urelas | 2fb6c8260c621bd6a84c7a7d07b677a68d92f324e653161166e524c882cdcc70

General

Target

b59748f984aea7069b73c1f854df52be.exe
Size

488KB
MD5

b59748f984aea7069b73c1f854df52be
SHA1

beee66a85cc9db1c9a627ff99f74466f8f9b12e2
SHA256

2fb6c8260c621bd6a84c7a7d07b677a68d92f324e653161166e524c882cdcc70
SHA512

3143a1603f566293be91cf82353e8be910fd4a9d7b366ec45fa4674b8da52c225c921774653a10bb557ccb0e11eea45a57ced49cd26f002efe6e11b77a71fbf9
SSDEEP

6144:KxBWeMRygxDLbHxlSBxzJb6B6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDq+8:63MQIDKJxq+Xxvo0U+d3s/fCX0b

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2756	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	kukeb.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	b59748f984aea7069b73c1f854df52be.exe
2068	b59748f984aea7069b73c1f854df52be.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2068-0-0x00000000010E0000-0x0000000001187000-memory.dmp	upx
behavioral1/files/0x00090000000120eb-4.dat	upx
behavioral1/files/0x00090000000120eb-9.dat	upx
behavioral1/files/0x00090000000120eb-12.dat	upx
behavioral1/files/0x00090000000120eb-7.dat	upx
behavioral1/memory/2068-6-0x0000000002730000-0x00000000027D7000-memory.dmp	upx
behavioral1/memory/2068-20-0x00000000010E0000-0x0000000001187000-memory.dmp	upx
behavioral1/memory/2588-23-0x0000000000E20000-0x0000000000EC7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	b59748f984aea7069b73c1f854df52be.exe
2588	kukeb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2588	2068	b59748f984aea7069b73c1f854df52be.exe	28
PID 2068 wrote to memory of 2588	2068	b59748f984aea7069b73c1f854df52be.exe	28
PID 2068 wrote to memory of 2588	2068	b59748f984aea7069b73c1f854df52be.exe	28
PID 2068 wrote to memory of 2588	2068	b59748f984aea7069b73c1f854df52be.exe	28
PID 2068 wrote to memory of 2756	2068	b59748f984aea7069b73c1f854df52be.exe	29
PID 2068 wrote to memory of 2756	2068	b59748f984aea7069b73c1f854df52be.exe	29
PID 2068 wrote to memory of 2756	2068	b59748f984aea7069b73c1f854df52be.exe	29
PID 2068 wrote to memory of 2756	2068	b59748f984aea7069b73c1f854df52be.exe	29

C:\Users\Admin\AppData\Local\Temp\b59748f984aea7069b73c1f854df52be.exe
"C:\Users\Admin\AppData\Local\Temp\b59748f984aea7069b73c1f854df52be.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\kukeb.exe
  "C:\Users\Admin\AppData\Local\Temp\kukeb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
277B

MD5
f452676fe73e0e457c5aba4a58c04b40

SHA1
edacf202942b01005dacc550c8d92a07df50039d

SHA256
b9a5bdacc7ea8150f59cfcdcafcb54ddc83299570cc20d13421b163840b25218

SHA512
9e0116bc98e2c6366ad363b08359b7acc9d8492d46140b399815fac96814d4a40b6f07e57f9c136073690a2428ad8d29a04d93d58a960b41f17f075cdcc6dc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
277B

MD5
f452676fe73e0e457c5aba4a58c04b40

SHA1
edacf202942b01005dacc550c8d92a07df50039d

SHA256
b9a5bdacc7ea8150f59cfcdcafcb54ddc83299570cc20d13421b163840b25218

SHA512
9e0116bc98e2c6366ad363b08359b7acc9d8492d46140b399815fac96814d4a40b6f07e57f9c136073690a2428ad8d29a04d93d58a960b41f17f075cdcc6dc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a825e846bca79b347b009639a68353bd

SHA1
bb2d7fb6f918674676a92cc57eb61b0ca915ff8d

SHA256
625c16f33192595cb558d08a9019ee95731e51785b504fba2c829757c2ef94aa

SHA512
dd288f3d741d9bb87a5b2598839fa6b3763a4fc85c0a004d9bd8aacde37914c8e2ec8b56effbfe328d6ae7c905f65b8272efd07336999a4e9c028d035c681a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukeb.exe

Filesize
488KB

MD5
f72473a5aa525c4d7a1b869a8e37850c

SHA1
cf3679ae501127947d8834183a65e1aa919a7157

SHA256
ad0b4def19c84280d750056a95828791b761ee3fbf414fdcd846a77bb0496e24

SHA512
fd50f139bce04abf5660a3842bbd1c79c2f5b5266d4cbd9c739372d89ebb29dab2619a0a321c35216933658b2aebb0f5324ee31a108e0d210ec1cf5988a3e459

Download Submit
C:\Users\Admin\AppData\Local\Temp\kukeb.exe

Filesize
488KB

MD5
f72473a5aa525c4d7a1b869a8e37850c

SHA1
cf3679ae501127947d8834183a65e1aa919a7157

SHA256
ad0b4def19c84280d750056a95828791b761ee3fbf414fdcd846a77bb0496e24

SHA512
fd50f139bce04abf5660a3842bbd1c79c2f5b5266d4cbd9c739372d89ebb29dab2619a0a321c35216933658b2aebb0f5324ee31a108e0d210ec1cf5988a3e459

Download Submit
\Users\Admin\AppData\Local\Temp\kukeb.exe

Filesize
488KB

MD5
f72473a5aa525c4d7a1b869a8e37850c

SHA1
cf3679ae501127947d8834183a65e1aa919a7157

SHA256
ad0b4def19c84280d750056a95828791b761ee3fbf414fdcd846a77bb0496e24

SHA512
fd50f139bce04abf5660a3842bbd1c79c2f5b5266d4cbd9c739372d89ebb29dab2619a0a321c35216933658b2aebb0f5324ee31a108e0d210ec1cf5988a3e459

Download Submit
\Users\Admin\AppData\Local\Temp\kukeb.exe

Filesize
488KB

MD5
f72473a5aa525c4d7a1b869a8e37850c

SHA1
cf3679ae501127947d8834183a65e1aa919a7157

SHA256
ad0b4def19c84280d750056a95828791b761ee3fbf414fdcd846a77bb0496e24

SHA512
fd50f139bce04abf5660a3842bbd1c79c2f5b5266d4cbd9c739372d89ebb29dab2619a0a321c35216933658b2aebb0f5324ee31a108e0d210ec1cf5988a3e459

Download Submit
memory/2068-0-0x00000000010E0000-0x0000000001187000-memory.dmp

Filesize
668KB

Download
memory/2068-6-0x0000000002730000-0x00000000027D7000-memory.dmp

Filesize
668KB

Download
memory/2068-20-0x00000000010E0000-0x0000000001187000-memory.dmp

Filesize
668KB

Download
memory/2588-23-0x0000000000E20000-0x0000000000EC7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing