urelas | 4410d3de681f8c4f4cb4f55fe465384c4d0d5e9403e505d4f7ab78e16e9e991e

General

Target

NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe
Size

289KB
MD5

cbe905ebeb4510ebbeae76aacfac70e0
SHA1

c6e815b74120f8e9aa50d3eb45af24a895e3c6e4
SHA256

4410d3de681f8c4f4cb4f55fe465384c4d0d5e9403e505d4f7ab78e16e9e991e
SHA512

308e219b417b7bdab974830111fd3568a02015f08ac8942b1e96d8ea97acdc70a9176e3438fcba93d3a4beeb029d7199eb2ed1704e6b483cfce44af7ee346ddc
SSDEEP

6144:1VzEZ5YgoSsj/ZQUWvYqDUbsbX6EdK77RXW7VGwrLO8O7Pf:a7oSOWUWvXbX5g7pW7Jg

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.182

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2804	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	sander.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-0-0x0000000000A90000-0x0000000000B2C000-memory.dmp	upx
behavioral1/files/0x0030000000015c4f-4.dat	upx
behavioral1/memory/1308-5-0x00000000023C0000-0x000000000245C000-memory.dmp	upx
behavioral1/memory/2764-10-0x0000000001050000-0x00000000010EC000-memory.dmp	upx
behavioral1/files/0x0030000000015c4f-9.dat	upx
behavioral1/memory/1308-18-0x0000000000A90000-0x0000000000B2C000-memory.dmp	upx
behavioral1/memory/2764-21-0x0000000001050000-0x00000000010EC000-memory.dmp	upx
behavioral1/memory/2764-28-0x0000000001050000-0x00000000010EC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2764	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	28
PID 1308 wrote to memory of 2764	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	28
PID 1308 wrote to memory of 2764	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	28
PID 1308 wrote to memory of 2764	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	28
PID 1308 wrote to memory of 2804	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	30
PID 1308 wrote to memory of 2804	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	30
PID 1308 wrote to memory of 2804	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	30
PID 1308 wrote to memory of 2804	1308	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
e5e2df68e6158600bf30e8444cffaef4

SHA1
f70fb7d2c97bad899d4db34f84b1db260cb88ce5

SHA256
d3e5489f1e1fefa0eb79519d1df6e1adeb16d9832362dbb9a3bae3ed3c6a3271

SHA512
e5063d720663677cf43520db22fcb60d59ac71582b8029e956ffab0995c8c1ad6604cc2eeb1fec077c588559e4a8833fa5d700a9d42d7b516e2fb26587a1982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
e5e2df68e6158600bf30e8444cffaef4

SHA1
f70fb7d2c97bad899d4db34f84b1db260cb88ce5

SHA256
d3e5489f1e1fefa0eb79519d1df6e1adeb16d9832362dbb9a3bae3ed3c6a3271

SHA512
e5063d720663677cf43520db22fcb60d59ac71582b8029e956ffab0995c8c1ad6604cc2eeb1fec077c588559e4a8833fa5d700a9d42d7b516e2fb26587a1982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
478fec1df0aef79beb699928cb2787fa

SHA1
dfff00b9eceaebff908ca9681320d4c770f14814

SHA256
c186c06d9bed7785981b05d4c474afd33a83f9ef0e8f5a558505a44af519ec30

SHA512
9875eb579e6ab7d8595be86eb53bb8aec6b6d09af4f96742aea1dbcf21fda7e1b7bb561ad5bdbc560472d94e76eca975e33d8ca9ae6e30d1261b86dbb511cf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
289KB

MD5
b59c63029e9f71e0bfcd874ce96b6535

SHA1
e546b68a9b045b0d59728ccfdd3cd5b1136003ba

SHA256
69526dc0dfa5a06471d63efdfb64d6a84b65f0a7b692aeae338231a2f53e7620

SHA512
762e76d590a1077052f036b304d8041582e84987c75eacbd88a2595902630778261a283b61e642a4a50445acf19711b0064ca83bc6ad98d929ebb386fafaa1dc

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
289KB

MD5
b59c63029e9f71e0bfcd874ce96b6535

SHA1
e546b68a9b045b0d59728ccfdd3cd5b1136003ba

SHA256
69526dc0dfa5a06471d63efdfb64d6a84b65f0a7b692aeae338231a2f53e7620

SHA512
762e76d590a1077052f036b304d8041582e84987c75eacbd88a2595902630778261a283b61e642a4a50445acf19711b0064ca83bc6ad98d929ebb386fafaa1dc

Download Submit
memory/1308-0-0x0000000000A90000-0x0000000000B2C000-memory.dmp

Filesize
624KB

Download
memory/1308-5-0x00000000023C0000-0x000000000245C000-memory.dmp

Filesize
624KB

Download
memory/1308-18-0x0000000000A90000-0x0000000000B2C000-memory.dmp

Filesize
624KB

Download
memory/2764-10-0x0000000001050000-0x00000000010EC000-memory.dmp

Filesize
624KB

Download
memory/2764-21-0x0000000001050000-0x00000000010EC000-memory.dmp

Filesize
624KB

Download
memory/2764-28-0x0000000001050000-0x00000000010EC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing