8e8f1c43ac0dae91b0c8cd58d85cf643b9a1a158

SHA256
95ccd1454fa0767acaab8f5800f8972dc50788f7696e82d309af928c609dd540

SHA512
db0ed43790ffdc976f2e1c7cf033c111045557fee9ecfe1f1e2b8cee46b82c8e1a4c9cefa7e50c26c565bbafccb11b19118c9732e90445c5c66cd11e3d597e12

Download Submit
memory/2392-0-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/2392-6-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/2392-18-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/2996-16-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/2996-21-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/2996-23-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/2996-29-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download