urelas | 78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-06-2024 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe
Size

94KB
MD5

3121f8930cb0e5744b1840e92e33737d
SHA1

385361bc3174d7492a218c2b2ad939661633b931
SHA256

78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93
SHA512

720d14fc8a420bb3a8738eeab80d59a538471c5c6fb2d707e81499593237ba519329cded2e2b284024e7b337c4dad19ed6c139620349d205ce5a5004dd0d5bf6
SSDEEP

1536:h7OvGm5eIEV6BJNEOk10Q6iYHmlmUO/+oRhjv3eLFJA1a:h7JmwILKr10y2p92JLF4a

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.209

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2944 huter.exe
Loads dropped DLL 1 IoCs

Processes:

78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe

pid process

1984 78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2620	cmd.exe

pid	process
2944	huter.exe

pid	process
1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe

description	pid	process	target process
PID 1984 wrote to memory of 2944	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	huter.exe
PID 1984 wrote to memory of 2944	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	huter.exe
PID 1984 wrote to memory of 2944	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	huter.exe
PID 1984 wrote to memory of 2944	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	huter.exe
PID 1984 wrote to memory of 2620	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	cmd.exe
PID 1984 wrote to memory of 2620	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	cmd.exe
PID 1984 wrote to memory of 2620	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	cmd.exe
PID 1984 wrote to memory of 2620	1984	78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe
"C:\Users\Admin\AppData\Local\Temp\78aeef8587aa0b02578525edd61a294079f674f0eb75c766f0741fed0f06ba93.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b11ee6960b3807d119948e9eb5b82cb1

SHA1
2901ef0072deccd2d364dfc8bf791d1f0656ca42

SHA256
bdce2a8184d13f0eecbcc5201685ca0b733f393aad9b271c028976eb826a9f34

SHA512
a2e55fcc2ea42b3e415751c437ae3dcb1d7a1cb703c56fd07d93a9a1222cd275ed4b2a34f85d92a412c085a1b042c6f9cccfc1c61d60a34a3f6ada1e498b9e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
4cec24464a4728dbda620023af7531ec

SHA1
40ad3a4489d0b79115965be58b44b1a50e62fbdd

SHA256
30063e3b570da8dde37a6319bdffc4643e9358e67d855cf15f4dbf404fb8db7f

SHA512
5ec87571e6360d0dae38f47a5fb69ef8b09b86eb7d6702c97f0253ad04bc5c2646c4a28826c807b890e38e98ccae76172b505c12cdb1399bf10c0c2345e84829

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
94KB

MD5
132c8f5acf898a0d89b62b9483ab563f

SHA1
66eb9e1a17e140c3feaca636a0a581d04ad4a5c8

SHA256
2b2f5af6e2b6476de5f78dd100d9bbf2ee8c0aa50f8b489c05e0a6194a60c92e

SHA512
ff3b0d3ec2874dc48969346e3cee80f0323cd7fb64aee3f3ccb3108e1005c41afc15983863023c7f67d7df264928d605d1d5d1c08030739f6c6e32bc0c5d8156

Download Submit
memory/1984-0-0x0000000000110000-0x0000000000141000-memory.dmp

Filesize
196KB

Download
memory/1984-6-0x0000000000700000-0x0000000000731000-memory.dmp

Filesize
196KB

Download
memory/1984-19-0x0000000000110000-0x0000000000141000-memory.dmp

Filesize
196KB

Download
memory/2944-10-0x0000000000DF0000-0x0000000000E21000-memory.dmp

Filesize
196KB

Download
memory/2944-22-0x0000000000DF0000-0x0000000000E21000-memory.dmp

Filesize
196KB

Download
memory/2944-24-0x0000000000DF0000-0x0000000000E21000-memory.dmp

Filesize
196KB

Download
memory/2944-31-0x0000000000DF0000-0x0000000000E21000-memory.dmp

Filesize
196KB

Download