urelas | f8b425089506521645583c6720cf3498d91e09c0669640a88a0d1b1355a98d8b

General

Target

c5d0b55930807ca01e358f4d9b86d315.exe
Size

449KB
MD5

c5d0b55930807ca01e358f4d9b86d315
SHA1

4e3349ef3d5dd7e0504e2b15853850aa0c1759e0
SHA256

f8b425089506521645583c6720cf3498d91e09c0669640a88a0d1b1355a98d8b
SHA512

03adb2442eb1274d7a532be6de38eba02396e297fbd939c92124f39f25011a5d990f8a190fddd0874e76f2f7ad5f16bb88ac9562c0232748170d6ca163093f38
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpzW:PMpASIcWYx2U6hAJQnL

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2752	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2948	ofymj.exe
2592	ojazoc.exe

Loads dropped DLL 2 IoCs

pid	Process
2736	c5d0b55930807ca01e358f4d9b86d315.exe
2948	ofymj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2948	2736	c5d0b55930807ca01e358f4d9b86d315.exe	20
PID 2736 wrote to memory of 2948	2736	c5d0b55930807ca01e358f4d9b86d315.exe	20
PID 2736 wrote to memory of 2948	2736	c5d0b55930807ca01e358f4d9b86d315.exe	20
PID 2736 wrote to memory of 2948	2736	c5d0b55930807ca01e358f4d9b86d315.exe	20
PID 2736 wrote to memory of 2752	2736	c5d0b55930807ca01e358f4d9b86d315.exe	19
PID 2736 wrote to memory of 2752	2736	c5d0b55930807ca01e358f4d9b86d315.exe	19
PID 2736 wrote to memory of 2752	2736	c5d0b55930807ca01e358f4d9b86d315.exe	19
PID 2736 wrote to memory of 2752	2736	c5d0b55930807ca01e358f4d9b86d315.exe	19
PID 2948 wrote to memory of 2592	2948	ofymj.exe	17
PID 2948 wrote to memory of 2592	2948	ofymj.exe	17
PID 2948 wrote to memory of 2592	2948	ofymj.exe	17
PID 2948 wrote to memory of 2592	2948	ofymj.exe	17

C:\Users\Admin\AppData\Local\Temp\c5d0b55930807ca01e358f4d9b86d315.exe
"C:\Users\Admin\AppData\Local\Temp\c5d0b55930807ca01e358f4d9b86d315.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\ofymj.exe
  "C:\Users\Admin\AppData\Local\Temp\ofymj.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948

C:\Users\Admin\AppData\Local\Temp\ojazoc.exe
"C:\Users\Admin\AppData\Local\Temp\ojazoc.exe" OK
1⤵
- Executes dropped EXE
PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:320
- C:\Users\Admin\AppData\Local\Temp\ciimu.exe
  "C:\Users\Admin\AppData\Local\Temp\ciimu.exe"
  2⤵
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ofymj.exe

Filesize
12KB

MD5
a665ee1f9c28fe33a886b74924dfbe99

SHA1
186aa0b66db8b250d1ae0d98222ffaaf70f8d8d5

SHA256
e36228b1fe0926c1df77a8360097e0abe8985bffe169c8c3637a20abc82ea683

SHA512
92878c3e135c8b51e2bd08652820cc09393e53c0258544a0f140cfad028444fe3ad878c917cf9f53237f273b5291bfb5de1470abbbd6d61e32204470f7b91434

Download Submit
\Users\Admin\AppData\Local\Temp\ofymj.exe

Filesize
23KB

MD5
13a6d079bfae61bf11885d2da86c7c66

SHA1
2f31ba35f979095ab22cf2f452c686d1c8c9287f

SHA256
6ff1a3a7f6602015ba07d1b1f18c5f51b164638c0d96ac1ff08f91c5b6290f0a

SHA512
5128481f37a5ab731f7fe29be0386fadf899c272b882af4b4c284c9532cde6d0620b7fc2981d2baea75d3eae94161a1395e09b4dd4f1796152a487b321aed85a

Download Submit
memory/2024-53-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2024-55-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2024-54-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2024-52-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2024-56-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2024-48-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2024-47-0x0000000001260000-0x0000000001300000-memory.dmp

Filesize
640KB

Download
memory/2592-45-0x0000000003670000-0x0000000003710000-memory.dmp

Filesize
640KB

Download
memory/2592-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2592-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-9-0x0000000002810000-0x000000000287E000-memory.dmp

Filesize
440KB

Download
memory/2736-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2948-11-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2948-27-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/2948-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing