urelas | 9b6801fde8bdfa1938b266df59b072edf43282e9adc778d53cf4ba5f0b613f27

General

Target

NEAS.3bc68fbc0eb3a75536dd679611f68110.exe
Size

363KB
MD5

3bc68fbc0eb3a75536dd679611f68110
SHA1

f038e4bc78b72236e4ce88ba7f58576a5280fb99
SHA256

9b6801fde8bdfa1938b266df59b072edf43282e9adc778d53cf4ba5f0b613f27
SHA512

91183aa3da47d988ad12968569fe01bd10a5261d6778bb912c9eefbfeefe1881ab2cb68abc22591103aaafa93d3030ab49d94d2e4029746afe5c9db5625d2d57
SSDEEP

6144:1o3whi+1Py3V0a24kOn+Sr72iyjmhuKtUYiw52hVOcvBRMHkWYHpY:YKf1PyKa2anKjm3OYZ2hocvHK

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	kiduy.exe
2956	zudef.exe

Loads dropped DLL 2 IoCs

pid	Process
1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe
1212	kiduy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe
2956	zudef.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1212	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	27
PID 1208 wrote to memory of 1212	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	27
PID 1208 wrote to memory of 1212	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	27
PID 1208 wrote to memory of 1212	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	27
PID 1208 wrote to memory of 2816	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	28
PID 1208 wrote to memory of 2816	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	28
PID 1208 wrote to memory of 2816	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	28
PID 1208 wrote to memory of 2816	1208	NEAS.3bc68fbc0eb3a75536dd679611f68110.exe	28
PID 1212 wrote to memory of 2956	1212	kiduy.exe	32
PID 1212 wrote to memory of 2956	1212	kiduy.exe	32
PID 1212 wrote to memory of 2956	1212	kiduy.exe	32
PID 1212 wrote to memory of 2956	1212	kiduy.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.3bc68fbc0eb3a75536dd679611f68110.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3bc68fbc0eb3a75536dd679611f68110.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\kiduy.exe
  "C:\Users\Admin\AppData\Local\Temp\kiduy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\zudef.exe
    "C:\Users\Admin\AppData\Local\Temp\zudef.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
6ebe41d2effa2847a2910ea11d6ff4dd

SHA1
35b6faafd45c4aba43db7fcb6d5a2ad5535e1f76

SHA256
6ae94f4be50e30fcb0d9e135fc51d0ab16acda145db75d78638357227a527b34

SHA512
ce8dd02092d508e2b78d0b79ea654e96eb9540c8748225b5bf0f2fb9c47ac6d560d651737f593e1d028016414427387118705ef19c7ea1d8138600178c1504f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
6ebe41d2effa2847a2910ea11d6ff4dd

SHA1
35b6faafd45c4aba43db7fcb6d5a2ad5535e1f76

SHA256
6ae94f4be50e30fcb0d9e135fc51d0ab16acda145db75d78638357227a527b34

SHA512
ce8dd02092d508e2b78d0b79ea654e96eb9540c8748225b5bf0f2fb9c47ac6d560d651737f593e1d028016414427387118705ef19c7ea1d8138600178c1504f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0638b0f9ba8c227ccbc2f2a4fbc5ee8b

SHA1
b6c8d400985e4ea48f08d81533e3e1cb12a65278

SHA256
be748dc81cf1657260323cf7f84503a385bd0e79dad3e9c3b4fafb8752ee568d

SHA512
ffe4f5deb6e0162721347e6862665891ce94df85d0c18ed669c0eed4a595050e1514e4e39c6c5204e5659c46034217c693b2319f181c1180020bff9919748b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiduy.exe

Filesize
363KB

MD5
3f83db08530e6b50cbac3846d5257f0f

SHA1
c73cd730ce3053cf90fb62c0d46d6345c4ce8735

SHA256
ff3b5d9edd90da60bf333d43d21c501ff2145c603297d955182d044ed5d02da5

SHA512
d92119f7b1cd605dc0b93d06125ef20ff16e2397ab13cf6040e0343c6d283597191ef80a8687f68c249c7772f75483410c8a9e15910a9cfb5591c9a806722d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kiduy.exe

Filesize
363KB

MD5
3f83db08530e6b50cbac3846d5257f0f

SHA1
c73cd730ce3053cf90fb62c0d46d6345c4ce8735

SHA256
ff3b5d9edd90da60bf333d43d21c501ff2145c603297d955182d044ed5d02da5

SHA512
d92119f7b1cd605dc0b93d06125ef20ff16e2397ab13cf6040e0343c6d283597191ef80a8687f68c249c7772f75483410c8a9e15910a9cfb5591c9a806722d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zudef.exe

Filesize
208KB

MD5
76764ac68ffcdac8c39b38d1690e0d66

SHA1
16b11e027b097d95b1933809c420e908514af7e1

SHA256
6bfa07bab2761c272b6ed2337974a9699ea1423831e980881979930ff30becd4

SHA512
986c55c5e8fe3e020e104b697988b88c160aa3d14ebb3a335ffe25f6f85fb6b84cfae587bcefed9e2df8f05750e515a19a6aeda8e5733a9b5a2bb04bf45687e2

Download Submit
\Users\Admin\AppData\Local\Temp\kiduy.exe

Filesize
363KB

MD5
3f83db08530e6b50cbac3846d5257f0f

SHA1
c73cd730ce3053cf90fb62c0d46d6345c4ce8735

SHA256
ff3b5d9edd90da60bf333d43d21c501ff2145c603297d955182d044ed5d02da5

SHA512
d92119f7b1cd605dc0b93d06125ef20ff16e2397ab13cf6040e0343c6d283597191ef80a8687f68c249c7772f75483410c8a9e15910a9cfb5591c9a806722d7c

Download Submit
\Users\Admin\AppData\Local\Temp\zudef.exe

Filesize
208KB

MD5
76764ac68ffcdac8c39b38d1690e0d66

SHA1
16b11e027b097d95b1933809c420e908514af7e1

SHA256
6bfa07bab2761c272b6ed2337974a9699ea1423831e980881979930ff30becd4

SHA512
986c55c5e8fe3e020e104b697988b88c160aa3d14ebb3a335ffe25f6f85fb6b84cfae587bcefed9e2df8f05750e515a19a6aeda8e5733a9b5a2bb04bf45687e2

Download Submit
memory/1208-20-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/1208-10-0x0000000002570000-0x00000000025D2000-memory.dmp

Filesize
392KB

Download
memory/1208-1-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/1208-0-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/1208-4-0x0000000000B50000-0x0000000000BB2000-memory.dmp

Filesize
392KB

Download
memory/1212-29-0x00000000039A0000-0x0000000003A53000-memory.dmp

Filesize
716KB

Download
memory/1212-32-0x00000000011A0000-0x0000000001202000-memory.dmp

Filesize
392KB

Download
memory/1212-18-0x00000000011A0000-0x0000000001202000-memory.dmp

Filesize
392KB

Download
memory/1212-23-0x00000000011A0000-0x0000000001202000-memory.dmp

Filesize
392KB

Download
memory/2956-31-0x0000000000860000-0x0000000000913000-memory.dmp

Filesize
716KB

Download
memory/2956-33-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2956-35-0x0000000000860000-0x0000000000913000-memory.dmp

Filesize
716KB

Download
memory/2956-36-0x0000000000860000-0x0000000000913000-memory.dmp

Filesize
716KB

Download
memory/2956-37-0x0000000000860000-0x0000000000913000-memory.dmp

Filesize
716KB

Download
memory/2956-38-0x0000000000860000-0x0000000000913000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing