urelas | c9a7fbc74f14fd0561ba21366dbf3f0b053bc65bc078622c61b2881cadbc47e9

General

Target

299aba363caef390fbc4bd35f09718dd.exe
Size

401KB
MD5

299aba363caef390fbc4bd35f09718dd
SHA1

86cc9f5714875325e3f582176cf50e1d2b6887ba
SHA256

c9a7fbc74f14fd0561ba21366dbf3f0b053bc65bc078622c61b2881cadbc47e9
SHA512

7071f458001f56b80bdfcd4ff5ed3a036d48f7ce26f5b5cc9aecb8b45fb1b3d112c94e345682e8f250a8d97529bae56e3227b5786f57a065e26ff1cae9d60272
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohJh:8IfBoDWoyFblU6hAJQnOTh

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2464	dabuu.exe
2712	logupy.exe
1008	dogux.exe

Loads dropped DLL 5 IoCs

pid	Process
2416	299aba363caef390fbc4bd35f09718dd.exe
2416	299aba363caef390fbc4bd35f09718dd.exe
2464	dabuu.exe
2464	dabuu.exe
2712	logupy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe
1008	dogux.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2464	2416	299aba363caef390fbc4bd35f09718dd.exe	28
PID 2416 wrote to memory of 2464	2416	299aba363caef390fbc4bd35f09718dd.exe	28
PID 2416 wrote to memory of 2464	2416	299aba363caef390fbc4bd35f09718dd.exe	28
PID 2416 wrote to memory of 2464	2416	299aba363caef390fbc4bd35f09718dd.exe	28
PID 2416 wrote to memory of 2700	2416	299aba363caef390fbc4bd35f09718dd.exe	30
PID 2416 wrote to memory of 2700	2416	299aba363caef390fbc4bd35f09718dd.exe	30
PID 2416 wrote to memory of 2700	2416	299aba363caef390fbc4bd35f09718dd.exe	30
PID 2416 wrote to memory of 2700	2416	299aba363caef390fbc4bd35f09718dd.exe	30
PID 2464 wrote to memory of 2712	2464	dabuu.exe	31
PID 2464 wrote to memory of 2712	2464	dabuu.exe	31
PID 2464 wrote to memory of 2712	2464	dabuu.exe	31
PID 2464 wrote to memory of 2712	2464	dabuu.exe	31
PID 2712 wrote to memory of 1008	2712	logupy.exe	34
PID 2712 wrote to memory of 1008	2712	logupy.exe	34
PID 2712 wrote to memory of 1008	2712	logupy.exe	34
PID 2712 wrote to memory of 1008	2712	logupy.exe	34
PID 2712 wrote to memory of 1480	2712	logupy.exe	36
PID 2712 wrote to memory of 1480	2712	logupy.exe	36
PID 2712 wrote to memory of 1480	2712	logupy.exe	36
PID 2712 wrote to memory of 1480	2712	logupy.exe	36

C:\Users\Admin\AppData\Local\Temp\299aba363caef390fbc4bd35f09718dd.exe
"C:\Users\Admin\AppData\Local\Temp\299aba363caef390fbc4bd35f09718dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\dabuu.exe
  "C:\Users\Admin\AppData\Local\Temp\dabuu.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\logupy.exe
    "C:\Users\Admin\AppData\Local\Temp\logupy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\dogux.exe
      "C:\Users\Admin\AppData\Local\Temp\dogux.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
976952907df353c96bb613452ea44e38

SHA1
08d9fddb1669416ee42450f6490b4682ae959d29

SHA256
133082ad05099c6b3fe437fd721c803ef2584675b551f47621988b5e1b0e147f

SHA512
429f3365ab05cc734fb47a7915b593c415e43bf49b2d28bc261650d38c8e91a6d4abc951cd31e5f95de06d76a57c654b0bd230b25c08a801fdeda6f7f09403a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
d09c340f1023c63586b0641d474fca43

SHA1
f9e24d347c02dcc2d777bc04ad90f851e7c62e84

SHA256
6bda78e59089c39a9b62703fdaec529efa0241f767db7aa29b891eba29cd9905

SHA512
cf3a0e1a272ad106e4a07ffc527b17c419fc2710cc3b256b8699edd292fdf0971bf73426ce45493d090b0f0ea3c3cef5e16a909ef5ccafeb33ffe43b79481f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\logupy.exe

Filesize
401KB

MD5
24b1b20282bd9c6297667008c937f3d0

SHA1
c1faec7c1687535e3698abf87ae0969928c8bc63

SHA256
e97515c5a68bd68e2358f4d6027584c6322674dec3064eecdbf3ee44d919f244

SHA512
879df201676ee8b98f8a184eb01743e8f5e4415ff36100f4979e9aa120987e1cf94fc6458d292a8507e50ec026de8ea701ed6b5d04f56d1d6565e38bd9b8b0d4

Download Submit
\Users\Admin\AppData\Local\Temp\dabuu.exe

Filesize
401KB

MD5
d0eb53e4b662ab38004f1d60021b7e0d

SHA1
b9cf434c4d928bbe54ca50f1c39570a2f298043b

SHA256
087487db06b76c5076ec5e875e0f6aef7f6fd98504471421a6108ce74a046c26

SHA512
dede7d0ed905055a2d70a85e207677a01e32ca22c8f952f7eb65fca21b507bc336888e3b75ac2c2582c8898a85705b1e063329a0aa6a7fd8a4270c101785ea3c

Download Submit
\Users\Admin\AppData\Local\Temp\dogux.exe

Filesize
223KB

MD5
5fde4f7de949145658790ec725b0e7bd

SHA1
c7bf98137907a73319b2c6c9c72ce9780a555628

SHA256
6520bb8af271185e91d4bc1ad4c325720423ccb78b7df43a38f4dabb38e5e5e1

SHA512
70eae0be96cbb7ec0344ff2a357736630c393365f0d84f8bf5eb323705e5491d2303ff6a592a66319206475946fa5ab987b104c03e917247d6c697080497b451

Download Submit
memory/1008-59-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/1008-57-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1008-64-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/1008-63-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/1008-62-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/1008-61-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1008-60-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/1008-54-0x0000000001210000-0x00000000012B0000-memory.dmp

Filesize
640KB

Download
memory/2416-20-0x0000000002360000-0x00000000023C8000-memory.dmp

Filesize
416KB

Download
memory/2416-12-0x0000000002360000-0x00000000023C8000-memory.dmp

Filesize
416KB

Download
memory/2416-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2416-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2464-21-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2464-29-0x00000000031B0000-0x0000000003218000-memory.dmp

Filesize
416KB

Download
memory/2464-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2712-50-0x0000000003260000-0x0000000003300000-memory.dmp

Filesize
640KB

Download
memory/2712-52-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2712-36-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing