urelas | 2c23cab9e2722ddcc9ea7c78f630ed177cbcda9dd71da2d3d524e5864e9ce2ff

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
Size

450KB
MD5

d171f74d11f49784f4ab635173f33950
SHA1

8e719a662e0a60d3cd34e05e3de6b5be7176ab90
SHA256

2c23cab9e2722ddcc9ea7c78f630ed177cbcda9dd71da2d3d524e5864e9ce2ff
SHA512

6be38cb72a086741cc55c330975b75abbdad0629659802bcc89f5c89d2855982030c2673f8891de4cbfd52919fe9e46eabd91ecf77becc47f669594f19164f11
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoN:PMpASIcWYx2U6hAJQnx

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2396	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2148	oslat.exe
3036	xepaza.exe
1200	moizj.exe

Loads dropped DLL 3 IoCs

pid	Process
1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
2148	oslat.exe
3036	xepaza.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe
1200	moizj.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2148	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	28
PID 1324 wrote to memory of 2148	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	28
PID 1324 wrote to memory of 2148	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	28
PID 1324 wrote to memory of 2148	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	28
PID 1324 wrote to memory of 2396	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	29
PID 1324 wrote to memory of 2396	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	29
PID 1324 wrote to memory of 2396	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	29
PID 1324 wrote to memory of 2396	1324	NEAS.d171f74d11f49784f4ab635173f33950_JC.exe	29
PID 2148 wrote to memory of 3036	2148	oslat.exe	31
PID 2148 wrote to memory of 3036	2148	oslat.exe	31
PID 2148 wrote to memory of 3036	2148	oslat.exe	31
PID 2148 wrote to memory of 3036	2148	oslat.exe	31
PID 3036 wrote to memory of 1200	3036	xepaza.exe	34
PID 3036 wrote to memory of 1200	3036	xepaza.exe	34
PID 3036 wrote to memory of 1200	3036	xepaza.exe	34
PID 3036 wrote to memory of 1200	3036	xepaza.exe	34
PID 3036 wrote to memory of 2176	3036	xepaza.exe	36
PID 3036 wrote to memory of 2176	3036	xepaza.exe	36
PID 3036 wrote to memory of 2176	3036	xepaza.exe	36
PID 3036 wrote to memory of 2176	3036	xepaza.exe	36

C:\Users\Admin\AppData\Local\Temp\NEAS.d171f74d11f49784f4ab635173f33950_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d171f74d11f49784f4ab635173f33950_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\oslat.exe
  "C:\Users\Admin\AppData\Local\Temp\oslat.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\xepaza.exe
    "C:\Users\Admin\AppData\Local\Temp\xepaza.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\moizj.exe
      "C:\Users\Admin\AppData\Local\Temp\moizj.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9bed3ff976d7c2665f964d558b76aa9a

SHA1
ea7d2355307d762dfd3d4cf97f062e8b0b6e12fd

SHA256
02ee408df0c08c608c0afd4634a587006c4d82ce5c90b515eb0f4cad81fcb159

SHA512
0bd59c5cbaf73abd61de0314a4dacf0fa9fc53a53c3f2bb6b64e4a55c535eb10cdd74de27a9d086a0225b5b7bbfc8e04c2efcd6f9f5d4bf017fb0cd95c33d970

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9bed3ff976d7c2665f964d558b76aa9a

SHA1
ea7d2355307d762dfd3d4cf97f062e8b0b6e12fd

SHA256
02ee408df0c08c608c0afd4634a587006c4d82ce5c90b515eb0f4cad81fcb159

SHA512
0bd59c5cbaf73abd61de0314a4dacf0fa9fc53a53c3f2bb6b64e4a55c535eb10cdd74de27a9d086a0225b5b7bbfc8e04c2efcd6f9f5d4bf017fb0cd95c33d970

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
aa1ad13bdf1c8cef820579d3bb182f05

SHA1
eb094f46aedf08325e697fee66b81d52bd137fa6

SHA256
bbf8765a5a2a9e3ecae5445e3ec93172ce9a7847e941bf7e76ec985caced2387

SHA512
0580c49facf2e4868bbc3cf38b37e44885f702c5aa477ebd8197f1964291ecad201d258a776c6c21d4189174e0b5d5564dc21f098117422cb8a3b3ae30258c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
292B

MD5
aa1ad13bdf1c8cef820579d3bb182f05

SHA1
eb094f46aedf08325e697fee66b81d52bd137fa6

SHA256
bbf8765a5a2a9e3ecae5445e3ec93172ce9a7847e941bf7e76ec985caced2387

SHA512
0580c49facf2e4868bbc3cf38b37e44885f702c5aa477ebd8197f1964291ecad201d258a776c6c21d4189174e0b5d5564dc21f098117422cb8a3b3ae30258c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
622db7202ddd1c15402f1de5ca10510c

SHA1
5067778fa480be159c2ddcca6a045fc26725d8f5

SHA256
ca61bbd41d94fdabaf95af407ee1bda826dc11a820ff487c164244a0e822e66c

SHA512
c9b0363103e8d5a24baca921dfc158c32bcaa511fa3de5fd51d4053d35d27fe8e2d6f25e11fb8be35e798ee2b2198f7bdf56d5da6a382b644814fe9cad0bdc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\moizj.exe

Filesize
223KB

MD5
76b5fc8afd195eb9e4879d514b875d8b

SHA1
19359047d743c891fde6babafd11024189c4d7ae

SHA256
5b2751a449bac25b91ac40385fd73657795c4697f73d5e64cf75cc33724397c9

SHA512
0836178bec209ceae07158f0a740d0b7685fa822e3d7616847cdcefd865349f3505316e70f7696a5e2270f7abf4127ed44f799ef45f655397c2bd7b9ff96af96

Download Submit
C:\Users\Admin\AppData\Local\Temp\oslat.exe

Filesize
450KB

MD5
06f9c8e2ed260fcd30a9afba4dbe85f0

SHA1
55edc3e44c9c468571f6197cbf0d6df9aafacda0

SHA256
7b283d7a6fe843652b982a3d8fef6735cc298ade425a2491ae00ac7edaf3308d

SHA512
c53ed21176bc222df29cfe9a03230ff94932dcb04c6086153eadb24381435509f2e1ca3c6bd3c21fb3d35f7530874c87309387d71a97f219f35d162b8b09ef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\oslat.exe

Filesize
450KB

MD5
06f9c8e2ed260fcd30a9afba4dbe85f0

SHA1
55edc3e44c9c468571f6197cbf0d6df9aafacda0

SHA256
7b283d7a6fe843652b982a3d8fef6735cc298ade425a2491ae00ac7edaf3308d

SHA512
c53ed21176bc222df29cfe9a03230ff94932dcb04c6086153eadb24381435509f2e1ca3c6bd3c21fb3d35f7530874c87309387d71a97f219f35d162b8b09ef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\xepaza.exe

Filesize
450KB

MD5
7fece6b482f0ce47e5cba4323ae7e637

SHA1
52b81abb01458b62a2d5ac72e81b1c9d2d8453d2

SHA256
1a6bbec0237d7d11b3e21aeb27d09a13f2e5ec42759a155e13ff37b06da215c2

SHA512
edecf45f1ef4840e3fbb418592bab07ebf9f85fd5511d33775dacc37726e55bd8b737906a45015f4202d180db88ed8c83b0bd2904be292d8eecf3bcaa3aa6a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xepaza.exe

Filesize
450KB

MD5
7fece6b482f0ce47e5cba4323ae7e637

SHA1
52b81abb01458b62a2d5ac72e81b1c9d2d8453d2

SHA256
1a6bbec0237d7d11b3e21aeb27d09a13f2e5ec42759a155e13ff37b06da215c2

SHA512
edecf45f1ef4840e3fbb418592bab07ebf9f85fd5511d33775dacc37726e55bd8b737906a45015f4202d180db88ed8c83b0bd2904be292d8eecf3bcaa3aa6a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xepaza.exe

Filesize
450KB

MD5
7fece6b482f0ce47e5cba4323ae7e637

SHA1
52b81abb01458b62a2d5ac72e81b1c9d2d8453d2

SHA256
1a6bbec0237d7d11b3e21aeb27d09a13f2e5ec42759a155e13ff37b06da215c2

SHA512
edecf45f1ef4840e3fbb418592bab07ebf9f85fd5511d33775dacc37726e55bd8b737906a45015f4202d180db88ed8c83b0bd2904be292d8eecf3bcaa3aa6a6c

Download Submit
\Users\Admin\AppData\Local\Temp\moizj.exe

Filesize
223KB

MD5
76b5fc8afd195eb9e4879d514b875d8b

SHA1
19359047d743c891fde6babafd11024189c4d7ae

SHA256
5b2751a449bac25b91ac40385fd73657795c4697f73d5e64cf75cc33724397c9

SHA512
0836178bec209ceae07158f0a740d0b7685fa822e3d7616847cdcefd865349f3505316e70f7696a5e2270f7abf4127ed44f799ef45f655397c2bd7b9ff96af96

Download Submit
\Users\Admin\AppData\Local\Temp\oslat.exe

Filesize
450KB

MD5
06f9c8e2ed260fcd30a9afba4dbe85f0

SHA1
55edc3e44c9c468571f6197cbf0d6df9aafacda0

SHA256
7b283d7a6fe843652b982a3d8fef6735cc298ade425a2491ae00ac7edaf3308d

SHA512
c53ed21176bc222df29cfe9a03230ff94932dcb04c6086153eadb24381435509f2e1ca3c6bd3c21fb3d35f7530874c87309387d71a97f219f35d162b8b09ef45

Download Submit
\Users\Admin\AppData\Local\Temp\xepaza.exe

Filesize
450KB

MD5
7fece6b482f0ce47e5cba4323ae7e637

SHA1
52b81abb01458b62a2d5ac72e81b1c9d2d8453d2

SHA256
1a6bbec0237d7d11b3e21aeb27d09a13f2e5ec42759a155e13ff37b06da215c2

SHA512
edecf45f1ef4840e3fbb418592bab07ebf9f85fd5511d33775dacc37726e55bd8b737906a45015f4202d180db88ed8c83b0bd2904be292d8eecf3bcaa3aa6a6c

Download Submit
memory/1200-53-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1200-51-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1200-52-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1200-56-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1200-49-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1200-55-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1200-54-0x0000000000C30000-0x0000000000CD0000-memory.dmp

Filesize
640KB

Download
memory/1324-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1324-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1324-8-0x0000000001FE0000-0x000000000204E000-memory.dmp

Filesize
440KB

Download
memory/2148-27-0x0000000003180000-0x00000000031EE000-memory.dmp

Filesize
440KB

Download
memory/2148-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2148-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3036-47-0x0000000003460000-0x0000000003500000-memory.dmp

Filesize
640KB

Download
memory/3036-45-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3036-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download