urelas | fe1234bba5afb9fc0c7f6abb4a45220fed9468da934c26e7217e3bc8c3b8029a

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 18:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

adf3aab71c184a8a1ae41811796d0c77_JC.exe
Size

460KB
MD5

adf3aab71c184a8a1ae41811796d0c77
SHA1

d97fb23ebd15b5307327c63e65e8a8fcf1e84106
SHA256

fe1234bba5afb9fc0c7f6abb4a45220fed9468da934c26e7217e3bc8c3b8029a
SHA512

170eccf9835ed72e11e98d2683fd3f448861b9f3053d8132f3e5c1e1abfdabe61675ee71869a639ab823d336a2ce511a59109dbbddb584b9592b48236936959d
SSDEEP

6144:LEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhVOpdFRdmp:LMpASIcWYx2U6hAJV/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3060	qukut.exe
2624	kohydi.exe
2476	vywyj.exe

Loads dropped DLL 4 IoCs

pid	Process
2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe
3060	qukut.exe
2624	kohydi.exe
2624	kohydi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3060	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	28
PID 2160 wrote to memory of 3060	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	28
PID 2160 wrote to memory of 3060	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	28
PID 2160 wrote to memory of 3060	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	28
PID 2160 wrote to memory of 2648	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	30
PID 2160 wrote to memory of 2648	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	30
PID 2160 wrote to memory of 2648	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	30
PID 2160 wrote to memory of 2648	2160	adf3aab71c184a8a1ae41811796d0c77_JC.exe	30
PID 3060 wrote to memory of 2624	3060	qukut.exe	31
PID 3060 wrote to memory of 2624	3060	qukut.exe	31
PID 3060 wrote to memory of 2624	3060	qukut.exe	31
PID 3060 wrote to memory of 2624	3060	qukut.exe	31
PID 2624 wrote to memory of 2476	2624	kohydi.exe	34
PID 2624 wrote to memory of 2476	2624	kohydi.exe	34
PID 2624 wrote to memory of 2476	2624	kohydi.exe	34
PID 2624 wrote to memory of 2476	2624	kohydi.exe	34
PID 2624 wrote to memory of 1496	2624	kohydi.exe	35
PID 2624 wrote to memory of 1496	2624	kohydi.exe	35
PID 2624 wrote to memory of 1496	2624	kohydi.exe	35
PID 2624 wrote to memory of 1496	2624	kohydi.exe	35

C:\Users\Admin\AppData\Local\Temp\adf3aab71c184a8a1ae41811796d0c77_JC.exe
"C:\Users\Admin\AppData\Local\Temp\adf3aab71c184a8a1ae41811796d0c77_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\qukut.exe
  "C:\Users\Admin\AppData\Local\Temp\qukut.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\kohydi.exe
    "C:\Users\Admin\AppData\Local\Temp\kohydi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\vywyj.exe
      "C:\Users\Admin\AppData\Local\Temp\vywyj.exe"
      4⤵
      Executes dropped EXE
      PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
282B

MD5
cc31b078999657d2aaacea7880e3f220

SHA1
977d09e641d13a458985a02d18969aae834fb111

SHA256
6fd5ea02d944d17bb2ed0198f308c96433fa33e0ef9a9edf2b8a71ec621b17ad

SHA512
183a483f0205a3ff008ae3a7e807d95705984f6d063473461ba26623465c4fa44dca20c362779c1e0a628c7d3c54f756ef505924723fd5cc62900fec00bc3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
282B

MD5
cc31b078999657d2aaacea7880e3f220

SHA1
977d09e641d13a458985a02d18969aae834fb111

SHA256
6fd5ea02d944d17bb2ed0198f308c96433fa33e0ef9a9edf2b8a71ec621b17ad

SHA512
183a483f0205a3ff008ae3a7e807d95705984f6d063473461ba26623465c4fa44dca20c362779c1e0a628c7d3c54f756ef505924723fd5cc62900fec00bc3c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
54e06f471bea9961825e0595a1da55bf

SHA1
72a7bb147c2f4bbcbd33041dfb8bb702f51cb577

SHA256
7e3b23605d6ec32088e1c5a5da1fe8c95d3bd31efd4b8d0d6860178777da4297

SHA512
485cc205815029aa4f7aa8ebd09067cdfcb2a3e8ad938b4eddcdf3bf478b000fbb4c5dc721c0e861c73314637139b026f1ec14ab704e427f173f7d10daed6b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
54e06f471bea9961825e0595a1da55bf

SHA1
72a7bb147c2f4bbcbd33041dfb8bb702f51cb577

SHA256
7e3b23605d6ec32088e1c5a5da1fe8c95d3bd31efd4b8d0d6860178777da4297

SHA512
485cc205815029aa4f7aa8ebd09067cdfcb2a3e8ad938b4eddcdf3bf478b000fbb4c5dc721c0e861c73314637139b026f1ec14ab704e427f173f7d10daed6b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
87287c4e7ca13016d759501eaeb0a6ae

SHA1
fd9861cca3172a433095fd6a1ec18140b3a5d917

SHA256
f0601b63d8cce2bfe473372f9730a2b1b2ed6d598f1e242820d083e68b473231

SHA512
b5ed1339ff7abfa8734931ee8a51d4f703a8e812351ad0c372efa6f245b2b4fdd980189dd08f514551ccf2576fad3c829a95de2eacb005c00c9a68cd25e21e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\kohydi.exe

Filesize
460KB

MD5
c612d6ee769d96dd463e7d5a0be99a66

SHA1
8de206765e5a88a48bc5beb5ade46c613bcaf0c2

SHA256
c796b792724d2b37e6ec77fd4b90ace8bc1f911da5d179d2b4f2db1cd9f7934c

SHA512
725bda91946da6a3db09b7acac4feaf152cd6042ba594784ec9673ba3461ba4dd9b6fd9dc298ffaa21e9a3d464e352b066c859f7d216e98bcd992719574e819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kohydi.exe

Filesize
460KB

MD5
c612d6ee769d96dd463e7d5a0be99a66

SHA1
8de206765e5a88a48bc5beb5ade46c613bcaf0c2

SHA256
c796b792724d2b37e6ec77fd4b90ace8bc1f911da5d179d2b4f2db1cd9f7934c

SHA512
725bda91946da6a3db09b7acac4feaf152cd6042ba594784ec9673ba3461ba4dd9b6fd9dc298ffaa21e9a3d464e352b066c859f7d216e98bcd992719574e819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kohydi.exe

Filesize
460KB

MD5
c612d6ee769d96dd463e7d5a0be99a66

SHA1
8de206765e5a88a48bc5beb5ade46c613bcaf0c2

SHA256
c796b792724d2b37e6ec77fd4b90ace8bc1f911da5d179d2b4f2db1cd9f7934c

SHA512
725bda91946da6a3db09b7acac4feaf152cd6042ba594784ec9673ba3461ba4dd9b6fd9dc298ffaa21e9a3d464e352b066c859f7d216e98bcd992719574e819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qukut.exe

Filesize
460KB

MD5
e89fceb67235ccd97038acf54e4219e2

SHA1
2084776910d13965360effe22b037dd34665dad4

SHA256
d01c28e4c837d8f6cf9c0cf4587e24e65e6b40a12798c993591fea63259d4e61

SHA512
4d3878654c6e35ef0d3c905886c0ac786231f0c38414f84a650bd13296352e7b96d24e3533c0c9480b82e1f73a66031caf80da94d28733d9b7af38590e17466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qukut.exe

Filesize
460KB

MD5
e89fceb67235ccd97038acf54e4219e2

SHA1
2084776910d13965360effe22b037dd34665dad4

SHA256
d01c28e4c837d8f6cf9c0cf4587e24e65e6b40a12798c993591fea63259d4e61

SHA512
4d3878654c6e35ef0d3c905886c0ac786231f0c38414f84a650bd13296352e7b96d24e3533c0c9480b82e1f73a66031caf80da94d28733d9b7af38590e17466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywyj.exe

Filesize
223KB

MD5
e49f854e89efccdd4ad6da27017f31fb

SHA1
55009eb84c9db1fcca3057740cfffe277a6faf35

SHA256
a485edde5cae476bc7d32b3e4d49929c18a0514b1d3d264b61bbc407cdb81417

SHA512
d3b2791cfe81a696debca0d0ca0b88f9357dad25a2a24b8863db9d6a408f4b6077eed33d8e424ad81d6087b7d44e48c303ef69f8fb961d62f2f25db7a4110ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vywyj.exe

Filesize
223KB

MD5
e49f854e89efccdd4ad6da27017f31fb

SHA1
55009eb84c9db1fcca3057740cfffe277a6faf35

SHA256
a485edde5cae476bc7d32b3e4d49929c18a0514b1d3d264b61bbc407cdb81417

SHA512
d3b2791cfe81a696debca0d0ca0b88f9357dad25a2a24b8863db9d6a408f4b6077eed33d8e424ad81d6087b7d44e48c303ef69f8fb961d62f2f25db7a4110ec3

Download Submit
\Users\Admin\AppData\Local\Temp\kohydi.exe

Filesize
460KB

MD5
c612d6ee769d96dd463e7d5a0be99a66

SHA1
8de206765e5a88a48bc5beb5ade46c613bcaf0c2

SHA256
c796b792724d2b37e6ec77fd4b90ace8bc1f911da5d179d2b4f2db1cd9f7934c

SHA512
725bda91946da6a3db09b7acac4feaf152cd6042ba594784ec9673ba3461ba4dd9b6fd9dc298ffaa21e9a3d464e352b066c859f7d216e98bcd992719574e819b

Download Submit
\Users\Admin\AppData\Local\Temp\qukut.exe

Filesize
460KB

MD5
e89fceb67235ccd97038acf54e4219e2

SHA1
2084776910d13965360effe22b037dd34665dad4

SHA256
d01c28e4c837d8f6cf9c0cf4587e24e65e6b40a12798c993591fea63259d4e61

SHA512
4d3878654c6e35ef0d3c905886c0ac786231f0c38414f84a650bd13296352e7b96d24e3533c0c9480b82e1f73a66031caf80da94d28733d9b7af38590e17466b

Download Submit
\Users\Admin\AppData\Local\Temp\vywyj.exe

Filesize
223KB

MD5
e49f854e89efccdd4ad6da27017f31fb

SHA1
55009eb84c9db1fcca3057740cfffe277a6faf35

SHA256
a485edde5cae476bc7d32b3e4d49929c18a0514b1d3d264b61bbc407cdb81417

SHA512
d3b2791cfe81a696debca0d0ca0b88f9357dad25a2a24b8863db9d6a408f4b6077eed33d8e424ad81d6087b7d44e48c303ef69f8fb961d62f2f25db7a4110ec3

Download Submit
\Users\Admin\AppData\Local\Temp\vywyj.exe

Filesize
223KB

MD5
e49f854e89efccdd4ad6da27017f31fb

SHA1
55009eb84c9db1fcca3057740cfffe277a6faf35

SHA256
a485edde5cae476bc7d32b3e4d49929c18a0514b1d3d264b61bbc407cdb81417

SHA512
d3b2791cfe81a696debca0d0ca0b88f9357dad25a2a24b8863db9d6a408f4b6077eed33d8e424ad81d6087b7d44e48c303ef69f8fb961d62f2f25db7a4110ec3

Download Submit
memory/2160-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2160-8-0x00000000026F0000-0x000000000275E000-memory.dmp

Filesize
440KB

Download
memory/2160-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2476-50-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2624-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-49-0x0000000003510000-0x00000000035B0000-memory.dmp

Filesize
640KB

Download
memory/2624-41-0x0000000003510000-0x00000000035B0000-memory.dmp

Filesize
640KB

Download
memory/2624-51-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2624-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3060-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3060-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download