urelas | 91d9bb403c6ce7eece8eaf345dca0e1baf5bf4591e6b426ba3d921fcb177405c

General

Target

NEAS.c0b531f0de9f7e8305b537535f9f0620.exe
Size

200KB
MD5

c0b531f0de9f7e8305b537535f9f0620
SHA1

63bb2cd5430eb483f7878378e8f9607f678a20a2
SHA256

91d9bb403c6ce7eece8eaf345dca0e1baf5bf4591e6b426ba3d921fcb177405c
SHA512

86a67320786bb7fab27d0c4cf8ce3824e571f8588fde2c8fc373cae20fd68f1e986a89abbb352857501959688cc3680308d3b07725a3812902900fdb93742fff
SSDEEP

1536:Ti+N6u0utYGsoK2mEGIBp+WWN7YfEj77iZ76vVGU2AjZ1g9B5McLaRQLd764cGPP:eYYutRQSc/7c6tJZm9B5MuaRQLd7643H

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1200	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x0000000001300000-0x0000000001333000-memory.dmp	upx
behavioral1/memory/2308-3-0x0000000001300000-0x0000000001333000-memory.dmp	upx
behavioral1/files/0x000a000000012268-5.dat	upx
behavioral1/files/0x000a000000012268-10.dat	upx
behavioral1/memory/2308-9-0x0000000000E40000-0x0000000000E73000-memory.dmp	upx
behavioral1/memory/1200-12-0x0000000000E40000-0x0000000000E73000-memory.dmp	upx
behavioral1/memory/2308-19-0x0000000001300000-0x0000000001333000-memory.dmp	upx
behavioral1/memory/1200-22-0x0000000000E40000-0x0000000000E73000-memory.dmp	upx
behavioral1/memory/1200-23-0x0000000000E40000-0x0000000000E73000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 1200	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	26
PID 2308 wrote to memory of 2596	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	27
PID 2308 wrote to memory of 2596	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	27
PID 2308 wrote to memory of 2596	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	27
PID 2308 wrote to memory of 2596	2308	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	27

C:\Users\Admin\AppData\Local\Temp\NEAS.c0b531f0de9f7e8305b537535f9f0620.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c0b531f0de9f7e8305b537535f9f0620.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55d2fdd1432483e3ba86ebeccfe130b6

SHA1
7280b14d708800fd15303b2caa8628a0fbd7aa08

SHA256
5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb

SHA512
36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
200KB

MD5
0f678200efcdb44af7d221a12d78d29b

SHA1
2f136802a471ac57d30600703b85d79b1d94c8e1

SHA256
404680fc93fd66d05ee0d383c24663725d3cc7bb90810e9fc3a851b1f070a10f

SHA512
49d1ea32e1427676991a6512eb294324b91f343ee5c4a057220bb7e9f210b256e8c92527d2bbaabcf3919edb8df720222842cac674dede61f231e5e2a0a7372c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
f5a61de5ee53ebfca2fc9d1623139f34

SHA1
9be2fde4755926cc9069abc3564cb504184e3c9e

SHA256
bd4fd831110fd056d68d76900ec8562fd697d4190dd9c807f5bf51ffdb1842ff

SHA512
c6b5dcb543aeb56ddacfbeb6bbe8d7c411f672b8cc4e282627f7ce969518ae8e41a1a2d2afe01bf0066d41faa37bb348bc7f3e9166ab17d5d65f654488c347aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
f5a61de5ee53ebfca2fc9d1623139f34

SHA1
9be2fde4755926cc9069abc3564cb504184e3c9e

SHA256
bd4fd831110fd056d68d76900ec8562fd697d4190dd9c807f5bf51ffdb1842ff

SHA512
c6b5dcb543aeb56ddacfbeb6bbe8d7c411f672b8cc4e282627f7ce969518ae8e41a1a2d2afe01bf0066d41faa37bb348bc7f3e9166ab17d5d65f654488c347aa

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
200KB

MD5
0f678200efcdb44af7d221a12d78d29b

SHA1
2f136802a471ac57d30600703b85d79b1d94c8e1

SHA256
404680fc93fd66d05ee0d383c24663725d3cc7bb90810e9fc3a851b1f070a10f

SHA512
49d1ea32e1427676991a6512eb294324b91f343ee5c4a057220bb7e9f210b256e8c92527d2bbaabcf3919edb8df720222842cac674dede61f231e5e2a0a7372c

Download Submit
memory/1200-12-0x0000000000E40000-0x0000000000E73000-memory.dmp

Filesize
204KB

Download
memory/1200-22-0x0000000000E40000-0x0000000000E73000-memory.dmp

Filesize
204KB

Download
memory/1200-23-0x0000000000E40000-0x0000000000E73000-memory.dmp

Filesize
204KB

Download
memory/2308-0-0x0000000001300000-0x0000000001333000-memory.dmp

Filesize
204KB

Download
memory/2308-3-0x0000000001300000-0x0000000001333000-memory.dmp

Filesize
204KB

Download
memory/2308-9-0x0000000000E40000-0x0000000000E73000-memory.dmp

Filesize
204KB

Download
memory/2308-19-0x0000000001300000-0x0000000001333000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing