urelas | f6c8a2b59adf369b7096bbffb617c22e767ac6f6d9ba40966ed346e59d6a84a3

General

Target

NEAS.e32ef0e287e6b5e284b882356a849220.exe
Size

344KB
MD5

e32ef0e287e6b5e284b882356a849220
SHA1

249ecaba9a2302d5b41fb7dbdcfa845fe06a8d7b
SHA256

f6c8a2b59adf369b7096bbffb617c22e767ac6f6d9ba40966ed346e59d6a84a3
SHA512

bbaa666ef50a94c325a11fcb08ed3f4c5007886274347ec0d9e168115561abfd6bef0399b282ecfadf49eb83ae14d3906b9668dfd901653472c20e1b82e06204
SSDEEP

6144:SaVKyyzwbnUkoiqwcAR92o29tZTEr6UTdO5CksxCDy9pPbzBHU2ytlu8:g7yUTihRQhE9ONs46pP3BHUbtT

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2412	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2252	muyzz.exe
2632	guewh.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe
2252	muyzz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe
2632	guewh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2252	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	28
PID 1736 wrote to memory of 2252	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	28
PID 1736 wrote to memory of 2252	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	28
PID 1736 wrote to memory of 2252	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	28
PID 1736 wrote to memory of 2412	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	30
PID 1736 wrote to memory of 2412	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	30
PID 1736 wrote to memory of 2412	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	30
PID 1736 wrote to memory of 2412	1736	NEAS.e32ef0e287e6b5e284b882356a849220.exe	30
PID 2252 wrote to memory of 2632	2252	muyzz.exe	33
PID 2252 wrote to memory of 2632	2252	muyzz.exe	33
PID 2252 wrote to memory of 2632	2252	muyzz.exe	33
PID 2252 wrote to memory of 2632	2252	muyzz.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.e32ef0e287e6b5e284b882356a849220.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e32ef0e287e6b5e284b882356a849220.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\muyzz.exe
  "C:\Users\Admin\AppData\Local\Temp\muyzz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Users\Admin\AppData\Local\Temp\guewh.exe
    "C:\Users\Admin\AppData\Local\Temp\guewh.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
217c2cdd7203c235aef2433dd21c8d78

SHA1
daddc6bf0a3c11b91df59a634e5b319074960118

SHA256
de70a281264a8355daadcd0d271be717d99bb8b676794f94f18e4365a4715498

SHA512
f8f490e2127986108291b4e930e095991fca35d20ee8ab64d6851b94fbf2bc6c5e93f642f0063d1ee424f26199673f477ba3c2f28e1540b327ea108ecd27d014

Download Submit
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
217c2cdd7203c235aef2433dd21c8d78

SHA1
daddc6bf0a3c11b91df59a634e5b319074960118

SHA256
de70a281264a8355daadcd0d271be717d99bb8b676794f94f18e4365a4715498

SHA512
f8f490e2127986108291b4e930e095991fca35d20ee8ab64d6851b94fbf2bc6c5e93f642f0063d1ee424f26199673f477ba3c2f28e1540b327ea108ecd27d014

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e319c438d04ecd124736d58928c5fe5e

SHA1
d3ff01fc01610a20738a76c2950a344bf9ca323c

SHA256
cb76fd2b2c14a6748e72820fd05434d234922b90796404db6a9cc745549a61ba

SHA512
da879e8c5428c0e1361ef6f8d017b0e701e59eca003865005b2beac4181f3b106e963bc6afc2fddd735864341c9d296245bea59100241d485328db3aebc029b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\guewh.exe

Filesize
244KB

MD5
b5bf0f91754ac21bf77f6039ae3930ef

SHA1
a68ccc0c8171db1d8534b42d1e72a37bbd849ed2

SHA256
8fd18c0fc4f23a83a812c87c484368451d337215165c770ae62973cdf42a02bc

SHA512
d060ea63428a46cbd4b9986b41b84d158e62ce89e9e8473f18a1fb28e145f99bed8f81206077e52f15e042bf6df439e142a547039781df71a650f9469081de1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\muyzz.exe

Filesize
345KB

MD5
a0ca95d054c22afbb0fdbb962a5d67d9

SHA1
fb144920d1ced6bb31be479e2593ce4f6cc356eb

SHA256
f7a7f40b33be26cf2584ccf563e1231078f844f1179fc2b927e063246355747d

SHA512
827e7da037f064d946e8165f9002d752d9094d33b6bb6c779352040b64f6a7913bd9f62377e26552970b0a835f2edd577beed0310e6fdaa43c9849213e0ed1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\muyzz.exe

Filesize
345KB

MD5
a0ca95d054c22afbb0fdbb962a5d67d9

SHA1
fb144920d1ced6bb31be479e2593ce4f6cc356eb

SHA256
f7a7f40b33be26cf2584ccf563e1231078f844f1179fc2b927e063246355747d

SHA512
827e7da037f064d946e8165f9002d752d9094d33b6bb6c779352040b64f6a7913bd9f62377e26552970b0a835f2edd577beed0310e6fdaa43c9849213e0ed1c8

Download Submit
\Users\Admin\AppData\Local\Temp\guewh.exe

Filesize
244KB

MD5
b5bf0f91754ac21bf77f6039ae3930ef

SHA1
a68ccc0c8171db1d8534b42d1e72a37bbd849ed2

SHA256
8fd18c0fc4f23a83a812c87c484368451d337215165c770ae62973cdf42a02bc

SHA512
d060ea63428a46cbd4b9986b41b84d158e62ce89e9e8473f18a1fb28e145f99bed8f81206077e52f15e042bf6df439e142a547039781df71a650f9469081de1d

Download Submit
\Users\Admin\AppData\Local\Temp\muyzz.exe

Filesize
345KB

MD5
a0ca95d054c22afbb0fdbb962a5d67d9

SHA1
fb144920d1ced6bb31be479e2593ce4f6cc356eb

SHA256
f7a7f40b33be26cf2584ccf563e1231078f844f1179fc2b927e063246355747d

SHA512
827e7da037f064d946e8165f9002d752d9094d33b6bb6c779352040b64f6a7913bd9f62377e26552970b0a835f2edd577beed0310e6fdaa43c9849213e0ed1c8

Download Submit
memory/1736-8-0x0000000001020000-0x00000000010E1000-memory.dmp

Filesize
772KB

Download
memory/1736-21-0x0000000001020000-0x00000000010E1000-memory.dmp

Filesize
772KB

Download
memory/1736-0-0x0000000001150000-0x0000000001211000-memory.dmp

Filesize
772KB

Download
memory/1736-17-0x0000000001150000-0x0000000001211000-memory.dmp

Filesize
772KB

Download
memory/2252-22-0x0000000000D00000-0x0000000000DC1000-memory.dmp

Filesize
772KB

Download
memory/2252-36-0x0000000000D00000-0x0000000000DC1000-memory.dmp

Filesize
772KB

Download
memory/2252-18-0x0000000000D00000-0x0000000000DC1000-memory.dmp

Filesize
772KB

Download
memory/2632-38-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download
memory/2632-40-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download
memory/2632-41-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download
memory/2632-42-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download
memory/2632-43-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download
memory/2632-44-0x0000000001080000-0x000000000113A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing