urelas | 8cdf7723e24698ed5eb4e2976f92a9815803097d8a9d0b657975b174a7708b31

General

Target

NEAS.3b768d8f94122b013be7d91dca485b00.exe
Size

340KB
MD5

3b768d8f94122b013be7d91dca485b00
SHA1

ab13639b7be97ec59f5e4ea2389a38268dc3a2d7
SHA256

8cdf7723e24698ed5eb4e2976f92a9815803097d8a9d0b657975b174a7708b31
SHA512

604edecda3c4fb0236683e0843609efe3fea7f975ec747d6595d6a5e2870de1af2aeced6a246de1e5fe86b3417a5dc50095daa4697fea26e6752bcea226ecd49
SSDEEP

6144:L5j2IK9SqJ2HoS7LZRlUFARtbAwmw2IP4RznwJd2h/obwyEnAv64ZfO:LscqQoS7l3UW8wmeaznwcob33vRM

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	sander.exe

Loads dropped DLL 1 IoCs

pid	Process
2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000D20000-0x0000000000DD6000-memory.dmp	upx
behavioral1/files/0x0033000000014702-4.dat	upx
behavioral1/files/0x0033000000014702-8.dat	upx
behavioral1/memory/2948-10-0x00000000012A0000-0x0000000001356000-memory.dmp	upx
behavioral1/memory/2960-18-0x0000000000D20000-0x0000000000DD6000-memory.dmp	upx
behavioral1/memory/2948-21-0x00000000012A0000-0x0000000001356000-memory.dmp	upx
behavioral1/memory/2948-28-0x00000000012A0000-0x0000000001356000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2948	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	28
PID 2960 wrote to memory of 2948	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	28
PID 2960 wrote to memory of 2948	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	28
PID 2960 wrote to memory of 2948	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	28
PID 2960 wrote to memory of 2628	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	29
PID 2960 wrote to memory of 2628	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	29
PID 2960 wrote to memory of 2628	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	29
PID 2960 wrote to memory of 2628	2960	NEAS.3b768d8f94122b013be7d91dca485b00.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.3b768d8f94122b013be7d91dca485b00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3b768d8f94122b013be7d91dca485b00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
bad8786e4341a45617d3f978a8ec42b9

SHA1
ae69fec1c299e33edde42ae8335194bd2904d3a4

SHA256
733a341fd335b91417ea9517d57439e4c72c65b482ec5ad0f0acee00abf3eb50

SHA512
8bdcac43d9a75eb369bb3babee8aef066ec3be4fdd956d200c4a97e3fe45270cd2cdd7cf05f85670626de01705b8a0349e8c6995e84d08b8823675630b39f711

Download Submit
C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
bad8786e4341a45617d3f978a8ec42b9

SHA1
ae69fec1c299e33edde42ae8335194bd2904d3a4

SHA256
733a341fd335b91417ea9517d57439e4c72c65b482ec5ad0f0acee00abf3eb50

SHA512
8bdcac43d9a75eb369bb3babee8aef066ec3be4fdd956d200c4a97e3fe45270cd2cdd7cf05f85670626de01705b8a0349e8c6995e84d08b8823675630b39f711

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8edc8e83af9ccb57168230686dcb81a2

SHA1
15f71b7c8e19727a913f7b0e062829b7e1789fa0

SHA256
fb348d3d0f7700004fc47dfb81c71888b52978d609a6b3d6f1bfa51ac35270ce

SHA512
9708e1fb3f02bb481c67ab45617a657812e0b598d33b6994cc65ec2f048127d5e44cfe71ed93006952836a63d88454545af7e953a6516d01e277888a9f0dba38

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
340KB

MD5
71ee8f7bb961589cc74b9f61ecd4edb3

SHA1
a627176557b3072ee2349aca8286400650303eb2

SHA256
279ba3fecd2a5848299d0a8899cbc05915f8411e27115ee29a6ab91099b3877e

SHA512
75847d84692a18d0844a3bd1f0fd887f8892a792e5fdcf3cd5cdc170cfa4a0fc10978c9e32a5ea06e183a7e71b457de562e55bddbf744f4967f3dfb1da11938f

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
340KB

MD5
71ee8f7bb961589cc74b9f61ecd4edb3

SHA1
a627176557b3072ee2349aca8286400650303eb2

SHA256
279ba3fecd2a5848299d0a8899cbc05915f8411e27115ee29a6ab91099b3877e

SHA512
75847d84692a18d0844a3bd1f0fd887f8892a792e5fdcf3cd5cdc170cfa4a0fc10978c9e32a5ea06e183a7e71b457de562e55bddbf744f4967f3dfb1da11938f

Download Submit
memory/2948-10-0x00000000012A0000-0x0000000001356000-memory.dmp

Filesize
728KB

Download
memory/2948-21-0x00000000012A0000-0x0000000001356000-memory.dmp

Filesize
728KB

Download
memory/2948-28-0x00000000012A0000-0x0000000001356000-memory.dmp

Filesize
728KB

Download
memory/2960-0-0x0000000000D20000-0x0000000000DD6000-memory.dmp

Filesize
728KB

Download
memory/2960-9-0x0000000002A60000-0x0000000002B16000-memory.dmp

Filesize
728KB

Download
memory/2960-18-0x0000000000D20000-0x0000000000DD6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing