urelas | fe27b50ba044b933e6bf7b4c0a39bf9b175b44604d784ea6e83f86a1e8e936fb

Analysis

max time kernel
186s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
Size

430KB
MD5

eabda63709aedf897a37dba81599a9ba
SHA1

5b83a8631b27ae97b06e903db99f199f1772f965
SHA256

fe27b50ba044b933e6bf7b4c0a39bf9b175b44604d784ea6e83f86a1e8e936fb
SHA512

4f01469e07e9b385e1f996a3ea691ae9f920c71526788d56fc43770ebb78abedbe89e3795878970f8a0b15164f918e4b193087ea304625852eb417be4aeb14d8
SSDEEP

6144:iEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpd:iMpASIcWYx2U6hAJQnG

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	woyrf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	tuluxe.exe

Executes dropped EXE 3 IoCs

pid	Process
636	woyrf.exe
4056	tuluxe.exe
2860	polob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe
2860	polob.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 636	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	88
PID 1912 wrote to memory of 636	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	88
PID 1912 wrote to memory of 636	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	88
PID 1912 wrote to memory of 2992	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	89
PID 1912 wrote to memory of 2992	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	89
PID 1912 wrote to memory of 2992	1912	NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe	89
PID 636 wrote to memory of 4056	636	woyrf.exe	91
PID 636 wrote to memory of 4056	636	woyrf.exe	91
PID 636 wrote to memory of 4056	636	woyrf.exe	91
PID 4056 wrote to memory of 2860	4056	tuluxe.exe	104
PID 4056 wrote to memory of 2860	4056	tuluxe.exe	104
PID 4056 wrote to memory of 2860	4056	tuluxe.exe	104
PID 4056 wrote to memory of 1560	4056	tuluxe.exe	105
PID 4056 wrote to memory of 1560	4056	tuluxe.exe	105
PID 4056 wrote to memory of 1560	4056	tuluxe.exe	105

C:\Users\Admin\AppData\Local\Temp\NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eabda63709aedf897a37dba81599a9baexe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\woyrf.exe
  "C:\Users\Admin\AppData\Local\Temp\woyrf.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\tuluxe.exe
    "C:\Users\Admin\AppData\Local\Temp\tuluxe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\polob.exe
      "C:\Users\Admin\AppData\Local\Temp\polob.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cbf3b3da093830c2888a0f32d3f1d21f

SHA1
df878ab4c30d7db2d096f31d009b7c10299b56d3

SHA256
619740d28eb7ec2e12e1f46ab45ac9461e2cb5fb42ffec16e2426c9982ade66f

SHA512
78afa0bb56b4f215107eee643af1a2fb5b407e9dd71fce18ec20582e45567f459abf217de541b2a2f7cc5f1e0c98fc9eee291553bc782bc607c94ce19b65591f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
298B

MD5
9d446ff84468addcb5d38549f455e887

SHA1
97b7926744e3da07f052234707501d6b35eae603

SHA256
825c4511cf1e61d2935679eb8cae0e2bc311e8a8ca6bfe9b385f7e1e3623613d

SHA512
8e50ff3fe714f9ead749d95faf19f1d6afe718331d4c6c2a4517083b5bb62039de5d64d9ad1abdfed96b13544d96bde27d67e820296cd3bb02300da26e56f383

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
85501758a9ebe51e51616f8417791c23

SHA1
b936126d5a58cf5aad64897343a3f6968105f835

SHA256
be76f6719dd6048a6e3a846afd7a212eb37ea12dd7142d9881984555cfdd0eee

SHA512
3fab9e712a17435a73fef1f9aa3aaad2a373c8fe74791200fdc7a9f60b35c7db67c7c391d03205e60a1082167307dbacf3bccd3fe16180bff7baec3374043773

Download Submit
C:\Users\Admin\AppData\Local\Temp\polob.exe

Filesize
223KB

MD5
a48cd1cad1e39281e5ebb99cc85b5f19

SHA1
5a900006cc7daabd2a12875abbad05de399fe044

SHA256
a39895ea25804d086bc75b7cb90143ac17bee38ff0c8c8f23f9e8408fb147c5d

SHA512
84664559667953bef70cf8d09a265fdec7695280b6a1318c10720a35cd679c3c6acd8ec9afd983ee5bacda7e827a5211984ba2c3e2ea6e63773f3b9dad9362de

Download Submit
C:\Users\Admin\AppData\Local\Temp\polob.exe

Filesize
223KB

MD5
a48cd1cad1e39281e5ebb99cc85b5f19

SHA1
5a900006cc7daabd2a12875abbad05de399fe044

SHA256
a39895ea25804d086bc75b7cb90143ac17bee38ff0c8c8f23f9e8408fb147c5d

SHA512
84664559667953bef70cf8d09a265fdec7695280b6a1318c10720a35cd679c3c6acd8ec9afd983ee5bacda7e827a5211984ba2c3e2ea6e63773f3b9dad9362de

Download Submit
C:\Users\Admin\AppData\Local\Temp\polob.exe

Filesize
223KB

MD5
a48cd1cad1e39281e5ebb99cc85b5f19

SHA1
5a900006cc7daabd2a12875abbad05de399fe044

SHA256
a39895ea25804d086bc75b7cb90143ac17bee38ff0c8c8f23f9e8408fb147c5d

SHA512
84664559667953bef70cf8d09a265fdec7695280b6a1318c10720a35cd679c3c6acd8ec9afd983ee5bacda7e827a5211984ba2c3e2ea6e63773f3b9dad9362de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuluxe.exe

Filesize
430KB

MD5
43699a5461fb1e00a951f338daa5432d

SHA1
f88991529a6a2c906f073d9892c9d1fee23d90c4

SHA256
ff42ab7d7c8f42f6f1fc73d1f1cc09db097856f303289010c2056708a535113c

SHA512
feeb2a306a98481d38dfadf47b7490ca173b3a56a257c0fdda238cb6a2165aca7b07c2302fc08a58e1ac08935fd1dc53b84c5bfae56481fceaa750319d97ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuluxe.exe

Filesize
430KB

MD5
43699a5461fb1e00a951f338daa5432d

SHA1
f88991529a6a2c906f073d9892c9d1fee23d90c4

SHA256
ff42ab7d7c8f42f6f1fc73d1f1cc09db097856f303289010c2056708a535113c

SHA512
feeb2a306a98481d38dfadf47b7490ca173b3a56a257c0fdda238cb6a2165aca7b07c2302fc08a58e1ac08935fd1dc53b84c5bfae56481fceaa750319d97ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\woyrf.exe

Filesize
430KB

MD5
f32f56dbb545b5c6e2fc958c79e790bf

SHA1
67a70c2d529d7463e60cf77af03fe1c25004546a

SHA256
379222cbe42dba2a9ab4752f9f664ccef98c463cbf034fcabbc830f7bf4d9e55

SHA512
8c8aadd0642cc5a1cf8da1180b051a0fe91101d57ce27869bc7acdaeab0c1f6928e9b0ed77a4c9c835bc27dc4c87ab2037aa2c77682471efe7974b3ef516c913

Download Submit
C:\Users\Admin\AppData\Local\Temp\woyrf.exe

Filesize
430KB

MD5
f32f56dbb545b5c6e2fc958c79e790bf

SHA1
67a70c2d529d7463e60cf77af03fe1c25004546a

SHA256
379222cbe42dba2a9ab4752f9f664ccef98c463cbf034fcabbc830f7bf4d9e55

SHA512
8c8aadd0642cc5a1cf8da1180b051a0fe91101d57ce27869bc7acdaeab0c1f6928e9b0ed77a4c9c835bc27dc4c87ab2037aa2c77682471efe7974b3ef516c913

Download Submit
C:\Users\Admin\AppData\Local\Temp\woyrf.exe

Filesize
430KB

MD5
f32f56dbb545b5c6e2fc958c79e790bf

SHA1
67a70c2d529d7463e60cf77af03fe1c25004546a

SHA256
379222cbe42dba2a9ab4752f9f664ccef98c463cbf034fcabbc830f7bf4d9e55

SHA512
8c8aadd0642cc5a1cf8da1180b051a0fe91101d57ce27869bc7acdaeab0c1f6928e9b0ed77a4c9c835bc27dc4c87ab2037aa2c77682471efe7974b3ef516c913

Download Submit
memory/636-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/636-13-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1912-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1912-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2860-37-0x00000000007B0000-0x0000000000850000-memory.dmp

Filesize
640KB

Download
memory/2860-42-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2860-44-0x00000000007B0000-0x0000000000850000-memory.dmp

Filesize
640KB

Download
memory/4056-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4056-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4056-41-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download