urelas | fe27b50ba044b933e6bf7b4c0a39bf9b175b44604d784ea6e83f86a1e8e936fb

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
Size

430KB
MD5

eabda63709aedf897a37dba81599a9ba
SHA1

5b83a8631b27ae97b06e903db99f199f1772f965
SHA256

fe27b50ba044b933e6bf7b4c0a39bf9b175b44604d784ea6e83f86a1e8e936fb
SHA512

4f01469e07e9b385e1f996a3ea691ae9f920c71526788d56fc43770ebb78abedbe89e3795878970f8a0b15164f918e4b193087ea304625852eb417be4aeb14d8
SSDEEP

6144:iEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpd:iMpASIcWYx2U6hAJQnG

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1972	uklib.exe
3020	edsubo.exe
2496	kusog.exe

Loads dropped DLL 3 IoCs

pid	Process
2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
1972	uklib.exe
3020	edsubo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe
2496	kusog.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1972	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	28
PID 2976 wrote to memory of 1972	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	28
PID 2976 wrote to memory of 1972	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	28
PID 2976 wrote to memory of 1972	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	28
PID 2976 wrote to memory of 2804	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	29
PID 2976 wrote to memory of 2804	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	29
PID 2976 wrote to memory of 2804	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	29
PID 2976 wrote to memory of 2804	2976	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	29
PID 1972 wrote to memory of 3020	1972	uklib.exe	31
PID 1972 wrote to memory of 3020	1972	uklib.exe	31
PID 1972 wrote to memory of 3020	1972	uklib.exe	31
PID 1972 wrote to memory of 3020	1972	uklib.exe	31
PID 3020 wrote to memory of 2496	3020	edsubo.exe	34
PID 3020 wrote to memory of 2496	3020	edsubo.exe	34
PID 3020 wrote to memory of 2496	3020	edsubo.exe	34
PID 3020 wrote to memory of 2496	3020	edsubo.exe	34
PID 3020 wrote to memory of 3000	3020	edsubo.exe	36
PID 3020 wrote to memory of 3000	3020	edsubo.exe	36
PID 3020 wrote to memory of 3000	3020	edsubo.exe	36
PID 3020 wrote to memory of 3000	3020	edsubo.exe	36

C:\Users\Admin\AppData\Local\Temp\NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\uklib.exe
  "C:\Users\Admin\AppData\Local\Temp\uklib.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\edsubo.exe
    "C:\Users\Admin\AppData\Local\Temp\edsubo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\kusog.exe
      "C:\Users\Admin\AppData\Local\Temp\kusog.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6f6e82f3b437e9f010dc7bee0e0ebf06

SHA1
09815bd7840884bb826787f62be57eb19ebf6adb

SHA256
6ae1e9f1585b357d215d22afb191b522ed70677e0371812fbdd5d2a5a6e6c7ab

SHA512
8ce3a3ec3fd4d4d6b6364cc54fed536698fb9f5b26255e1eb8eabffbd29b203748bd4a161585d681ae2c5a320e364b93ddbb63c3bb4175d05a0bee35e6b55d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6f6e82f3b437e9f010dc7bee0e0ebf06

SHA1
09815bd7840884bb826787f62be57eb19ebf6adb

SHA256
6ae1e9f1585b357d215d22afb191b522ed70677e0371812fbdd5d2a5a6e6c7ab

SHA512
8ce3a3ec3fd4d4d6b6364cc54fed536698fb9f5b26255e1eb8eabffbd29b203748bd4a161585d681ae2c5a320e364b93ddbb63c3bb4175d05a0bee35e6b55d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
298B

MD5
9d446ff84468addcb5d38549f455e887

SHA1
97b7926744e3da07f052234707501d6b35eae603

SHA256
825c4511cf1e61d2935679eb8cae0e2bc311e8a8ca6bfe9b385f7e1e3623613d

SHA512
8e50ff3fe714f9ead749d95faf19f1d6afe718331d4c6c2a4517083b5bb62039de5d64d9ad1abdfed96b13544d96bde27d67e820296cd3bb02300da26e56f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
298B

MD5
9d446ff84468addcb5d38549f455e887

SHA1
97b7926744e3da07f052234707501d6b35eae603

SHA256
825c4511cf1e61d2935679eb8cae0e2bc311e8a8ca6bfe9b385f7e1e3623613d

SHA512
8e50ff3fe714f9ead749d95faf19f1d6afe718331d4c6c2a4517083b5bb62039de5d64d9ad1abdfed96b13544d96bde27d67e820296cd3bb02300da26e56f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\edsubo.exe

Filesize
430KB

MD5
72ab8efe4a7972cd7acfd92698d65202

SHA1
0f6c3a864e33ece4f9065a645fd1bf5baebfb7dd

SHA256
8b8c62634fc301853df06ed46374f9058e839fc967b77b2ebe2d716ea0d7617d

SHA512
5abfe9ee34e8a618718934520f0c781a19f875c7e399bdd18c2ca3cb8a451a955412a7d9d928cf68955daf82855529f43bcd851e09762ab7f545549788585142

Download Submit
C:\Users\Admin\AppData\Local\Temp\edsubo.exe

Filesize
430KB

MD5
72ab8efe4a7972cd7acfd92698d65202

SHA1
0f6c3a864e33ece4f9065a645fd1bf5baebfb7dd

SHA256
8b8c62634fc301853df06ed46374f9058e839fc967b77b2ebe2d716ea0d7617d

SHA512
5abfe9ee34e8a618718934520f0c781a19f875c7e399bdd18c2ca3cb8a451a955412a7d9d928cf68955daf82855529f43bcd851e09762ab7f545549788585142

Download Submit
C:\Users\Admin\AppData\Local\Temp\edsubo.exe

Filesize
430KB

MD5
72ab8efe4a7972cd7acfd92698d65202

SHA1
0f6c3a864e33ece4f9065a645fd1bf5baebfb7dd

SHA256
8b8c62634fc301853df06ed46374f9058e839fc967b77b2ebe2d716ea0d7617d

SHA512
5abfe9ee34e8a618718934520f0c781a19f875c7e399bdd18c2ca3cb8a451a955412a7d9d928cf68955daf82855529f43bcd851e09762ab7f545549788585142

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1b21e6a7b40cd2863bb30680ffbcf0fc

SHA1
0cc8a39b76bf8662f970c3097c3850454a5138ff

SHA256
b4a505d94e5e93a77227c8aa989d2466a4587495b13e250cf3f4d0b7ea92fdeb

SHA512
13204ea3f424f511495ab8f237b12af9f3d2b26fb428356eb227b1bfb4cc346d9f0a03a91cf56e85ef72660f90018b08e09056366a4efa1f35df7916d002cad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kusog.exe

Filesize
223KB

MD5
56af501b97bb7b2587562ce14d96b5d4

SHA1
9bed576febe3d9222367dbf31a5ee7c266a8d23e

SHA256
dc04cb248f8db7c25526641f5951929b37936bddfba9bb88e6a94cc38e73d833

SHA512
df188afbf2dd7520d67bc6f09633b3909db2c420e605fe4c7d32ba0ffcd5acbca5eee1bcbb6d0ae622104aaee592cac263df1dc47171b3bbbc6ca227d7d0490c

Download Submit
C:\Users\Admin\AppData\Local\Temp\uklib.exe

Filesize
430KB

MD5
c087c32f42589db7d0128d595c215dbd

SHA1
4cca12b3564f3d68cfe3b81fe6a61124fb90a08d

SHA256
e3144104a43023720b493df444679dceda2d7bfa35e0e99fa5618226caf12c6b

SHA512
92f28dd2db7002621480264317d64ec7ac22c934fdfbe4f7d2dcf8bfa10ed3bab026f9b0a842663de84763764d256679fd0187572f902df154da0f36fb8918cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\uklib.exe

Filesize
430KB

MD5
c087c32f42589db7d0128d595c215dbd

SHA1
4cca12b3564f3d68cfe3b81fe6a61124fb90a08d

SHA256
e3144104a43023720b493df444679dceda2d7bfa35e0e99fa5618226caf12c6b

SHA512
92f28dd2db7002621480264317d64ec7ac22c934fdfbe4f7d2dcf8bfa10ed3bab026f9b0a842663de84763764d256679fd0187572f902df154da0f36fb8918cf

Download Submit
\Users\Admin\AppData\Local\Temp\edsubo.exe

Filesize
430KB

MD5
72ab8efe4a7972cd7acfd92698d65202

SHA1
0f6c3a864e33ece4f9065a645fd1bf5baebfb7dd

SHA256
8b8c62634fc301853df06ed46374f9058e839fc967b77b2ebe2d716ea0d7617d

SHA512
5abfe9ee34e8a618718934520f0c781a19f875c7e399bdd18c2ca3cb8a451a955412a7d9d928cf68955daf82855529f43bcd851e09762ab7f545549788585142

Download Submit
\Users\Admin\AppData\Local\Temp\kusog.exe

Filesize
223KB

MD5
56af501b97bb7b2587562ce14d96b5d4

SHA1
9bed576febe3d9222367dbf31a5ee7c266a8d23e

SHA256
dc04cb248f8db7c25526641f5951929b37936bddfba9bb88e6a94cc38e73d833

SHA512
df188afbf2dd7520d67bc6f09633b3909db2c420e605fe4c7d32ba0ffcd5acbca5eee1bcbb6d0ae622104aaee592cac263df1dc47171b3bbbc6ca227d7d0490c

Download Submit
\Users\Admin\AppData\Local\Temp\uklib.exe

Filesize
430KB

MD5
c087c32f42589db7d0128d595c215dbd

SHA1
4cca12b3564f3d68cfe3b81fe6a61124fb90a08d

SHA256
e3144104a43023720b493df444679dceda2d7bfa35e0e99fa5618226caf12c6b

SHA512
92f28dd2db7002621480264317d64ec7ac22c934fdfbe4f7d2dcf8bfa10ed3bab026f9b0a842663de84763764d256679fd0187572f902df154da0f36fb8918cf

Download Submit
memory/1972-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1972-24-0x0000000001ED0000-0x0000000001F3E000-memory.dmp

Filesize
440KB

Download
memory/2496-55-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2496-47-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2496-46-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2496-54-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2496-53-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2496-52-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2496-51-0x0000000000090000-0x0000000000130000-memory.dmp

Filesize
640KB

Download
memory/2976-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3020-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3020-36-0x0000000003760000-0x0000000003800000-memory.dmp

Filesize
640KB

Download
memory/3020-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3020-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download