urelas | 019d71fb4d55abe035b657292e0ddd89e3c827b9654337cab1dbd30583320a44

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2023 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
Size

418KB
MD5

a9f576a29aa60e35acfc621638239434
SHA1

3cf23e9c7446c0203c83be7770d42605d6816764
SHA256

019d71fb4d55abe035b657292e0ddd89e3c827b9654337cab1dbd30583320a44
SHA512

82c8269344cc12932afa11d8a2e3cfac3eaf0e854bf9e910d7359d3a052ba7e53b1d8f693413b26cf5fbcc4697854bfda9dc7230ddb649c6e23e77a118979630
SSDEEP

6144:XxiqjFBwbGbGQfkOuuGDblGE2OeMfqP3mOa2cBlBPAsEh:XhjQK3f/utLeMfBnBch

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	fuete.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	jopuac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
1984	fuete.exe
4708	jopuac.exe
1088	viboe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe
1088	viboe.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 1984	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	88
PID 4400 wrote to memory of 1984	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	88
PID 4400 wrote to memory of 1984	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	88
PID 4400 wrote to memory of 5036	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	89
PID 4400 wrote to memory of 5036	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	89
PID 4400 wrote to memory of 5036	4400	NEAS.a9f576a29aa60e35acfc621638239434_JC.exe	89
PID 1984 wrote to memory of 4708	1984	fuete.exe	91
PID 1984 wrote to memory of 4708	1984	fuete.exe	91
PID 1984 wrote to memory of 4708	1984	fuete.exe	91
PID 4708 wrote to memory of 1088	4708	jopuac.exe	103
PID 4708 wrote to memory of 1088	4708	jopuac.exe	103
PID 4708 wrote to memory of 1088	4708	jopuac.exe	103
PID 4708 wrote to memory of 2200	4708	jopuac.exe	104
PID 4708 wrote to memory of 2200	4708	jopuac.exe	104
PID 4708 wrote to memory of 2200	4708	jopuac.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.a9f576a29aa60e35acfc621638239434_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a9f576a29aa60e35acfc621638239434_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Users\Admin\AppData\Local\Temp\fuete.exe
  "C:\Users\Admin\AppData\Local\Temp\fuete.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\jopuac.exe
    "C:\Users\Admin\AppData\Local\Temp\jopuac.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Users\Admin\AppData\Local\Temp\viboe.exe
      "C:\Users\Admin\AppData\Local\Temp\viboe.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
e0a7469a29220a6f7a8d0252aec5bd31

SHA1
b61e94e550409fafff7710795965267c79f320f6

SHA256
e5a70a45e004fe2266dcf669f3895181284cedda5af971c66c5eb20bf5c7e82f

SHA512
0c8be620ebb11f71fd85d53338bcecb93ee31444704b317f69472827029398d16004f82a0c02167a14d7bcddd47d461317934b93d7125ddae852c74a8995974a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e53a0894c2bf432cd054ccaa833443c2

SHA1
78cb224c42b593438676d45a51f70be8e825cf93

SHA256
2623c63a1b021e44d90cdd83be9f97ec6a24cc8f7c7dcf9253a01b8cd2dbd6c8

SHA512
ac2dd46641eaf19f721d3fef92376883a1a00b8eb29838e8b8bcb6e356edac988ec8ea0a7bc3bde96a04b47dc340a1893b009d8dc4e6f0fef163f452db4df9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuete.exe

Filesize
418KB

MD5
f4b69b7f41b2e54ecec698b1c28ec87e

SHA1
7436c5f9d6c673825d17323a2a38075f07c81eec

SHA256
8525aaee3a2f1dc913d2ca4d319e9495faf2c2332d71ba472e09bda50574e642

SHA512
17d54658c42a5c26282388b10f53f8b3a4c5cd53d58d81fc460c07e3f4b09e47742da3350620b2c1e867f882854e9bb4cf093b3ab7e2ef76b9a613d268fa6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuete.exe

Filesize
418KB

MD5
f4b69b7f41b2e54ecec698b1c28ec87e

SHA1
7436c5f9d6c673825d17323a2a38075f07c81eec

SHA256
8525aaee3a2f1dc913d2ca4d319e9495faf2c2332d71ba472e09bda50574e642

SHA512
17d54658c42a5c26282388b10f53f8b3a4c5cd53d58d81fc460c07e3f4b09e47742da3350620b2c1e867f882854e9bb4cf093b3ab7e2ef76b9a613d268fa6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuete.exe

Filesize
418KB

MD5
f4b69b7f41b2e54ecec698b1c28ec87e

SHA1
7436c5f9d6c673825d17323a2a38075f07c81eec

SHA256
8525aaee3a2f1dc913d2ca4d319e9495faf2c2332d71ba472e09bda50574e642

SHA512
17d54658c42a5c26282388b10f53f8b3a4c5cd53d58d81fc460c07e3f4b09e47742da3350620b2c1e867f882854e9bb4cf093b3ab7e2ef76b9a613d268fa6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c4aa85005a1862a3fcc87aaf639e5715

SHA1
d61a4ad218d0a0160d4dbaa904133beca5ddfb7c

SHA256
9a87485e5511ae8aca689621d322a035a88932ad39d6d6cac7ed1ad0e2ee93f4

SHA512
91c2fd401833b34ca2ce94a4724d3fd81956397d4b5a12e8c22c1ead0e9edea512fdc38441465f663223dd49cff8f40d733233210d3589b7d8704a92b7b3c45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jopuac.exe

Filesize
418KB

MD5
f4b69b7f41b2e54ecec698b1c28ec87e

SHA1
7436c5f9d6c673825d17323a2a38075f07c81eec

SHA256
8525aaee3a2f1dc913d2ca4d319e9495faf2c2332d71ba472e09bda50574e642

SHA512
17d54658c42a5c26282388b10f53f8b3a4c5cd53d58d81fc460c07e3f4b09e47742da3350620b2c1e867f882854e9bb4cf093b3ab7e2ef76b9a613d268fa6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jopuac.exe

Filesize
418KB

MD5
f4b69b7f41b2e54ecec698b1c28ec87e

SHA1
7436c5f9d6c673825d17323a2a38075f07c81eec

SHA256
8525aaee3a2f1dc913d2ca4d319e9495faf2c2332d71ba472e09bda50574e642

SHA512
17d54658c42a5c26282388b10f53f8b3a4c5cd53d58d81fc460c07e3f4b09e47742da3350620b2c1e867f882854e9bb4cf093b3ab7e2ef76b9a613d268fa6a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\viboe.exe

Filesize
189KB

MD5
be5b8932992ad57e02be177d2692c617

SHA1
d503cbf1008816ce9066a9962c657fa6f0c46922

SHA256
4755c7b25d75d9c0201983264c9f7c421d2eb351415835e55b69850456c40c9c

SHA512
2d10ef1d14cee5eb134dde082a7d050cb4179a3dec4fa919b14ab743f553cc3347765a36443539aae11edee6c26a977d55c8aa20fc699101b91b20e78029b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\viboe.exe

Filesize
189KB

MD5
be5b8932992ad57e02be177d2692c617

SHA1
d503cbf1008816ce9066a9962c657fa6f0c46922

SHA256
4755c7b25d75d9c0201983264c9f7c421d2eb351415835e55b69850456c40c9c

SHA512
2d10ef1d14cee5eb134dde082a7d050cb4179a3dec4fa919b14ab743f553cc3347765a36443539aae11edee6c26a977d55c8aa20fc699101b91b20e78029b9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\viboe.exe

Filesize
189KB

MD5
be5b8932992ad57e02be177d2692c617

SHA1
d503cbf1008816ce9066a9962c657fa6f0c46922

SHA256
4755c7b25d75d9c0201983264c9f7c421d2eb351415835e55b69850456c40c9c

SHA512
2d10ef1d14cee5eb134dde082a7d050cb4179a3dec4fa919b14ab743f553cc3347765a36443539aae11edee6c26a977d55c8aa20fc699101b91b20e78029b9fc

Download Submit
memory/1088-42-0x0000000000F50000-0x0000000000FEB000-memory.dmp

Filesize
620KB

Download
memory/1088-44-0x0000000000F50000-0x0000000000FEB000-memory.dmp

Filesize
620KB

Download
memory/1088-43-0x0000000000F50000-0x0000000000FEB000-memory.dmp

Filesize
620KB

Download
memory/1088-39-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1088-37-0x0000000000F50000-0x0000000000FEB000-memory.dmp

Filesize
620KB

Download
memory/1088-45-0x0000000000F50000-0x0000000000FEB000-memory.dmp

Filesize
620KB

Download
memory/1984-24-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4400-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4400-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4708-40-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4708-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download