urelas | 6cb90d341021fec8f16549f52e08c311b4496ea0556ffad29e72ea8f6b131b96

Analysis

max time kernel
117s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22051fe620612a3673c038469d3d0cd9.exe
Size

216KB
MD5

22051fe620612a3673c038469d3d0cd9
SHA1

84b4e1666534d3105da0df7e02e2b6b37e822ee4
SHA256

6cb90d341021fec8f16549f52e08c311b4496ea0556ffad29e72ea8f6b131b96
SHA512

c00e2c68fcfc227001b08fc49311cba39fd301fc0e34821637c2e283e9a70594c19d1032a26449571e570033d438abf4c6f120945ab875b38fd8f3c7815e5604
SSDEEP

1536:1q1utPdWHdPEzoT2/VhWbnoZSKLfiGGPgq3ePAH8PNqWxCxrR/x9sU4BH7TTg:1fPdWqV0CvL6GGCPNqWUxrR/x9sTBHU

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	22051fe620612a3673c038469d3d0cd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2916	2200	22051fe620612a3673c038469d3d0cd9.exe	28
PID 2200 wrote to memory of 2876	2200	22051fe620612a3673c038469d3d0cd9.exe	29
PID 2200 wrote to memory of 2876	2200	22051fe620612a3673c038469d3d0cd9.exe	29
PID 2200 wrote to memory of 2876	2200	22051fe620612a3673c038469d3d0cd9.exe	29
PID 2200 wrote to memory of 2876	2200	22051fe620612a3673c038469d3d0cd9.exe	29

C:\Users\Admin\AppData\Local\Temp\22051fe620612a3673c038469d3d0cd9.exe
"C:\Users\Admin\AppData\Local\Temp\22051fe620612a3673c038469d3d0cd9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
274B

MD5
12987fb074927d855d4b2060ec815796

SHA1
52cafbe309322ed20beb50060851abe3d5ae8b7b

SHA256
6443d380f8661728a9874dcd26ff8271bde238e07a038dbeeb5ad8b6466f4d88

SHA512
c838d9ff2fe6ebb7f8e94bb8a570b5210739eabc1308bf0f1dbe614a5b743a1222219de861e0a25531f15cd416e9798c64bc329c79f0cd900e52ecfecc95f024

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
216KB

MD5
bd38fbab4b6a3a45e8a82340b43739fc

SHA1
d1950d3aa17ca3d738254e917f3232fbffc1549e

SHA256
bffcbcaaaaf21c4371f6c06ab8b1a82e4abaa418ede16a5798caec9e585fd7e5

SHA512
092d7f523c3ffd349af4742706e2d199ab2c26b797a892b16690697a35514837530e16871798eae4ac3a606e0a4f2504f18043281f4bfe535132450b20ce0ad4

Download Submit
memory/2200-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2916-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2916-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download