urelas | 255545ed1bd0d5209873370cc88901ad114fe8ce04fc3250bfb145153c562ac4

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa387482fde8b6558331be3e65e21d30_exe32.exe
Size

340KB
MD5

aa387482fde8b6558331be3e65e21d30
SHA1

3ea1348a718b0486f56e70a961e87ed9fddf2ec6
SHA256

255545ed1bd0d5209873370cc88901ad114fe8ce04fc3250bfb145153c562ac4
SHA512

ed00ef26f5d786ee76c479ae757c8eb6781af9e1586d2c68e52dedc4acfb69409f9d8b39d6dc3ea38f06d1383ea0f43ff35aa67681f1d43f116d5e77217b9ca7
SSDEEP

6144:DX+psoWJ+IvLI7BziS3qoJGd2GexPZmxMcVp0Xps:ymoWkI094og2GgPZkiu

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2580	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	qavoq.exe

Loads dropped DLL 1 IoCs

pid	Process
1076	aa387482fde8b6558331be3e65e21d30_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1956	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	28
PID 1076 wrote to memory of 1956	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	28
PID 1076 wrote to memory of 1956	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	28
PID 1076 wrote to memory of 1956	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	28
PID 1076 wrote to memory of 2580	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	30
PID 1076 wrote to memory of 2580	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	30
PID 1076 wrote to memory of 2580	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	30
PID 1076 wrote to memory of 2580	1076	aa387482fde8b6558331be3e65e21d30_exe32.exe	30

C:\Users\Admin\AppData\Local\Temp\aa387482fde8b6558331be3e65e21d30_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\aa387482fde8b6558331be3e65e21d30_exe32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\qavoq.exe
  "C:\Users\Admin\AppData\Local\Temp\qavoq.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
288B

MD5
444d2d50e005c2993eae56608f486a27

SHA1
39275fc9963ea604495179fa88cdcd0ae853979a

SHA256
8ad22721e12c8330dfa8e1e6455ed8da11b13f2517fe285d1f2f8837672ca989

SHA512
caeace56f25e5ddae5f3239bdc6b7a0dd958ffe803b7f800a03ca711b9e835e03442b1a81a886ee99db4f1e854b19548bbf105146c3925cb7419f8a606369402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
288B

MD5
444d2d50e005c2993eae56608f486a27

SHA1
39275fc9963ea604495179fa88cdcd0ae853979a

SHA256
8ad22721e12c8330dfa8e1e6455ed8da11b13f2517fe285d1f2f8837672ca989

SHA512
caeace56f25e5ddae5f3239bdc6b7a0dd958ffe803b7f800a03ca711b9e835e03442b1a81a886ee99db4f1e854b19548bbf105146c3925cb7419f8a606369402

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9f6234af5012a781333995b1fd1caf95

SHA1
bd31099106069c74c761fb4cdd01445e80b45ab3

SHA256
9cb73c0a3a777bae8c11d1396099dbca34db8c4f7702efc3960c44ad296cdb9a

SHA512
91363d3a779f1bc49209f4c99a92740f3290117dee2dc2aeae39ac41183e1f60b8833d65c705c71b68c03cea2ac8f803d7637f573041d260e189839f7859f0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qavoq.exe

Filesize
340KB

MD5
34a7321b9c186e1cef71f723254774eb

SHA1
ea2212bb18cabe067c804931081e979f73d21c89

SHA256
409b2e3a3132ce68d44ba063c09e0f7e7ef2069822c5489b5c8d951dea41a7f2

SHA512
16e2913c29b13daf15f6c75fcb87447ebf8d69571515231edbc6173a752c2b195db986cdebc2959dd6a68d6b83e7d8c56534f6ca83f3a06da38752b6eb3c2daa

Download Submit
\Users\Admin\AppData\Local\Temp\qavoq.exe

Filesize
340KB

MD5
34a7321b9c186e1cef71f723254774eb

SHA1
ea2212bb18cabe067c804931081e979f73d21c89

SHA256
409b2e3a3132ce68d44ba063c09e0f7e7ef2069822c5489b5c8d951dea41a7f2

SHA512
16e2913c29b13daf15f6c75fcb87447ebf8d69571515231edbc6173a752c2b195db986cdebc2959dd6a68d6b83e7d8c56534f6ca83f3a06da38752b6eb3c2daa

Download Submit
memory/1076-0-0x0000000001050000-0x000000000111C000-memory.dmp

Filesize
816KB

Download
memory/1076-8-0x0000000002AD0000-0x0000000002B9C000-memory.dmp

Filesize
816KB

Download
memory/1076-18-0x0000000001050000-0x000000000111C000-memory.dmp

Filesize
816KB

Download
memory/1956-16-0x00000000008C0000-0x000000000098C000-memory.dmp

Filesize
816KB

Download
memory/1956-21-0x00000000008C0000-0x000000000098C000-memory.dmp

Filesize
816KB

Download