urelas | 75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe
Size

149KB
MD5

2161d47a13edf72c40953d0ce04f5c5e
SHA1

aa5b325b66b6ea3b4e02e0a35225431b61b454c7
SHA256

75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18
SHA512

cc8b6d148d6ca7044a5093fe3683e345a6d190e992abc75b794ce79677efd816978c5e8a051bdfb1a3c0f3cd8308353ce41dae673b94a3dad0c67f160d9df570
SSDEEP

1536:m8BpTjAdbGbp9WbtGnQb2fVO2zcpsbLo9ruUWpal3nHPPfTIX65zCtkBSsGu/QyK:m8sSpvo0LKrXEX65etu7v0

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

1856 huter.exe
Loads dropped DLL 1 IoCs

Processes:

75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe

pid process

2416 75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1704	cmd.exe

pid	process
1856	huter.exe

pid	process
2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe

description	pid	process	target process
PID 2416 wrote to memory of 1856	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	huter.exe
PID 2416 wrote to memory of 1856	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	huter.exe
PID 2416 wrote to memory of 1856	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	huter.exe
PID 2416 wrote to memory of 1856	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	huter.exe
PID 2416 wrote to memory of 1704	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	cmd.exe
PID 2416 wrote to memory of 1704	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	cmd.exe
PID 2416 wrote to memory of 1704	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	cmd.exe
PID 2416 wrote to memory of 1704	2416	75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe
"C:\Users\Admin\AppData\Local\Temp\75bb7e05ffc7fe06b9ca1948ea4ed32607cb56b29ccaaf65fd288deb159d3f18.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f9565536e11b7fe8d014b281c88ed06f

SHA1
066d4ceb3e1ca8e2500f7378c04a62fdac3eedcb

SHA256
827b6e2869972d3123239400011ece7bb74aa3d569468db74eaaf41339d375c3

SHA512
410e7c0cc2fc62470dee0398a5865ba4e408ae89b3d6b3479a60674bc2ebbddc155d6f5484779b114f281a34635a9ab65e0b6d41cb86c0bf78de444bb6b2bca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
476eeebed0ba822077ce6f76e592c793

SHA1
3812b43b50a78df88c36eaf8396598fb786fb651

SHA256
d481694b2cf6093cb875d5005bc77f243d4a1e49da82baf5a309157e6357ba64

SHA512
42459b8e7517816747868a3017b095f871df1d555e856e7d3566e023354a8a3d82e08f50c2d310bd77fca035fb0cf42274264c57de9b547754209934f4b5d870

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
149KB

MD5
5234256fe34d0c9244fc2f5d327ee2b9

SHA1
7d26c54134cf87dac29626515d7749acedb347d6

SHA256
1353fd8a917fb1c7df0af903111d794a7a680cdf05bfc373265768eebaa4c1e8

SHA512
1e4d298661191cf5fcd6963849c267161306f7d6f81a81b4503bb073c50d77c495ed5edc50f2836ff9aaf7c19739d20eea16eb81d662fbd9f0367936dd2440be

Download Submit
memory/1856-17-0x0000000001270000-0x000000000129C000-memory.dmp

Filesize
176KB

Download
memory/1856-21-0x0000000001270000-0x000000000129C000-memory.dmp

Filesize
176KB

Download
memory/2416-0-0x0000000000C30000-0x0000000000C5C000-memory.dmp

Filesize
176KB

Download
memory/2416-8-0x0000000000920000-0x000000000094C000-memory.dmp

Filesize
176KB

Download
memory/2416-18-0x0000000000C30000-0x0000000000C5C000-memory.dmp

Filesize
176KB

Download