urelas | 571a83935f655bebd154e20b639493e5b1df5802756cff2cbb0889487be7186d

Analysis

max time kernel
90s
max time network
82s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5272bc5f1c4a7b86a4cf34549854fbd0N.exe
Size

274KB
MD5

5272bc5f1c4a7b86a4cf34549854fbd0
SHA1

0f505f135bc475e68be4252dc8d7e3cb67f9b90f
SHA256

571a83935f655bebd154e20b639493e5b1df5802756cff2cbb0889487be7186d
SHA512

7793cccd00cd9c7bec08741a21a0cba22b6ef3675ffafc4d0599cad68f7263441a7a00310ec2b65eb1df8fa3bbba534b439b21bdbc33463a61e5aa3e0d7c4e26
SSDEEP

3072:pp56zRJ83+OJ7NoGvdwWy6k04yW/KME0jj0wA4:pOzRWu27dlOd5W0I4

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2180	biudfw.exe

Loads dropped DLL 1 IoCs

pid	Process
1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 2180	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	30
PID 1140 wrote to memory of 2180	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	30
PID 1140 wrote to memory of 2180	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	30
PID 1140 wrote to memory of 2180	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	30
PID 1140 wrote to memory of 2940	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	31
PID 1140 wrote to memory of 2940	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	31
PID 1140 wrote to memory of 2940	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	31
PID 1140 wrote to memory of 2940	1140	5272bc5f1c4a7b86a4cf34549854fbd0N.exe	31

C:\Users\Admin\AppData\Local\Temp\5272bc5f1c4a7b86a4cf34549854fbd0N.exe
"C:\Users\Admin\AppData\Local\Temp\5272bc5f1c4a7b86a4cf34549854fbd0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Users\Admin\AppData\Local\Temp\biudfw.exe
  "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ac5e84ed8031d66a9fcd5e472ba8091b

SHA1
06303add604104d6abbb69458f89773c066b470c

SHA256
3a3cfa6f4786dab0ac8bc76204948f32a3a2cbd094922f87c251ec80d22baae5

SHA512
7bf829102a70a1304dae435b8ae3c9ef9a925af7e995fe381d80730f4f702e1fd2a0a1b6a3a4b4667925f5bb95c897166a8fc0f52d3171d9cdba0bf09b53f152

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
38afe14e71e56513bcaa24ebb82a5702

SHA1
e314c4eccf629dbd89ad70a645213195adc24862

SHA256
e5973a3692cb61b42c285c58fdf88f542acfe9878021ee9f9b03191b7ae73248

SHA512
90648ad1db68839707ee87631925206a7297c0b604d0ba17b9da0fdbb41d2bca63bf2a2fde9322b18b42b7e8754e1baeeeb4b6914afa807efaf5b9c5a230af11

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
274KB

MD5
9f22f0877493f957c1fd57d4f2cc99ff

SHA1
8b6d80d40b1463d655e83c2169fe118c17401884

SHA256
ea157f6bdc5716c50026cd1200affc9e90cc86a0859085d316d9605e98affc50

SHA512
c0d8ba4de009b7a567f852fed01785ee7a842d460ba05775566feb7fd92cbfa5fbe3b0bd43495360ea15909bb8af1ad71e3fbdc48ff990f18c4486813ab9345c

Download Submit
memory/1140-0-0x0000000000960000-0x00000000009A6000-memory.dmp

Filesize
280KB

Download
memory/1140-6-0x0000000001E10000-0x0000000001E56000-memory.dmp

Filesize
280KB

Download
memory/1140-17-0x0000000000960000-0x00000000009A6000-memory.dmp

Filesize
280KB

Download
memory/2180-20-0x00000000012E0000-0x0000000001326000-memory.dmp

Filesize
280KB

Download