urelas | 56cfad78febf1f87650569c7f76b0a40019a12bd5f2413311c63671f0a5261f5

General

Target

0cb71b6fcbddec2c349b9ccaa742e030.exe
Size

509KB
MD5

0cb71b6fcbddec2c349b9ccaa742e030
SHA1

78e3632f4dd80b7b4bde3ac593311aa94a7fef59
SHA256

56cfad78febf1f87650569c7f76b0a40019a12bd5f2413311c63671f0a5261f5
SHA512

3157abc0779c52bd115c745e18c18dffa73e0a91958c1f7a4ded175d503324890efaa24a0f79d5695a8ae1d1d11bd8dcbd12ae4d32e09131ef64714b7d273733
SSDEEP

12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFV:j/D0caF8wvhb43pDbV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
3000	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	rizyq.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	0cb71b6fcbddec2c349b9ccaa742e030.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2812	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	30
PID 2320 wrote to memory of 2812	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	30
PID 2320 wrote to memory of 2812	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	30
PID 2320 wrote to memory of 2812	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	30
PID 2320 wrote to memory of 3000	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	29
PID 2320 wrote to memory of 3000	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	29
PID 2320 wrote to memory of 3000	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	29
PID 2320 wrote to memory of 3000	2320	0cb71b6fcbddec2c349b9ccaa742e030.exe	29

C:\Users\Admin\AppData\Local\Temp\0cb71b6fcbddec2c349b9ccaa742e030.exe
"C:\Users\Admin\AppData\Local\Temp\0cb71b6fcbddec2c349b9ccaa742e030.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\rizyq.exe
  "C:\Users\Admin\AppData\Local\Temp\rizyq.exe"
  2⤵
  - Executes dropped EXE
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\kopuu.exe
    "C:\Users\Admin\AppData\Local\Temp\kopuu.exe"
    3⤵
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
905d92a471d869ff9e754232d32a642d

SHA1
fcf0e22ab8dc57dee0c42e9c5ef3697b91fa25c4

SHA256
c4f8d1a1ad88a86b8b87b210fe3c43aa0536c242cc61b98ad6aa6fb80471631d

SHA512
560b886ea7f9ba22ecdf3e12736d54b3216774bb5078ddeb7f49d5e33e66ef4877be6ea4bf67ac3720f977a91608d7f2fe0454a3156062536bc50bdc991ba3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8da9e91645b7412a5570e088cfe57aa4

SHA1
861dd4d4b016319ff72bc9acd64c820d56692c07

SHA256
8f2c04103d0ef09b4bff8c837fd023650ebb22f4d0537ba82fd93e9db68c8d0a

SHA512
badc94356af464bbe9b9bc438578e08b08abc6bc6521e64abd96c3f99e626801fab0000384f069d0dd027b592c399530a501f1af1a7ffdb5002bd33fda48322c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kopuu.exe

Filesize
37KB

MD5
0d0cac7756a192bd8052d29a470bcc91

SHA1
b4c2c006c4c4fd18d430d1f3d001523f29c0fc04

SHA256
1f3c4480bb5c836c3027cc149c7a6cf5e0ad8db96b89531465936e249d817cb6

SHA512
9ac4cd6a19c8a1dd26bd4aefeb9a0b595980d68ef97b5bc781b45acd966403efadba08cbd0c9656849e69abaa5b505d96b5fa66e21003b440847fe507a3ad07f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizyq.exe

Filesize
87KB

MD5
bc752f09b32df450a30d1dcbc2f45241

SHA1
bd073376e6bc5dc241ee6a3aa6c5a19a13144001

SHA256
091393146f5edb944460ca1a4ddd7f14a2a819d69987018a9cd29ef6ac8c0bdf

SHA512
d34a84e652c3145b7d77b8f7650815707976cec4f5dc7d7a03cfdf7355a3bb876e322f3eb8311356b911eb7a771d09812ca7248c4a79db15c920731df86061e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizyq.exe

Filesize
92KB

MD5
c49e3ce98480956da018a16ad0aabc34

SHA1
e99792dbc9b0e2ba1ab7ebe773d71cd83ae5f87f

SHA256
45433d0330375a8892cc20a324f40fd5365d66efbe6ff78a50e082cc87b57798

SHA512
3d3ba3981f7b204c2393fc8d742a039e1951910a2b269099ff2b706e0947d8099ac5d1f6814f59ccf90df1dc336ba30bddbc6c642e11b90cf28a82506fc295ba

Download Submit
\Users\Admin\AppData\Local\Temp\kopuu.exe

Filesize
77KB

MD5
1c436977d111507fe1cc463843003509

SHA1
6837f24dc8c3a4620d1e7e9f7e900d2ed5f17aa9

SHA256
7e27e05a843e1accd11d214764bd8e763afca3cd1c6b9393e7115eb44ea7b6f4

SHA512
dabc0f091a933b9d2b014f9d6981339c014e3d7026fa4ce07965e18757452381c6840b3dd33aa565647a60e8751350c675d98c0a3247d65f590d84cc8f823bdf

Download Submit
\Users\Admin\AppData\Local\Temp\rizyq.exe

Filesize
5KB

MD5
62f6e5f5f12ef8857d712bd2b634ff86

SHA1
ae90038d9dad9663de085b5132bacf791a38e1fd

SHA256
7d2d92b0895980e090d1e2a6124f3662529733ea9881557fcc061c1c664e04af

SHA512
d356637de2878df502e48205b6e18a914e085847d732d7d599ea52cd1b1e132ae80ee89c1b87dbf5745aaf713f6ec3da4911670f1c630fd1544f11bf0fff8bc5

Download Submit
memory/2320-18-0x0000000000BD0000-0x0000000000C56000-memory.dmp

Filesize
536KB

Download
memory/2320-0-0x0000000000BD0000-0x0000000000C56000-memory.dmp

Filesize
536KB

Download
memory/2320-7-0x0000000002850000-0x00000000028D6000-memory.dmp

Filesize
536KB

Download
memory/2640-32-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2640-30-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2640-29-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2640-33-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2640-34-0x0000000000300000-0x0000000000302000-memory.dmp

Filesize
8KB

Download
memory/2640-35-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2640-36-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2640-37-0x0000000000240000-0x00000000002FB000-memory.dmp

Filesize
748KB

Download
memory/2812-28-0x0000000000050000-0x00000000000D6000-memory.dmp

Filesize
536KB

Download
memory/2812-25-0x0000000002F90000-0x000000000304B000-memory.dmp

Filesize
748KB

Download
memory/2812-10-0x0000000000050000-0x00000000000D6000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing