urelas | 89dc0cc9be07384b6ae8bbec07875410f8972bd508d3aa19e61741ed1028090f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c2542101709ce63a0fd8dc15e7f750N.exe
Size

52KB
MD5

18c2542101709ce63a0fd8dc15e7f750
SHA1

f2fbbfa8c02377192c7bcbfcd257c0f14fe79d4c
SHA256

89dc0cc9be07384b6ae8bbec07875410f8972bd508d3aa19e61741ed1028090f
SHA512

36f3a4e9690b817c9ea6e64bd14ce22050c4316735c63d6024d57ead7ede61d6ca38164e3b4f5a8feee200c3613bc44525347cac430472a910cd457167d533ca
SSDEEP

1536:TlnBzGPEdPJpUI4QP4BDK3XmbPfKJ97ifx:JnBGPUMQwBDamb3a7iZ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.47.76

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2120 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

biudfw.exe

pid process

632 biudfw.exe
Loads dropped DLL 1 IoCs

Processes:

18c2542101709ce63a0fd8dc15e7f750N.exe

pid process

1944 18c2542101709ce63a0fd8dc15e7f750N.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2120	cmd.exe

pid	process
632	biudfw.exe

pid	process
1944	18c2542101709ce63a0fd8dc15e7f750N.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

18c2542101709ce63a0fd8dc15e7f750N.exe

description	pid	process	target process
PID 1944 wrote to memory of 632	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	biudfw.exe
PID 1944 wrote to memory of 632	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	biudfw.exe
PID 1944 wrote to memory of 632	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	biudfw.exe
PID 1944 wrote to memory of 632	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	biudfw.exe
PID 1944 wrote to memory of 2120	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	cmd.exe
PID 1944 wrote to memory of 2120	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	cmd.exe
PID 1944 wrote to memory of 2120	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	cmd.exe
PID 1944 wrote to memory of 2120	1944	18c2542101709ce63a0fd8dc15e7f750N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\18c2542101709ce63a0fd8dc15e7f750N.exe
"C:\Users\Admin\AppData\Local\Temp\18c2542101709ce63a0fd8dc15e7f750N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\biudfw.exe
"C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
2⤵
- Executes dropped EXE
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b4a86880004da8726288d7ec954885a8

SHA1
1bab1cfbdc2c540246210bc7852f8fe7e8357b31

SHA256
c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46

SHA512
22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
268fbfcadf3c20fe58c1bbc7e790ce3e

SHA1
7d533addd3e51cbdcd31273ddd31060edc96633b

SHA256
1f4e8723700bd769416527755e6a9b00d8a0e71fda0276756efdc4cdfa992c2f

SHA512
cc951cecf086b4de002b02b70f5783d3b30751ea903b841abcb4cc77d23d1340d06cbdcb8e753013b8a131d4a19ec688169930480ba3b06475a2d961282796ef

Download Submit
\Users\Admin\AppData\Local\Temp\biudfw.exe

Filesize
52KB

MD5
66511b2432b83616556aadf84c5fe0f4

SHA1
518636bbefc054fef1d26e57d5e0573b77f1a1ec

SHA256
3e7a372e3958d0e877df9a204a9f051183b02288afbb7362c05a19b29bcb3e60

SHA512
a8836866d4025bf27a3f0427c176a83890918eccd346c908f745840da928fb5de6335c01eb672c50b10c9d811fb68d5d7033e002cb7730ef67562bf60f99495b

Download Submit
memory/632-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/632-21-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/632-23-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/632-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1944-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1944-18-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1944-16-0x0000000003230000-0x0000000003258000-memory.dmp

Filesize
160KB

Download