urelas | 293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
21-06-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe
Size

58KB
MD5

69f61954dc6135d6aba3417742f0b73c
SHA1

127bcff9611f2449e8fd84cd93e8672b1862bd0c
SHA256

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913
SHA512

ba47712fafd18e8755ec2af667e86a4b5d466210cbe0b959da9f88a7d3d61804f2e3a07c2de16ac7398c82cd7a04b1cc9bbddb93928fed999540235162cb32b2
SSDEEP

1536:l7X2lykmUO2drIYfdQ3W8PTZEd4Ejf/kE/Q6mhnDxMmKy6:VXmykmU9If3h1O4Eb/eOX

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

112.175.88.208

112.175.88.207

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2532 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2536 huter.exe
Loads dropped DLL 1 IoCs

Processes:

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

pid process

2860 293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2532	cmd.exe

pid	process
2536	huter.exe

pid	process
2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe

description	pid	process	target process
PID 2860 wrote to memory of 2536	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 2860 wrote to memory of 2536	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 2860 wrote to memory of 2536	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 2860 wrote to memory of 2536	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	huter.exe
PID 2860 wrote to memory of 2532	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe
PID 2860 wrote to memory of 2532	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe
PID 2860 wrote to memory of 2532	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe
PID 2860 wrote to memory of 2532	2860	293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe
"C:\Users\Admin\AppData\Local\Temp\293eeedb32e6129fb148455d5027117539456d767e898baba9b2549abee17913.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
14ab4579b6f3a97ff1099d4591f166c1

SHA1
9379aa65d3bfd4f819f06417b90dbc9ec7bc1354

SHA256
1bf9ad4eb9a6ec73fdd5bd94de5ffca1d94a48707f5a2818d5fcd68033cf1101

SHA512
a6342bf2172f65e4541230f91249c77e5ef2e558acaa91caec520fc4b2ca2f57a4f687c62227a7d20b0264b41bd88f6ad3d38d23bcf571165693b861232c4ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize
338B

MD5
44d252b1ec954ab24c1b4faa5cf7c92b

SHA1
e0017dc235a1257bfa7299811188c37c7594d064

SHA256
34d2403b03da79cc2431d7cddd11aa04e8036cfc4c696c59d6d7c642f94e16b6

SHA512
a86408cd8eca2fdf43d442537154d6c5bc557a045e471f700b8ac4797ec31beabbb2c54e380f393bf94dad6472ecc9acb63dc60ee3d3883decbe596fc43728ee

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe
Filesize
58KB

MD5
6f53c021e260976dbe8043251b18accd

SHA1
b5c9290b77aba9f751b5fa3caa3fbb63792cb1e8

SHA256
2b2164a8b38936afa5275c1825b79db7cd7fe2b3ecf596773c2252177aefa10d

SHA512
af8c62d8c94c3a7b08817d3920eb06d43800de67b8ed912f6e28e63a8d924d625915a8edf85bc9575287434f6651070d26ecf8791a3c727b59173e2e0b286ad0

Download Submit
memory/2536-16-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2536-21-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2536-23-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2536-30-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/2860-0-0x00000000008F0000-0x0000000000927000-memory.dmp

Filesize
220KB

Download
memory/2860-6-0x0000000000830000-0x0000000000867000-memory.dmp

Filesize
220KB

Download
memory/2860-18-0x00000000008F0000-0x0000000000927000-memory.dmp

Filesize
220KB

Download