urelas | a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/05/2024, 02:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe
Size

137KB
MD5

33a5813e0d52f3fad7fff1f61f21716a
SHA1

9a20a1149499dc7e991ddd26ba5f381ecd9c5eca
SHA256

a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c
SHA512

b65c4b9f1b760ab3c281aa8e791b1977a8807b87ea0c1a44ecc151a8f78aa1d8094c0a26cb18f8a09c53c3764a6aba4664b135eaece14b23da56a20664ff314e
SSDEEP

1536:X2nrJLwAXDtIBcUyk+8CooNvy3GNbcq7+sWjcd2x64Tb/pe6A8:GtpCP+/oGvWSld2x64Tb/p7R

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2076	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	28
PID 2368 wrote to memory of 2076	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	28
PID 2368 wrote to memory of 2076	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	28
PID 2368 wrote to memory of 2076	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	28
PID 2368 wrote to memory of 2564	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	29
PID 2368 wrote to memory of 2564	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	29
PID 2368 wrote to memory of 2564	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	29
PID 2368 wrote to memory of 2564	2368	a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe	29

C:\Users\Admin\AppData\Local\Temp\a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe
"C:\Users\Admin\AppData\Local\Temp\a2d4f65d72692904575323c52235d7411b58a1790bf351701e624f41face8e8c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
137KB

MD5
6c0b907fca9932d047d2d62397fc77c8

SHA1
a800463237fd15e852280dc176deae20062ab04c

SHA256
ba343aa577d2f0a5a572e9d460a3522777274d4556f1aa6c739e1103bf6bfd2b

SHA512
f648ddb18664a280772ed61f084866684a525b543408b3d530a6fb11b5dcf14a3e42c0f4f8f92aedf7543309106e83a07f6cd30369a72bc786882f30c2d90c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
123487d739994edb1c87f900b7e6f8f2

SHA1
7f74a890d5dab64b8c6cda502e9d63ae715602df

SHA256
dabc2578a2a9d46c36a9d4839c5f32b659b078e0dca603beff62a2856aff96fe

SHA512
5992efcde435c7598c077e5781cece0648948f15415abaca75c3e162a57ee71bdf578cbf110f2c52341389c0eb0cf655612599d4d88efb8bbae7644c5c79bde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
e0fcf5f78ea1cc996c58dcc1e7e4ebe7

SHA1
8849d198d3cfbc5fe3a967c99d71f86503601a82

SHA256
8e3383cd0fb7791d3ba12eb423cec764ac2f5d3df61cd63f2e387cf984d0c0c7

SHA512
f48b3521358b2590dcc1c31254c914994174cd2e9738768e10a03eee47ead0745fe8c2a647bbf599697038ebd32c8678b3a09c127bb7e03cc563a8b5636bbfc8

Download Submit
memory/2076-10-0x0000000001280000-0x00000000012A6000-memory.dmp

Filesize
152KB

Download
memory/2076-21-0x0000000001280000-0x00000000012A6000-memory.dmp

Filesize
152KB

Download
memory/2368-0-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

Filesize
152KB

Download
memory/2368-18-0x0000000000CD0000-0x0000000000CF6000-memory.dmp

Filesize
152KB

Download
memory/2368-9-0x00000000002F0000-0x0000000000316000-memory.dmp

Filesize
152KB

Download