urelas | 2c695742e32b4e45aa28c317336953fcff6d55d3ad095dbd51df68e0ce84af96

General

Target

058036f22cf856674f4167a53296a7bf_JC.exe
Size

439KB
MD5

058036f22cf856674f4167a53296a7bf
SHA1

bb99e0c12b6fedf7e128cb4222c603278a31520c
SHA256

2c695742e32b4e45aa28c317336953fcff6d55d3ad095dbd51df68e0ce84af96
SHA512

1da0553339bd2b385c4b183fddef7fec3aafac908f7a5afb290e039b091a34908c7dc3639b40aaee74166cd56abc4db886eb6d4cb1e65e7334f9720c627f34b3
SSDEEP

6144:g9XG4oXs663ypJL9fWPEmGy3AiWd3tWlRjiJEZ8yJt0TfC29qcV:gMPs663ypJ5WPyy3pWd3tWDea5t0TfHP

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2152	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1296	pyavh.exe
2508	coykc.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	058036f22cf856674f4167a53296a7bf_JC.exe
1296	pyavh.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-0-0x0000000001200000-0x0000000001271000-memory.dmp	upx
behavioral1/files/0x000c00000001226a-4.dat	upx
behavioral1/files/0x000c00000001226a-9.dat	upx
behavioral1/memory/1296-10-0x00000000012A0000-0x0000000001311000-memory.dmp	upx
behavioral1/memory/2064-18-0x0000000001200000-0x0000000001271000-memory.dmp	upx
behavioral1/memory/1296-21-0x00000000012A0000-0x0000000001311000-memory.dmp	upx
behavioral1/memory/1296-28-0x00000000012A0000-0x0000000001311000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-27.dat	upx
behavioral1/files/0x0004000000004ed7-24.dat	upx
behavioral1/memory/2508-31-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/files/0x000c00000001226a-32.dat	upx
behavioral1/memory/2508-33-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2508-34-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2508-35-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2508-36-0x0000000000400000-0x000000000049C000-memory.dmp	upx
behavioral1/memory/2508-37-0x0000000000400000-0x000000000049C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe
2508	coykc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1296	2064	058036f22cf856674f4167a53296a7bf_JC.exe	28
PID 2064 wrote to memory of 1296	2064	058036f22cf856674f4167a53296a7bf_JC.exe	28
PID 2064 wrote to memory of 1296	2064	058036f22cf856674f4167a53296a7bf_JC.exe	28
PID 2064 wrote to memory of 1296	2064	058036f22cf856674f4167a53296a7bf_JC.exe	28
PID 2064 wrote to memory of 2152	2064	058036f22cf856674f4167a53296a7bf_JC.exe	29
PID 2064 wrote to memory of 2152	2064	058036f22cf856674f4167a53296a7bf_JC.exe	29
PID 2064 wrote to memory of 2152	2064	058036f22cf856674f4167a53296a7bf_JC.exe	29
PID 2064 wrote to memory of 2152	2064	058036f22cf856674f4167a53296a7bf_JC.exe	29
PID 1296 wrote to memory of 2508	1296	pyavh.exe	33
PID 1296 wrote to memory of 2508	1296	pyavh.exe	33
PID 1296 wrote to memory of 2508	1296	pyavh.exe	33
PID 1296 wrote to memory of 2508	1296	pyavh.exe	33

C:\Users\Admin\AppData\Local\Temp\058036f22cf856674f4167a53296a7bf_JC.exe
"C:\Users\Admin\AppData\Local\Temp\058036f22cf856674f4167a53296a7bf_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\pyavh.exe
  "C:\Users\Admin\AppData\Local\Temp\pyavh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\coykc.exe
    "C:\Users\Admin\AppData\Local\Temp\coykc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
b88e894e8f3cb0849391da552436f2fc

SHA1
d96e0e690b52b8f2b7f798fd19a7961e4410cfc9

SHA256
1102bb5f6b2c1de103d86cda1a857e17a908cadf1a9c7f8d70056be7e8ac633c

SHA512
d53a6da7506d13a17bbfbf0c5cd40ea7e1e51fbeec1353adba0d425205719cdeca05b461c7dd5e4b9a3b9012da05727d6848937f9db7db649285bf01d8bef773

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
282B

MD5
b88e894e8f3cb0849391da552436f2fc

SHA1
d96e0e690b52b8f2b7f798fd19a7961e4410cfc9

SHA256
1102bb5f6b2c1de103d86cda1a857e17a908cadf1a9c7f8d70056be7e8ac633c

SHA512
d53a6da7506d13a17bbfbf0c5cd40ea7e1e51fbeec1353adba0d425205719cdeca05b461c7dd5e4b9a3b9012da05727d6848937f9db7db649285bf01d8bef773

Download Submit
C:\Users\Admin\AppData\Local\Temp\coykc.exe

Filesize
164KB

MD5
84f997e4d53fbedcf855c1f3875fc213

SHA1
875ceb4cb7bcb1b616c3f74703d4ff3d493438ed

SHA256
17f3f5d3b11dfdb652a2d1c450d6fc2504a17a558dbdcdf409c990dcc8e4017a

SHA512
96952191d051872cdb410b727a82574570c5d5f392c5298deca01f6e29eae7838a02cc129eee97e29352ec9b47c1d56a25bbddde00c2802d9bb3964553688cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dbb2bcf089e6a02b67304c9ab2efd687

SHA1
3d220fc7cc3787bc51a2c1a74c8cd36141fd46e6

SHA256
d9ccec47862e8d722ce5e1dea5f81f2146e6de8cd1e906ed0729fc14ab595327

SHA512
7c52076254d9a8f02277b0dc1f8bcff52f7a0f7da0edb76e815abe538c1a8a170d2481c5576ec22661032fa7265241c926e0d6c080cf72446501b226b2ff09ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyavh.exe

Filesize
439KB

MD5
584356d64cddcdba1fb8d3671e3ba822

SHA1
86aa61ec229d946fa9537c706cb83834e8f77e50

SHA256
4b7249930fb3bdb0632d2ad4dc6467ebebf33dc8c57c09308dc73be7d921fc2a

SHA512
d28dffce4c8d92669e8ea7da993ca02ce1112bb6aac7c73179b88a965ceb28e0b25e2d36a26bb5e2aae6b5e67bfcfa5d21c8faec7e6e3fbb02785f74cd4209a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pyavh.exe

Filesize
439KB

MD5
584356d64cddcdba1fb8d3671e3ba822

SHA1
86aa61ec229d946fa9537c706cb83834e8f77e50

SHA256
4b7249930fb3bdb0632d2ad4dc6467ebebf33dc8c57c09308dc73be7d921fc2a

SHA512
d28dffce4c8d92669e8ea7da993ca02ce1112bb6aac7c73179b88a965ceb28e0b25e2d36a26bb5e2aae6b5e67bfcfa5d21c8faec7e6e3fbb02785f74cd4209a9

Download Submit
\Users\Admin\AppData\Local\Temp\coykc.exe

Filesize
164KB

MD5
84f997e4d53fbedcf855c1f3875fc213

SHA1
875ceb4cb7bcb1b616c3f74703d4ff3d493438ed

SHA256
17f3f5d3b11dfdb652a2d1c450d6fc2504a17a558dbdcdf409c990dcc8e4017a

SHA512
96952191d051872cdb410b727a82574570c5d5f392c5298deca01f6e29eae7838a02cc129eee97e29352ec9b47c1d56a25bbddde00c2802d9bb3964553688cc6

Download Submit
\Users\Admin\AppData\Local\Temp\pyavh.exe

Filesize
439KB

MD5
584356d64cddcdba1fb8d3671e3ba822

SHA1
86aa61ec229d946fa9537c706cb83834e8f77e50

SHA256
4b7249930fb3bdb0632d2ad4dc6467ebebf33dc8c57c09308dc73be7d921fc2a

SHA512
d28dffce4c8d92669e8ea7da993ca02ce1112bb6aac7c73179b88a965ceb28e0b25e2d36a26bb5e2aae6b5e67bfcfa5d21c8faec7e6e3fbb02785f74cd4209a9

Download Submit
memory/1296-28-0x00000000012A0000-0x0000000001311000-memory.dmp

Filesize
452KB

Download
memory/1296-21-0x00000000012A0000-0x0000000001311000-memory.dmp

Filesize
452KB

Download
memory/1296-10-0x00000000012A0000-0x0000000001311000-memory.dmp

Filesize
452KB

Download
memory/2064-0-0x0000000001200000-0x0000000001271000-memory.dmp

Filesize
452KB

Download
memory/2064-18-0x0000000001200000-0x0000000001271000-memory.dmp

Filesize
452KB

Download
memory/2064-8-0x0000000000E90000-0x0000000000F01000-memory.dmp

Filesize
452KB

Download
memory/2508-31-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2508-33-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2508-34-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2508-35-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2508-36-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2508-37-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing