Overview

overview

10

Static

static

10

b3b641b811...c1.exe

windows7-x64

10

b3b641b811...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-11-2024 08:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe

  • Size

    592KB

  • MD5

    e0f1f0356574f89c4f18cb6e0bc85d47

  • SHA1

    23fbdb249badb0c65cbec60a6e776d19d332d2fb

  • SHA256

    b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1

  • SHA512

    085d2cfbc2791bc97ac701e915f1d42b7bc7ceba58723b74a67825a426a05e718fbecc0ac8861c7f155d0377d02aa7a5bf2489ce4303ade0980d30e3772b9559

  • SSDEEP

    6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRo:C4jm0Sat7Az/gZvTIq2WKkw0F6

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe
    "C:\Users\Admin\AppData\Local\Temp\b3b641b81125521ba0a1ac4581e950a7a4abe6ed4be07d79ffa1715043eb85c1.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\Users\Admin\AppData\Local\Temp\kevez.exe
      "C:\Users\Admin\AppData\Local\Temp\kevez.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\qyxuz.exe
        "C:\Users\Admin\AppData\Local\Temp\qyxuz.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2544
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    340B

    MD5

    d7e63a39a234e8a281437e79d22dc1b7

    SHA1

    f054205d879db10d0cce25ac13125dfd0c1e7456

    SHA256

    3c6bca6741e99b40635ff1921300e44e5f26788c1248bf883903223135db29ad

    SHA512

    a1beefd9bd66aaa6ea66f0b88d96289827b47d8d060196daef6254d2419cd336ce842bead32e2d4cbddebb8cc6007f8200283027b36fc73c8c09eccdc498fda1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    fa7de742fe8edbb783e47e7e8f6433d2

    SHA1

    d369987ebe8bdf5a2e6979ece73a374d51928c97

    SHA256

    cb33aa71d852568399a70104938a4b8ee0df0f1c67c2e49aba2a0a330258449e

    SHA512

    65ca16fafc7c64d343814cc81da78e3ca58d932db1ff433a78b15a998789b11a5a7cdca38fad6f83ed26fda9a1f49d83f6225c50babcbbd76de6aa8738571504

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kevez.exe
    Filesize

    593KB

    MD5

    5ee0f211c4671a36bce73d689d153a67

    SHA1

    c16a4320af22859c2d3f5d5dd2331880da2de074

    SHA256

    ca7da1629737ad67b623d6363341c38b1cf52202bfaa955aaf11315c200fd9fe

    SHA512

    eae7ceb1b6b17823ea0ba1912b54ebaaf3fd8d83e4bed881b822282c359422f044231f450627ed169c4a0b14846e646556cdcae2b3e9506846749a9a1be1dbe6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\kevez.exe
    Filesize

    593KB

    MD5

    ea068beeed7224841c88f589c56fe5d5

    SHA1

    ef4c4e84c781368970b8d3b833a793f40e5c2c1e

    SHA256

    ca255190b8b74735bf67226a654eb51d2979136dfe490ca104caf6c19acd7453

    SHA512

    1d82741c16f9c805870d736b75ede98776507296c7748cedd924155dc58326ab05b6afe2bf70c07dada85abf16149089bb31f376859098d2825f4a2dd1ccd743

    Download Submit

  • \Users\Admin\AppData\Local\Temp\qyxuz.exe
    Filesize

    323KB

    MD5

    d0cfa12b70855dba6795f26d6fb80689

    SHA1

    2a5fdbb485e4660844d99619dba99dd7f707f3e7

    SHA256

    2fe962d28347e921347c91396b00dab89f78e1f082fe301e01c3c3bea26e8718

    SHA512

    f39c63fdb95b9e2f63e019f2796834bd42263cae2d2ec6052a817a9b0d0eaaee45c7a0f900ea30c8d71dc361af051ad6d5a9b7220939a8fde30e780fa0f16410

    Download Submit

  • memory/2544-31-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2544-30-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2544-33-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2544-34-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2836-24-0x0000000002E70000-0x0000000002F07000-memory.dmp

    Filesize

    604KB

    Download

  • memory/2900-0-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download