urelas | 913620a98a10345fcc0f402c78d8b606d24f5ceeb3849e9ab7b305f5ad639b24

General

Target

NEAS.445772b099d5513e1f0b9b649d443370.exe
Size

425KB
MD5

445772b099d5513e1f0b9b649d443370
SHA1

cee8b3fe48da93d80cb2c44bc50ab97762206d02
SHA256

913620a98a10345fcc0f402c78d8b606d24f5ceeb3849e9ab7b305f5ad639b24
SHA512

95e461ae4f330ddc2a7883ccc8f12424b8d7f1b28db65567d86f011b0c7d74f5182dd8183bb9969ce28c457a8823894dd63fbd0b04004f93b5d6721d75294f5b
SSDEEP

6144:UzU7blKaP2iCWhWapKRaRXOkN4Swel6f3IuODGLxJ:uU7M5ijWh0XOW4sEfHOOJ

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	mogop.exe

Loads dropped DLL 2 IoCs

pid	Process
2024	NEAS.445772b099d5513e1f0b9b649d443370.exe
2024	NEAS.445772b099d5513e1f0b9b649d443370.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2588	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	28
PID 2024 wrote to memory of 2588	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	28
PID 2024 wrote to memory of 2588	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	28
PID 2024 wrote to memory of 2588	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	28
PID 2024 wrote to memory of 2860	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	29
PID 2024 wrote to memory of 2860	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	29
PID 2024 wrote to memory of 2860	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	29
PID 2024 wrote to memory of 2860	2024	NEAS.445772b099d5513e1f0b9b649d443370.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.445772b099d5513e1f0b9b649d443370.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.445772b099d5513e1f0b9b649d443370.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\mogop.exe
  "C:\Users\Admin\AppData\Local\Temp\mogop.exe"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
a9feb726f918f911f3aee9aff1383f8e

SHA1
fbe810d186c358858e119bae16aeb70db6ad8d86

SHA256
8ad2dd4fbfabd78bff081291b73c15671c1112a230b86dd2e1070e5fa3888065

SHA512
3e1b0e5755fe2aedd01cceb637295ece2b901e73fac544a3cd45197cd24c43dbdcb3901a3fc75c88cce6013e6fc66fc939a8b3ad04485eab2d6e5b6b02a7696b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
a9feb726f918f911f3aee9aff1383f8e

SHA1
fbe810d186c358858e119bae16aeb70db6ad8d86

SHA256
8ad2dd4fbfabd78bff081291b73c15671c1112a230b86dd2e1070e5fa3888065

SHA512
3e1b0e5755fe2aedd01cceb637295ece2b901e73fac544a3cd45197cd24c43dbdcb3901a3fc75c88cce6013e6fc66fc939a8b3ad04485eab2d6e5b6b02a7696b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a8e5886e92e55db157b7d3fb24d87bf

SHA1
6b72908ced6b08d3e048c60096d97545f3eb4a8d

SHA256
9052ebbff4c0f4638ae866637840ad7ec17b1f1bd61387fabcfede633ed3c876

SHA512
7df5919713e0054d678834070ab37a33b759b15ba59ff89fc8567a8832d832e3e0db2f1d7318a05fdf8f3808598ce0be54fb1457b342b33222d708eaa9a68087

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogop.exe

Filesize
425KB

MD5
619b512eed797e997187405a6a87efdd

SHA1
9f99c832cbee0a27baa5e635f78447f31a52d187

SHA256
c606852603066ce1617e381b51403481cff329dba4c67a7273527b342566f186

SHA512
c80fdd2ddb67bc457cdd27f2b54ff8177d2c0c921f84efcef65b112984beee0c523aafbbae88501549aa49f98e132f03b2eae11cc7ef78289dc35f2252199fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\mogop.exe

Filesize
425KB

MD5
619b512eed797e997187405a6a87efdd

SHA1
9f99c832cbee0a27baa5e635f78447f31a52d187

SHA256
c606852603066ce1617e381b51403481cff329dba4c67a7273527b342566f186

SHA512
c80fdd2ddb67bc457cdd27f2b54ff8177d2c0c921f84efcef65b112984beee0c523aafbbae88501549aa49f98e132f03b2eae11cc7ef78289dc35f2252199fc1

Download Submit
\Users\Admin\AppData\Local\Temp\mogop.exe

Filesize
425KB

MD5
619b512eed797e997187405a6a87efdd

SHA1
9f99c832cbee0a27baa5e635f78447f31a52d187

SHA256
c606852603066ce1617e381b51403481cff329dba4c67a7273527b342566f186

SHA512
c80fdd2ddb67bc457cdd27f2b54ff8177d2c0c921f84efcef65b112984beee0c523aafbbae88501549aa49f98e132f03b2eae11cc7ef78289dc35f2252199fc1

Download Submit
\Users\Admin\AppData\Local\Temp\mogop.exe

Filesize
425KB

MD5
619b512eed797e997187405a6a87efdd

SHA1
9f99c832cbee0a27baa5e635f78447f31a52d187

SHA256
c606852603066ce1617e381b51403481cff329dba4c67a7273527b342566f186

SHA512
c80fdd2ddb67bc457cdd27f2b54ff8177d2c0c921f84efcef65b112984beee0c523aafbbae88501549aa49f98e132f03b2eae11cc7ef78289dc35f2252199fc1

Download Submit
memory/2024-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2024-10-0x00000000026E0000-0x0000000002745000-memory.dmp

Filesize
404KB

Download
memory/2024-21-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2588-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2588-24-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Analysis

Sharing