urelas | 41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe
Size

97KB
MD5

5b57ac4842220141fcf111864cb0ae70
SHA1

1d33474614f857342667eb4e85344adba6ee4e59
SHA256

41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac
SHA512

d01049a835ccbb2524062b493bf12972e112fa59367a0de9d3a0a139ac0f5207e591b04783de927558b0169fde16ed071663c9c59b62d0c80151e3106ae45503
SSDEEP

768:7sT6mIV9UQ/r5LU31iBool1viTneodsAqqQBsyxcStEngPFoDVmMiWFPUSGqyD0S:QT4VVJUkk4z5s8pagFoDqsWqSn4aiu

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2848 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

shoste.exe

pid process

2236 shoste.exe
Loads dropped DLL 1 IoCs

Processes:

41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe

pid process

1356 41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2848	cmd.exe

pid	process
2236	shoste.exe

pid	process
1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe

description	pid	process	target process
PID 1356 wrote to memory of 2236	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	shoste.exe
PID 1356 wrote to memory of 2236	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	shoste.exe
PID 1356 wrote to memory of 2236	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	shoste.exe
PID 1356 wrote to memory of 2236	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	shoste.exe
PID 1356 wrote to memory of 2848	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	cmd.exe
PID 1356 wrote to memory of 2848	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	cmd.exe
PID 1356 wrote to memory of 2848	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	cmd.exe
PID 1356 wrote to memory of 2848	1356	41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe
"C:\Users\Admin\AppData\Local\Temp\41e5a5dab793c74e131b2ec313be492f84031bfc90a9a20ff3addb1b768b48ac.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
84755d526a89b1cec68d6091abfbcb6d

SHA1
c75a1553266458d5d4d6fb18291ea44563fa130f

SHA256
4485e73b8e2dd2346284b33156fcb30f8d6ab41c194933246803f1ab1b62665b

SHA512
78666508a3b72e65f9b1ec5736c88e3557023a7469be40e0a4b9e489e3b37fa6f50e87cc70779b66de19338b867e8037d572e965c4cf569dc9ef417d010f0f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
9b7db4593efc85bf2dd4c49004a3ec57

SHA1
846e187ef05beb900061d153f12391aa62dfb3b2

SHA256
cc581ce97037f4e4656e2776a8a7c0eda79fc798828d5e910ce643a7ed8ecb30

SHA512
75faab8f0d90efcac40d1a2e9d9aa18ca59cef37dcc8e8bc2a4395fc1986cdbfdfc2421f95722c9e50b80237d22d2c69c8aa3e790c0d811772dcfd2dfd3f3cd8

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
97KB

MD5
d32af794477f069c9b62c78effafbd94

SHA1
d095784c65816cd2a358eaa84e2f5a4abe4c9048

SHA256
3936f9ca4379634f619f9d97bd9fccc3a1079502bcfefaf2144eda9f4d906a87

SHA512
11a3cfe4c51f781696fa483952eae7035c74a414f85908381eaa35064e53aa490d6172169886bf45283e9753cf68086da27798a0061a2ac76d7e28a0981ddf78

Download Submit
memory/1356-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1356-9-0x0000000002590000-0x00000000025D6000-memory.dmp

Filesize
280KB

Download
memory/1356-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2236-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2236-22-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2236-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download