urelas | 9bac1b8a97d97578004a183f906e8538eeac645b67639e2adeb177e0fb37524b

General

Target

NEAS.f6355edcf70f465da76a85e411a4a110.exe
Size

470KB
MD5

f6355edcf70f465da76a85e411a4a110
SHA1

d0bccd6ada6e2f85a7e20599c793d8d86e272cb0
SHA256

9bac1b8a97d97578004a183f906e8538eeac645b67639e2adeb177e0fb37524b
SHA512

f715888c11d6848e2e95c3d2c8db8a14aaa4535d8dae98f73378bf702dffc954680712d13462cc5a1c5a3006c528047018f2460a303a4ec284f9258bcb3f5912
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UJ:m6tQCG0UUPzEkTn4AC1+i

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2820	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2360	ypozm.exe
2640	jeevl.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe
2360	ypozm.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0004000000004ed7-23.dat	upx
behavioral1/memory/2360-25-0x0000000003810000-0x00000000038AF000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-27.dat	upx
behavioral1/memory/2640-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2640-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe
2640	jeevl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2360	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	28
PID 2220 wrote to memory of 2360	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	28
PID 2220 wrote to memory of 2360	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	28
PID 2220 wrote to memory of 2360	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	28
PID 2220 wrote to memory of 2820	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	29
PID 2220 wrote to memory of 2820	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	29
PID 2220 wrote to memory of 2820	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	29
PID 2220 wrote to memory of 2820	2220	NEAS.f6355edcf70f465da76a85e411a4a110.exe	29
PID 2360 wrote to memory of 2640	2360	ypozm.exe	33
PID 2360 wrote to memory of 2640	2360	ypozm.exe	33
PID 2360 wrote to memory of 2640	2360	ypozm.exe	33
PID 2360 wrote to memory of 2640	2360	ypozm.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.f6355edcf70f465da76a85e411a4a110.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f6355edcf70f465da76a85e411a4a110.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\ypozm.exe
  "C:\Users\Admin\AppData\Local\Temp\ypozm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Local\Temp\jeevl.exe
    "C:\Users\Admin\AppData\Local\Temp\jeevl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
286B

MD5
34f93d0371d10556e8384021a1b0cc11

SHA1
4ede610b82813c9a71a539533493cc6ee0e09ce0

SHA256
1d906f302700f6efddc41a371da15d58ff8dfe912376a00674b739501728ad46

SHA512
ff7e3b98384dbfd2b64d9e8f64378c88efaa83da2919992a0c45cf0c02d4f01a7614bb5010b4b836b33ff27359f655dfc2dc3c21e742e7910dd147adb144001a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
286B

MD5
34f93d0371d10556e8384021a1b0cc11

SHA1
4ede610b82813c9a71a539533493cc6ee0e09ce0

SHA256
1d906f302700f6efddc41a371da15d58ff8dfe912376a00674b739501728ad46

SHA512
ff7e3b98384dbfd2b64d9e8f64378c88efaa83da2919992a0c45cf0c02d4f01a7614bb5010b4b836b33ff27359f655dfc2dc3c21e742e7910dd147adb144001a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8607611f551d02533fab34c43ef485a2

SHA1
06337354fc2ba4b09abd595e19fd8cf7938be017

SHA256
4725ebdd1b42d003826836f1fe8327751d41d619a51ff089aff50571853c25ce

SHA512
07a3ef12c0b3672afcd853f628309367b51c5f19042eccb2b8f2ec07d56edfa48a76d0b6e95fadbfde4021b4cd370c7b1fa5459e558450a9fd065fa1987b519e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeevl.exe

Filesize
198KB

MD5
cc99c204cb13db60a2fa15d87f5ce0c6

SHA1
4d7a8084213593cc39ef0bfdfa14211d01085738

SHA256
2edf45f07786828a32506af7f2f832e20794537c134c0412a9ec6e8274bb395e

SHA512
8524a0c2874646095b32e3fff7a028dd6bf8ac1218b5416ad682625bc3b32536e9505d4a0734bb04828c85cd7b799f37eb6ec5353f4b7be434a5c016b71f88e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypozm.exe

Filesize
470KB

MD5
827407f52bce1dd0902c13fb591a3d1d

SHA1
1f1cd34e77f67277fa09bd1d8b5dd2ba324c89d1

SHA256
a127fda3ef97da62fb9430ff7a5e77bfd1b2e51e71f25203274ea3a2494393fb

SHA512
b49752e915ba2a938cbde50ea62a35c0641cd0b636bd580ef9c6d80ae46b4d64dc224d095df7fd1ada4cfebfedf53bde36375d349d180a5bb3203b937d46a515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypozm.exe

Filesize
470KB

MD5
827407f52bce1dd0902c13fb591a3d1d

SHA1
1f1cd34e77f67277fa09bd1d8b5dd2ba324c89d1

SHA256
a127fda3ef97da62fb9430ff7a5e77bfd1b2e51e71f25203274ea3a2494393fb

SHA512
b49752e915ba2a938cbde50ea62a35c0641cd0b636bd580ef9c6d80ae46b4d64dc224d095df7fd1ada4cfebfedf53bde36375d349d180a5bb3203b937d46a515

Download Submit
\Users\Admin\AppData\Local\Temp\jeevl.exe

Filesize
198KB

MD5
cc99c204cb13db60a2fa15d87f5ce0c6

SHA1
4d7a8084213593cc39ef0bfdfa14211d01085738

SHA256
2edf45f07786828a32506af7f2f832e20794537c134c0412a9ec6e8274bb395e

SHA512
8524a0c2874646095b32e3fff7a028dd6bf8ac1218b5416ad682625bc3b32536e9505d4a0734bb04828c85cd7b799f37eb6ec5353f4b7be434a5c016b71f88e6

Download Submit
\Users\Admin\AppData\Local\Temp\ypozm.exe

Filesize
470KB

MD5
827407f52bce1dd0902c13fb591a3d1d

SHA1
1f1cd34e77f67277fa09bd1d8b5dd2ba324c89d1

SHA256
a127fda3ef97da62fb9430ff7a5e77bfd1b2e51e71f25203274ea3a2494393fb

SHA512
b49752e915ba2a938cbde50ea62a35c0641cd0b636bd580ef9c6d80ae46b4d64dc224d095df7fd1ada4cfebfedf53bde36375d349d180a5bb3203b937d46a515

Download Submit
memory/2220-6-0x0000000000FA0000-0x000000000101C000-memory.dmp

Filesize
496KB

Download
memory/2220-17-0x0000000001360000-0x00000000013DC000-memory.dmp

Filesize
496KB

Download
memory/2220-0-0x0000000001360000-0x00000000013DC000-memory.dmp

Filesize
496KB

Download
memory/2360-20-0x00000000010F0000-0x000000000116C000-memory.dmp

Filesize
496KB

Download
memory/2360-28-0x00000000010F0000-0x000000000116C000-memory.dmp

Filesize
496KB

Download
memory/2360-25-0x0000000003810000-0x00000000038AF000-memory.dmp

Filesize
636KB

Download
memory/2640-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2640-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing