Overview

overview

10

Static

static

3

528e1b3584...3N.exe

windows7-x64

10

528e1b3584...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe

  • Size

    338KB

  • MD5

    10e2fa8201897abe94ee8145b99d11a0

  • SHA1

    e2621ba40292cd86e116ebc7901b2de8c60de459

  • SHA256

    528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313

  • SHA512

    f88c73f5a06bbb54424aa508f3891abe1ab015524aa858364cbf84d358bb630518db999db9b715ca2bfc700ce3568767f23eea3509044e4f234e5b251ac9ecea

  • SSDEEP

    6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKoJ8:vHW138/iXWlK885rKlGSekcj66ciT

Score
10/10
urelasdiscoverytrojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

  • Urelas

    Urelas is a trojan targeting card games.

    trojanurelas
  • Urelas family
    urelas
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe
    "C:\Users\Admin\AppData\Local\Temp\528e1b35841ecf52deb513f19caf0f60f471eb631e3effc4ca1ff660cf308313N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\zebuf.exe
      "C:\Users\Admin\AppData\Local\Temp\zebuf.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Users\Admin\AppData\Local\Temp\ujmoy.exe
        "C:\Users\Admin\AppData\Local\Temp\ujmoy.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
    Filesize

    342B

    MD5

    7b071ac6037265e10c825e8e9bc3e7fd

    SHA1

    2a32815c173e776bf6924d4528af35e946a1f255

    SHA256

    5221050afb0f70db89a4d643ace6b3cf55767cd99757c1df997143cc9bd2ce03

    SHA512

    d1701eb5519014eaab6e472724fc83399121ff537ead521bff0dcdefac746d5bff690380063ba55373850a56134a46a8e5c19595a9e9cc7e91c2c58d0add1a84

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
    Filesize

    512B

    MD5

    1301cfcd81b5605d3234de1c50d007f2

    SHA1

    05ab0fa84ccb97cffd985fe7f901f9a48e429242

    SHA256

    b2c56f659f7e5d1f60b1c6e4fbc7d92ec2c54a12706b24ec4062753a65d08e20

    SHA512

    22af6d4e0068ac51ecd93d31194af1d24743fae39d93e2b4ebc3a28826fb0860066c40c2609bca46c18850801dcf5baf6d9a6750cd22e05a583410b8e5b8bbb6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ujmoy.exe
    Filesize

    172KB

    MD5

    69e131938d8e1230ed3463f67ad1e789

    SHA1

    a23c1b631ea24fa3146f9003d6fdf745039909ba

    SHA256

    0b8e51773c77df2fbef8d7378e134b716bf0d171983f6f0ba6401c6b3acd989a

    SHA512

    078aba14c8b4bc9362fce781bac43b8b7f7f4bc1217be023ccafe83314ef63345ebb00b5f5bab7dd8083a2e7919903963c2a8c39230d476263614353637a14d5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zebuf.exe
    Filesize

    338KB

    MD5

    ada543e069e32e57dabe9e60319290b7

    SHA1

    f1fe9606e1b4f70c15259f301162fd2c9f57e336

    SHA256

    97a021021d1ae47b5fccc0ed4ccc61f183510ed134ec7e5b7a299b82b409b32c

    SHA512

    eef0dbe53a16ac786511fda50cc596f858ee5a973332e4dec4b9f079c8cb50032ba10dfa93f28bd1930e0de3daaebe0b136fc38fa20a1ad51e3f861798ebabaf

    Download Submit

  • memory/1892-12-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1892-11-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1892-23-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

    Download

  • memory/1892-37-0x0000000002E20000-0x0000000002EB9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/1892-41-0x00000000001F0000-0x0000000000271000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2100-0-0x0000000000300000-0x0000000000381000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2100-20-0x0000000000300000-0x0000000000381000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2100-8-0x00000000026C0000-0x0000000002741000-memory.dmp

    Filesize

    516KB

    Download

  • memory/2100-1-0x0000000000020000-0x0000000000021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2964-40-0x0000000000CF0000-0x0000000000D89000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2964-42-0x0000000000CF0000-0x0000000000D89000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2964-46-0x0000000000CF0000-0x0000000000D89000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2964-47-0x0000000000CF0000-0x0000000000D89000-memory.dmp

    Filesize

    612KB

    Download