urelas | 70e6e6f84b71fec7635872cbd68134670a6ecae3a0b2a281aeeb7e152491df66

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1954b0fb6a8388cc2fe8d8eadab303d0N.exe
Size

79KB
MD5

1954b0fb6a8388cc2fe8d8eadab303d0
SHA1

bac3d773a7a2284fa43bb7910eb8655d78534131
SHA256

70e6e6f84b71fec7635872cbd68134670a6ecae3a0b2a281aeeb7e152491df66
SHA512

102b7dfb080df68bc7c52f3bab1ec5c3210008c4bf3945c347de672d76c1e11d9a8a931876f05443e16bcf8c877c50d260fb2e8da8cd793b3d35c44add94e286
SSDEEP

1536:9HxkDvWdB7O9dKymMyCMGni2Lz1LaRQLDE+:9RkjWjK9ABpGzlaRQLR

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2680 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2792 huter.exe
Loads dropped DLL 1 IoCs

Processes:

1954b0fb6a8388cc2fe8d8eadab303d0N.exe

pid process

1936 1954b0fb6a8388cc2fe8d8eadab303d0N.exe

pid	process
2680	cmd.exe

pid	process
2792	huter.exe

pid	process
1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000080000-0x00000000000B1000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/2792-15-0x0000000000B00000-0x0000000000B31000-memory.dmp	upx
behavioral1/memory/1936-18-0x0000000000080000-0x00000000000B1000-memory.dmp	upx
behavioral1/memory/2792-21-0x0000000000B00000-0x0000000000B31000-memory.dmp	upx
behavioral1/memory/2792-23-0x0000000000B00000-0x0000000000B31000-memory.dmp	upx
behavioral1/memory/2792-26-0x0000000000B00000-0x0000000000B31000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1954b0fb6a8388cc2fe8d8eadab303d0N.exe

description	pid	process	target process
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2792	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	huter.exe
PID 1936 wrote to memory of 2680	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	cmd.exe
PID 1936 wrote to memory of 2680	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	cmd.exe
PID 1936 wrote to memory of 2680	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	cmd.exe
PID 1936 wrote to memory of 2680	1936	1954b0fb6a8388cc2fe8d8eadab303d0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1954b0fb6a8388cc2fe8d8eadab303d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1954b0fb6a8388cc2fe8d8eadab303d0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55d2fdd1432483e3ba86ebeccfe130b6

SHA1
7280b14d708800fd15303b2caa8628a0fbd7aa08

SHA256
5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb

SHA512
36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
a8b85ef3a79832fd8a3eb263811b45f9

SHA1
a65228f5ea1cb7b82195e7dabf2bb52e7a90f82d

SHA256
5253bbb6e612d545b0cb646ac41cb676410ee355fafb089adafbf35159a006b2

SHA512
9e9fead22f318f20032e43aae8c7cb37a54cd3e4cad47a8097262cd7bc9dec21c3fe0246b12848c260ab95c501dec96f7481a0f1a57438b91143f4b14f2499f5

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
79KB

MD5
5d768c1b837886ebdea5d8113af1493b

SHA1
88b080c89dc1f9ba3b68a32318e51cbfb74c121f

SHA256
0152b04b7d21b6f31d67844ea6f12e06fd444ca9bcea3fb074a194b1a5967fcd

SHA512
fd6ec98e19702b689f1c155fdf34cba7a1714d570fac03d875581a6bc7d83626059ed261ac236af4382b6a419e9e183c92a8f3351fe786812a810c25d7763cb1

Download Submit
memory/1936-0-0x0000000000080000-0x00000000000B1000-memory.dmp

Filesize
196KB

Download
memory/1936-18-0x0000000000080000-0x00000000000B1000-memory.dmp

Filesize
196KB

Download
memory/2792-15-0x0000000000B00000-0x0000000000B31000-memory.dmp

Filesize
196KB

Download
memory/2792-21-0x0000000000B00000-0x0000000000B31000-memory.dmp

Filesize
196KB

Download
memory/2792-23-0x0000000000B00000-0x0000000000B31000-memory.dmp

Filesize
196KB

Download
memory/2792-26-0x0000000000B00000-0x0000000000B31000-memory.dmp

Filesize
196KB

Download