urelas | befc29ba7101805e3e556d7a2b5256840e1bf176e876e575aea7736d3feb9a83

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f9b03f1fdabac3cdb41c08eb785db54.exe
Size

466KB
MD5

3f9b03f1fdabac3cdb41c08eb785db54
SHA1

e46aebfedcfa2d4271659e758effc7656e8edac4
SHA256

befc29ba7101805e3e556d7a2b5256840e1bf176e876e575aea7736d3feb9a83
SHA512

6436b4e6c40c1d1433b245f15dab53da432b487d3ff65c8e98c745bec6e6524d8ea2ebf658bc3257589ae55fedb87eca2ab122cdedf69f4a74b7c904ab191ede
SSDEEP

12288:Y6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UJ:Y6tQCG0UUPzEkTn4AC1+K

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	efojl.exe
2384	qyvyt.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	3f9b03f1fdabac3cdb41c08eb785db54.exe
2924	efojl.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/files/0x0006000000005a59-28.dat	upx
behavioral1/memory/2924-26-0x0000000003E30000-0x0000000003ECF000-memory.dmp	upx
behavioral1/files/0x0006000000005a59-23.dat	upx
behavioral1/memory/2384-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2384-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2384-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2384-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2384-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe
2384	qyvyt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2924	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	28
PID 2988 wrote to memory of 2924	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	28
PID 2988 wrote to memory of 2924	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	28
PID 2988 wrote to memory of 2924	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	28
PID 2988 wrote to memory of 2832	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	29
PID 2988 wrote to memory of 2832	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	29
PID 2988 wrote to memory of 2832	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	29
PID 2988 wrote to memory of 2832	2988	3f9b03f1fdabac3cdb41c08eb785db54.exe	29
PID 2924 wrote to memory of 2384	2924	efojl.exe	33
PID 2924 wrote to memory of 2384	2924	efojl.exe	33
PID 2924 wrote to memory of 2384	2924	efojl.exe	33
PID 2924 wrote to memory of 2384	2924	efojl.exe	33

C:\Users\Admin\AppData\Local\Temp\3f9b03f1fdabac3cdb41c08eb785db54.exe
"C:\Users\Admin\AppData\Local\Temp\3f9b03f1fdabac3cdb41c08eb785db54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\efojl.exe
  "C:\Users\Admin\AppData\Local\Temp\efojl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\qyvyt.exe
    "C:\Users\Admin\AppData\Local\Temp\qyvyt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
276B

MD5
f7805170a72dced63bde4650665baf78

SHA1
c90ed4d430c08cd0e968c60bb7422dffb2bf4765

SHA256
c6348ffb929fd0d0f1737f0284f55a2aa0fbf1aba6c03e16c695357406fcf3e5

SHA512
2b001e97dd46c94b8dd03f2425eeee3218bdf9526b934ed6e6a87ffd19b9592885ed6aad9d1a98ce3f80dca62f2a3ac76762bf65c8d3e0ad7a8e3c1af2bb8a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\efojl.exe

Filesize
466KB

MD5
de03872ba3d4ddf1d8f7d9e597dfabf8

SHA1
594b1b828675d4c59b735fe1de5cb25ac74219f6

SHA256
7d878bcc4e4080d80297242f79300c4fa8c796996cc0082562f453c8c8447e5d

SHA512
d264e9f1f61b77aab81d4915a2c9ea5fc428f55c8d2dc837ce4320c656b0eb6a7c5ac78eea79388744d3c940345f228461562ce9643e0322ac98ae87c78eec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\efojl.exe

Filesize
280KB

MD5
725d73fc8286f187348ad5b52d89954d

SHA1
440a7279e63e71d90c629e420fd303f6f7db626c

SHA256
38daa216f8b6078299745c85d723ebd77e7cc3af13c1add1311e289d6a1f1f70

SHA512
f7ef40d310e314ef3618d50aa6d3d7b6a10e152392d0849d8ee5e63e3ee97a9dec2b2ef5bdf619b20e1d2840c98afc048ebabcaa53def607beb54a98744c63ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8f391b07eb40588a6646d70fa62c039b

SHA1
30a31b5ac9e6fb3fb2556a5e2d7eba7dd14794b0

SHA256
5a96f6b6ff135144340d35d9ccc1920d2d660a3ae21556343a3f89c8a4729c58

SHA512
6d2f639ae6d27d86d8758b74226345790b8cc78122180c70c89face19be6bdad2bb43f51bb50954e72f97450352058920aecf7e1f94a86126abbbb76374f3867

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyvyt.exe

Filesize
198KB

MD5
e6e6602bac289142bb7b9006509af3f2

SHA1
576faca5843db3cb3a4ca5b0beea64d5222ba1bb

SHA256
48da5751f4bf765a8b7052f89c8c6f4276fde6d1c0248130d47601af03fe52ca

SHA512
6e72ad6e0b6664e78e7fc1d332678301a28d6818659f89f8f7a89f9791951fc3293e9fe3b7ffb6feed5eaad87b8aadb581bb72169eec015586678ec96c11394f

Download Submit
\Users\Admin\AppData\Local\Temp\efojl.exe

Filesize
390KB

MD5
be4329d1a3401dbfaa74bbb5ff5fe71b

SHA1
4b9c60dfbd44fbfb3d9a7f08ffa963bca968361a

SHA256
4860f9e20c57104d4ddfa6f0dca6ed8b4419407d4b6e9246a925fd54c124fd3e

SHA512
8d260d66be4b08d43e65ccf250a67c4d880f2a763b76e0ba5bfb2119f3d53fbc5758eb98c914fddf0cf85531eab4c421231c68495dd62c34eafededfdf888da6

Download Submit
\Users\Admin\AppData\Local\Temp\qyvyt.exe

Filesize
171KB

MD5
f2819dd28acbfe63d53d964447dd4547

SHA1
54bbe6a451ac1443fad3650c88771d3f782f65e5

SHA256
2768efa79bbbf7177d9e88ed4cbc746dda86d1654272090626aaf6e733831d15

SHA512
7a26f47905432c51d9766429207b680bcb6139464287e47094222bc980d68410b9a6dab7402dc40bc7b4f6618f49fe1ccf4b19cb36cd1abb9a2d973656120398

Download Submit
memory/2384-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2384-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2384-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2384-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2384-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2384-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2924-17-0x0000000000F80000-0x0000000000FFC000-memory.dmp

Filesize
496KB

Download
memory/2924-27-0x0000000000F80000-0x0000000000FFC000-memory.dmp

Filesize
496KB

Download
memory/2924-26-0x0000000003E30000-0x0000000003ECF000-memory.dmp

Filesize
636KB

Download
memory/2988-10-0x0000000000980000-0x00000000009FC000-memory.dmp

Filesize
496KB

Download
memory/2988-0-0x0000000000A10000-0x0000000000A8C000-memory.dmp

Filesize
496KB

Download
memory/2988-18-0x0000000000A10000-0x0000000000A8C000-memory.dmp

Filesize
496KB

Download