urelas | 23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/03/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe
Size

125KB
MD5

e9643d13888c52f4a10e634f78598cb3
SHA1

91c7e770b1a6f591c6c34fb5b36faa71c890e361
SHA256

23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5
SHA512

3b73426292f0a2b53d22369066ed58cf063585ed2f9bf0ebedf205d424dc69119f82fd698ff9e6b39f11fa478373b5ce24f567cf9c7ad6a53ec94c5d04152b7d
SSDEEP

1536:Ko6JdvxttIBcXISDPV2Mhg3GkFceersWjcd06UsfqW2vxq6UU/Hp1:iHC6D92O8n7eU06UsfUpqCb

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.209

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2536	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2248	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2248	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	28
PID 2208 wrote to memory of 2248	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	28
PID 2208 wrote to memory of 2248	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	28
PID 2208 wrote to memory of 2248	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	28
PID 2208 wrote to memory of 2536	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	29
PID 2208 wrote to memory of 2536	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	29
PID 2208 wrote to memory of 2536	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	29
PID 2208 wrote to memory of 2536	2208	23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe	29

C:\Users\Admin\AppData\Local\Temp\23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe
"C:\Users\Admin\AppData\Local\Temp\23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8b6fb23d659bed3f6b1cf40a104e95a

SHA1
07c9c74af6b0fe9b78bb1b3aed5bdc1e0b5de952

SHA256
f28d96334bf66f634f899c800b4d5c6195bcf407cb073761f8a4f30a4061f136

SHA512
e841cd9283c63a92395b4221492e2ae6b06d9c4108fcbbfe7d8a7928cfca405c14c0634a6388a4f18da3db611696ea797f9b825ed314d1640a17aa767593e412

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
5492d6664c1c33e56fbdd1f83b97aed9

SHA1
a4fa1e446746dfc627467009f262217f1ec80fb6

SHA256
8b8645e86a01794124b570debddb72b2072a312c3b371813a66987c725de423a

SHA512
a6e6a87b60049ee0af42f61cdffbd3752a6ce323e7603d345259ef93ea09a3a0bbf83085d94cb9f0fde455081db1e40a548ca4611341422a574ed1a6a5009c6f

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
125KB

MD5
e9643d13888c52f4a10e634f78598cb3

SHA1
91c7e770b1a6f591c6c34fb5b36faa71c890e361

SHA256
23cae92bd27356896882641779791ffa4a62f63027b0f2a36bb2c08e04816ca5

SHA512
3b73426292f0a2b53d22369066ed58cf063585ed2f9bf0ebedf205d424dc69119f82fd698ff9e6b39f11fa478373b5ce24f567cf9c7ad6a53ec94c5d04152b7d

Download Submit
memory/2208-0-0x0000000000130000-0x0000000000158000-memory.dmp

Filesize
160KB

Download
memory/2208-6-0x0000000000990000-0x00000000009B8000-memory.dmp

Filesize
160KB

Download
memory/2208-18-0x0000000000130000-0x0000000000158000-memory.dmp

Filesize
160KB

Download
memory/2248-10-0x0000000000F00000-0x0000000000F28000-memory.dmp

Filesize
160KB

Download
memory/2248-21-0x0000000000F00000-0x0000000000F28000-memory.dmp

Filesize
160KB

Download
memory/2248-22-0x0000000000F00000-0x0000000000F28000-memory.dmp

Filesize
160KB

Download