urelas | be4b9fca1e031f9d8314c94515bba09a45c11894738c9cdd223e17d3a91c3dd8

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39fc2f065fcd40fe8eaa9c2111a05f87.exe
Size

465KB
MD5

39fc2f065fcd40fe8eaa9c2111a05f87
SHA1

628101daca9506b2f5863b2962671c462158b82b
SHA256

be4b9fca1e031f9d8314c94515bba09a45c11894738c9cdd223e17d3a91c3dd8
SHA512

9cf10ed0ee1be9deffea5667543baef95e60788a2463e3859c6ad07eb530cab782423d674f2aed272f83d8fe9afb9d74df8254dfe43c846e70ae14158cd6c309
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1UFW:m6tQCG0UUPzEkTn4AC1+P

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1528	fyfyw.exe
2604	ezxix.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe
1528	fyfyw.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000000f6f8-23.dat	upx
behavioral1/memory/2604-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2604-32-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2604-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2604-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2604-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2604-36-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe
2604	ezxix.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1528	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	28
PID 2880 wrote to memory of 1528	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	28
PID 2880 wrote to memory of 1528	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	28
PID 2880 wrote to memory of 1528	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	28
PID 2880 wrote to memory of 2908	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	29
PID 2880 wrote to memory of 2908	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	29
PID 2880 wrote to memory of 2908	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	29
PID 2880 wrote to memory of 2908	2880	39fc2f065fcd40fe8eaa9c2111a05f87.exe	29
PID 1528 wrote to memory of 2604	1528	fyfyw.exe	33
PID 1528 wrote to memory of 2604	1528	fyfyw.exe	33
PID 1528 wrote to memory of 2604	1528	fyfyw.exe	33
PID 1528 wrote to memory of 2604	1528	fyfyw.exe	33

C:\Users\Admin\AppData\Local\Temp\39fc2f065fcd40fe8eaa9c2111a05f87.exe
"C:\Users\Admin\AppData\Local\Temp\39fc2f065fcd40fe8eaa9c2111a05f87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\fyfyw.exe
  "C:\Users\Admin\AppData\Local\Temp\fyfyw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\ezxix.exe
    "C:\Users\Admin\AppData\Local\Temp\ezxix.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
276B

MD5
cc072365855cedd36b34cfd6ef9d5738

SHA1
72d2bc244b49e91b9cfa9467878677f0db34917d

SHA256
35a09e2baa4b84b84c1ec5026f845cc41c16404389b88078f205f6f289c291d4

SHA512
298d2b52b49197dea4765a54e1317ef69dec96a4af1ee38fdb72b83b9978c37a691776fe45ea82dfb6ce20a8fdc57f3d9668f4deb8e494853cdc6dd90cafa765

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyfyw.exe

Filesize
465KB

MD5
5b532bc3efb32f766b781aadb07f67f8

SHA1
a4baf7e4be961eff1150df58c20ad91cdcfc7ac4

SHA256
4579fff416151ca49693cd938e48a44aa3e78cc2ea928b48da297fb18795f9d7

SHA512
6d8479913f05a89db5c8973516a76a1de8cdc42b5880d15272d3456c84ddaa5ba1eae950022582ac78c30f509242ae9b4c8e7b2ae0f187983e4e86efa478fef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7ced3674dd755776c3d0a9bb327647cc

SHA1
c95974910734088674709d16e9aa34046d9f4cc1

SHA256
509ebab345145604f0354064ce8d8e9b8d79f12ed9edacdd875ce6c880a87f26

SHA512
63dda716bf3ae4992938a49eda151036a7108692d6145252c159ffa15d72a860ab83d498b95a68661a339e7d690a05ec1028931ef25fbc885393c3cee1dfa6e7

Download Submit
\Users\Admin\AppData\Local\Temp\ezxix.exe

Filesize
198KB

MD5
b122683d6aebd8d4e0a370bac62551c4

SHA1
de65d2a6dd017185c75903f15cc5518fe2e94ded

SHA256
4100c941e318becf66ff7097dc00ebc9ecc30d58baae3912e8d4e22c1f2b9d05

SHA512
99bbc81795a779d6ee672bf46dc48a539f53c6063494b4d22df20af244be78b47a9b8d416d3f182d12a89d26e2f939a554d4feead7c4f15727fbf33f3df195c8

Download Submit
\Users\Admin\AppData\Local\Temp\fyfyw.exe

Filesize
465KB

MD5
65f93f6d989d5dcc9997105d229c93e3

SHA1
f3cc12baaa1d7cf49f503283995f5ce9b88b8297

SHA256
4c9a2df612903244871921969f5a41a1e530b63eb4850799b288c291ddcd0852

SHA512
3e011186792c6681caede5f47a6122e8fd948761631a6e9325120a04283f01c06cb26494a117567df91eff284a39cb629ba416b66f463caeddcee5fde7281547

Download Submit
memory/1528-28-0x0000000000030000-0x00000000000AC000-memory.dmp

Filesize
496KB

Download
memory/1528-18-0x0000000000030000-0x00000000000AC000-memory.dmp

Filesize
496KB

Download
memory/1528-25-0x0000000003330000-0x00000000033CF000-memory.dmp

Filesize
636KB

Download
memory/2604-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2604-32-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2604-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2604-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2604-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2604-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2880-0-0x0000000001080000-0x00000000010FC000-memory.dmp

Filesize
496KB

Download
memory/2880-17-0x0000000001080000-0x00000000010FC000-memory.dmp

Filesize
496KB

Download
memory/2880-8-0x0000000000AC0000-0x0000000000B3C000-memory.dmp

Filesize
496KB

Download