urelas | 2cd4a2228255be8ca927503ca7cb65eaef592eba2738742e889291dfde872d62

Analysis

max time kernel
154s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
Size

331KB
MD5

8fbfc597ee04d6b9472abe360d5827f0
SHA1

eda2059dbd659cba40089d552a031737e25b1408
SHA256

2cd4a2228255be8ca927503ca7cb65eaef592eba2738742e889291dfde872d62
SHA512

b84ea699d581e610457edf746e82da2557726466d5721ee1fe99fff5114c0aec6fb05541cd86552b5a3f9cdb9da295db8552fa0f435d7f788f7aad90f93e6850
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspdZ:GL1D+IatauBML42MykRak

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2600	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1576	guefu.exe
2644	joxihi.exe
524	efkot.exe

Loads dropped DLL 3 IoCs

pid	Process
1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
1576	guefu.exe
2644	joxihi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe
524	efkot.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1576	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	28
PID 1376 wrote to memory of 1576	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	28
PID 1376 wrote to memory of 1576	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	28
PID 1376 wrote to memory of 1576	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	28
PID 1376 wrote to memory of 2600	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	29
PID 1376 wrote to memory of 2600	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	29
PID 1376 wrote to memory of 2600	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	29
PID 1376 wrote to memory of 2600	1376	NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe	29
PID 1576 wrote to memory of 2644	1576	guefu.exe	31
PID 1576 wrote to memory of 2644	1576	guefu.exe	31
PID 1576 wrote to memory of 2644	1576	guefu.exe	31
PID 1576 wrote to memory of 2644	1576	guefu.exe	31
PID 2644 wrote to memory of 524	2644	joxihi.exe	34
PID 2644 wrote to memory of 524	2644	joxihi.exe	34
PID 2644 wrote to memory of 524	2644	joxihi.exe	34
PID 2644 wrote to memory of 524	2644	joxihi.exe	34
PID 2644 wrote to memory of 572	2644	joxihi.exe	35
PID 2644 wrote to memory of 572	2644	joxihi.exe	35
PID 2644 wrote to memory of 572	2644	joxihi.exe	35
PID 2644 wrote to memory of 572	2644	joxihi.exe	35

C:\Users\Admin\AppData\Local\Temp\NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.8fbfc597ee04d6b9472abe360d5827f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\guefu.exe
  "C:\Users\Admin\AppData\Local\Temp\guefu.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\joxihi.exe
    "C:\Users\Admin\AppData\Local\Temp\joxihi.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\efkot.exe
      "C:\Users\Admin\AppData\Local\Temp\efkot.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4ce20686fa916c05930d6f695f969da1

SHA1
9ff6948308c27db6d8f43e9c92d7e5d4cf320ac6

SHA256
afb25f3968695fa0deb0c5223dd104f7220b794c07846c4aeddae4afb54f7fd5

SHA512
55ca75e7c0258b58aab31ee30bfd91056203dedf01088f243b926990096c571d1f13656ec51d528c9031dab630dee14ee3b2ed3915e5438b4cc5fd6a5ece9a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4ce20686fa916c05930d6f695f969da1

SHA1
9ff6948308c27db6d8f43e9c92d7e5d4cf320ac6

SHA256
afb25f3968695fa0deb0c5223dd104f7220b794c07846c4aeddae4afb54f7fd5

SHA512
55ca75e7c0258b58aab31ee30bfd91056203dedf01088f243b926990096c571d1f13656ec51d528c9031dab630dee14ee3b2ed3915e5438b4cc5fd6a5ece9a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
448f457f897a2f9e1d5de34c36d99b15

SHA1
69e1cbca2104f95c68aaa776400554af4815982f

SHA256
d8cb895dc81c3ab0235a942df6af7eb9fa2a378ebb616a42e9a090ee0b6eb232

SHA512
786ad7fa9ae972c76129a63383d34ba5f1cf6fb32481a397edf2bb9424d4f0e4b85b99a9be82475de66b7bd2f9b59e085aae8d2b0dd461620ba3984eb0721b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
448f457f897a2f9e1d5de34c36d99b15

SHA1
69e1cbca2104f95c68aaa776400554af4815982f

SHA256
d8cb895dc81c3ab0235a942df6af7eb9fa2a378ebb616a42e9a090ee0b6eb232

SHA512
786ad7fa9ae972c76129a63383d34ba5f1cf6fb32481a397edf2bb9424d4f0e4b85b99a9be82475de66b7bd2f9b59e085aae8d2b0dd461620ba3984eb0721b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\efkot.exe

Filesize
223KB

MD5
d3185c2d6e6e57e1a8922349bc6ffd51

SHA1
8cf600939cf82fdc88a9d687b9e699b5f553cf36

SHA256
61989b483718c7c80011bc0e77afce077ddb685580a900d2afae65dad7bc3151

SHA512
a681af02edea521c9533a40bdd12074d977f82ba89471ed4735b9de7ebce344fc1c16739c367b74b7f659b7b0bcf36b553e9f32266dbc4811b13735c7bf1a45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
872aba10d9f4664604f01c80beba5c4a

SHA1
8961d05a1d37c0c1f2daaa8a421e4a5be7037c50

SHA256
255fb94ebdaca9184a4965af4e6308f7914cf860c4311bd2bdea2affb664a0c3

SHA512
0fd13054df809a89d2d9bb3ec48df8bd7c33ef60f47f4861dbb41c694f97eebb4ab7cd76fa9c1847dc02047922fd325eda8cccbf4e4e6675972170e78267eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\guefu.exe

Filesize
331KB

MD5
0bb68f7aae077929b1d686a5bf4bde02

SHA1
fe7c135d51b74e5ebae212cca265a99024c8a31d

SHA256
edfc07d129166005ca70a97542214f4ab7e3c7f8bc8cd749f74b5eeef1b3d80b

SHA512
ab6ac8a8845595b060c76463610d2d9f8730ba6afc389a8af1279918354a4ff533c6c22f1e88613daeb4cf944c7258fa08d43d1b7576c2a9e8e6f6a1f9772191

Download Submit
C:\Users\Admin\AppData\Local\Temp\guefu.exe

Filesize
331KB

MD5
0bb68f7aae077929b1d686a5bf4bde02

SHA1
fe7c135d51b74e5ebae212cca265a99024c8a31d

SHA256
edfc07d129166005ca70a97542214f4ab7e3c7f8bc8cd749f74b5eeef1b3d80b

SHA512
ab6ac8a8845595b060c76463610d2d9f8730ba6afc389a8af1279918354a4ff533c6c22f1e88613daeb4cf944c7258fa08d43d1b7576c2a9e8e6f6a1f9772191

Download Submit
C:\Users\Admin\AppData\Local\Temp\joxihi.exe

Filesize
331KB

MD5
e737ca0cef5d6fb315ea53b8afd71f2b

SHA1
e9277919e55cc1c0c1a227bd781d4ca57f7fd161

SHA256
bf78d87dc5ab7eafcb25840f63069bcac21da2d61103ace291191b5efbc308ba

SHA512
71cc75300fad8acae6c70f68adef3d2c530e4e0248b362dc24877805145f06043fbe44da24834dfa7ee7db86f50e4b6853a68ee4c45aef816ecc72d2195f03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\joxihi.exe

Filesize
331KB

MD5
e737ca0cef5d6fb315ea53b8afd71f2b

SHA1
e9277919e55cc1c0c1a227bd781d4ca57f7fd161

SHA256
bf78d87dc5ab7eafcb25840f63069bcac21da2d61103ace291191b5efbc308ba

SHA512
71cc75300fad8acae6c70f68adef3d2c530e4e0248b362dc24877805145f06043fbe44da24834dfa7ee7db86f50e4b6853a68ee4c45aef816ecc72d2195f03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\joxihi.exe

Filesize
331KB

MD5
e737ca0cef5d6fb315ea53b8afd71f2b

SHA1
e9277919e55cc1c0c1a227bd781d4ca57f7fd161

SHA256
bf78d87dc5ab7eafcb25840f63069bcac21da2d61103ace291191b5efbc308ba

SHA512
71cc75300fad8acae6c70f68adef3d2c530e4e0248b362dc24877805145f06043fbe44da24834dfa7ee7db86f50e4b6853a68ee4c45aef816ecc72d2195f03d2

Download Submit
\Users\Admin\AppData\Local\Temp\efkot.exe

Filesize
223KB

MD5
d3185c2d6e6e57e1a8922349bc6ffd51

SHA1
8cf600939cf82fdc88a9d687b9e699b5f553cf36

SHA256
61989b483718c7c80011bc0e77afce077ddb685580a900d2afae65dad7bc3151

SHA512
a681af02edea521c9533a40bdd12074d977f82ba89471ed4735b9de7ebce344fc1c16739c367b74b7f659b7b0bcf36b553e9f32266dbc4811b13735c7bf1a45c

Download Submit
\Users\Admin\AppData\Local\Temp\guefu.exe

Filesize
331KB

MD5
0bb68f7aae077929b1d686a5bf4bde02

SHA1
fe7c135d51b74e5ebae212cca265a99024c8a31d

SHA256
edfc07d129166005ca70a97542214f4ab7e3c7f8bc8cd749f74b5eeef1b3d80b

SHA512
ab6ac8a8845595b060c76463610d2d9f8730ba6afc389a8af1279918354a4ff533c6c22f1e88613daeb4cf944c7258fa08d43d1b7576c2a9e8e6f6a1f9772191

Download Submit
\Users\Admin\AppData\Local\Temp\joxihi.exe

Filesize
331KB

MD5
e737ca0cef5d6fb315ea53b8afd71f2b

SHA1
e9277919e55cc1c0c1a227bd781d4ca57f7fd161

SHA256
bf78d87dc5ab7eafcb25840f63069bcac21da2d61103ace291191b5efbc308ba

SHA512
71cc75300fad8acae6c70f68adef3d2c530e4e0248b362dc24877805145f06043fbe44da24834dfa7ee7db86f50e4b6853a68ee4c45aef816ecc72d2195f03d2

Download Submit
memory/524-65-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/524-61-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/524-63-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/524-58-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/524-64-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/524-57-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/524-62-0x0000000000DF0000-0x0000000000E90000-memory.dmp

Filesize
640KB

Download
memory/1376-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1376-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1376-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1376-9-0x0000000002840000-0x00000000028AE000-memory.dmp

Filesize
440KB

Download
memory/1576-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1576-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1576-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2644-54-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2644-56-0x00000000032B0000-0x0000000003350000-memory.dmp

Filesize
640KB

Download
memory/2644-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download