urelas | 3bf3deb377d5dbbfd2d99521d2e0e381425a06e1a59b00ecd1f1281547ada63d

General

Target

5261ff1774557e45ff437f68c0cafa42.exe
Size

509KB
MD5

5261ff1774557e45ff437f68c0cafa42
SHA1

004440aee55c7542345c81bea13adff2bdfdf485
SHA256

3bf3deb377d5dbbfd2d99521d2e0e381425a06e1a59b00ecd1f1281547ada63d
SHA512

08ee6446142f8b4a6e02ba9acdfca421ae654f3a354b60c2b0f3d8e6aefa42ea422825ba7839d9a5beaccf91102005a6625ac9e7c055f96c9790001a9b22cf12
SSDEEP

12288:j/fCEOMsm8nc3qWQ8wqKhb43nLl5tDrXlFv:j/D0caF8wvhb43pDbv

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2916	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	sabeo.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	5261ff1774557e45ff437f68c0cafa42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2176	2724	5261ff1774557e45ff437f68c0cafa42.exe	30
PID 2724 wrote to memory of 2176	2724	5261ff1774557e45ff437f68c0cafa42.exe	30
PID 2724 wrote to memory of 2176	2724	5261ff1774557e45ff437f68c0cafa42.exe	30
PID 2724 wrote to memory of 2176	2724	5261ff1774557e45ff437f68c0cafa42.exe	30
PID 2724 wrote to memory of 2916	2724	5261ff1774557e45ff437f68c0cafa42.exe	29
PID 2724 wrote to memory of 2916	2724	5261ff1774557e45ff437f68c0cafa42.exe	29
PID 2724 wrote to memory of 2916	2724	5261ff1774557e45ff437f68c0cafa42.exe	29
PID 2724 wrote to memory of 2916	2724	5261ff1774557e45ff437f68c0cafa42.exe	29

C:\Users\Admin\AppData\Local\Temp\5261ff1774557e45ff437f68c0cafa42.exe
"C:\Users\Admin\AppData\Local\Temp\5261ff1774557e45ff437f68c0cafa42.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\sabeo.exe
  "C:\Users\Admin\AppData\Local\Temp\sabeo.exe"
  2⤵
  - Executes dropped EXE
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\lyguc.exe
    "C:\Users\Admin\AppData\Local\Temp\lyguc.exe"
    3⤵
    PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
276B

MD5
b14efd2ed44e0df120f78786bb819b81

SHA1
0fd1db461e311ebf16645ddf4e10aeaeb6645407

SHA256
4bc9aca10aa1c801ecf2d5b6e5987e74cc7ce13fb96cce40a42277bd2e0ba255

SHA512
861491a37a808b6040c104d852efc14fed82f062e5b1a5d495631ddc388bc7142cf4f135d3f30608ca3d1e25be92d5374b6e2e0a766c3385f0f49129386af317

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
421b077b3de1d53b2b87aa36bd38697a

SHA1
c68a21951f314287b420f6bff4a123129d46c76b

SHA256
5fe3a80f53e41663a4ab88548fa49514fb2603dd7ed6fa550029809252d92c53

SHA512
f45322182a5f77563d201ec253eb0478520c882266bce5db764b643400877fee45cf84c3aa9670732d6a0c284659568a2369f76be62d0be73b27587f43dfd13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyguc.exe

Filesize
92KB

MD5
34a40c709bd93e137e1a31da75c5f95a

SHA1
3940e0c288b3c01c20351fa8b543faddddc92257

SHA256
3d168a07ddaeaf028799e05eb8f205690bb323c22ac516a307148827f271ebf8

SHA512
29ca9feea7a95bab85f85e803eef646a562e86703490f15df8eb43e6709556e2ac1a6e1f19471ff5da6a647ec29b1fbd040ac6aa84f1cb6cf09e0a9b622b3bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\sabeo.exe

Filesize
509KB

MD5
5cb7e094e713ca0e2b67b6d9aee44efb

SHA1
c3f1f493d0e003185ade779a2b44dcd76518b408

SHA256
fe18bb58b064a0ccb885e3231eaecbccfea1dfd3319c6dc8eabf74964013789c

SHA512
e33ef739cbb31e3b6f96cef6e3a2e08b2390dfbbd9cbdbb02f7bbcf1826ded875723b566621e0e68fef3aee43abe4d8ccb58336907f21819a743e1ce3a652225

Download Submit
\Users\Admin\AppData\Local\Temp\lyguc.exe

Filesize
218KB

MD5
38e21e58aa7281910eb793dcc9cf7fb5

SHA1
c44ebd16873be6a6f7bf6b4abd347034e379e794

SHA256
74f86ecf37e42d94b7f1d883eaa81f69dd817dcff9eaa448fb34dd8902fc6fe9

SHA512
4ea9a36f46515f5de5ec2e14beb905c23f30a631b77de738558190d6079a6c8c03669c7d712d90507a3da1ad81e10bb9acb89cd23c320fcf5141b03947b803df

Download Submit
\Users\Admin\AppData\Local\Temp\sabeo.exe

Filesize
96KB

MD5
72c5d4a45da65c2c0e196bd176e5b0e4

SHA1
0364ea3bfcc9bbde652c846a238d0bd24c1cdb3c

SHA256
1d8b660fb8c6a32143b467a35024bfb4604b1b6315dc24920fa05ba163318f2b

SHA512
b4abf8ef163fce2510fc3b5264bffeae1f5277039a45658a54548cb3a1180dbf570653f33161437ffd91ce41fee4a325b17098d929b8c0784b4357c1750118bc

Download Submit
memory/940-32-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/940-29-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/940-28-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/940-31-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/940-33-0x0000000000100000-0x0000000000102000-memory.dmp

Filesize
8KB

Download
memory/940-34-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/940-35-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/940-36-0x0000000001140000-0x00000000011FB000-memory.dmp

Filesize
748KB

Download
memory/2176-27-0x0000000000920000-0x00000000009A6000-memory.dmp

Filesize
536KB

Download
memory/2176-18-0x0000000000920000-0x00000000009A6000-memory.dmp

Filesize
536KB

Download
memory/2724-16-0x0000000000740000-0x00000000007C6000-memory.dmp

Filesize
536KB

Download
memory/2724-17-0x00000000000D0000-0x0000000000156000-memory.dmp

Filesize
536KB

Download
memory/2724-0-0x00000000000D0000-0x0000000000156000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing