urelas | c048f581df7a53413f2abb679a44d7f2e93a703c0c5c5cc3b037c1daac7ec74d

General

Target

cad9fd9cbb6118db912f4465eb3fa786.exe
Size

444KB
MD5

cad9fd9cbb6118db912f4465eb3fa786
SHA1

aaa46a59b9a73766ba461c7f2d00cfbbdb563925
SHA256

c048f581df7a53413f2abb679a44d7f2e93a703c0c5c5cc3b037c1daac7ec74d
SHA512

50d7fa156afe16c03b59776d5b163dd0349abe9de9127195a75943cfd3b3cf58eb413bda0406f3e23610d9ae6133108a26690f6ada3ba0cf584d5051ea884d01
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjdOx:oMpASIcWYx2U6hAJQnMU

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Executes dropped EXE 1 IoCs

pid	Process
2268	vasoq.exe

Loads dropped DLL 1 IoCs

pid	Process
1364	cad9fd9cbb6118db912f4465eb3fa786.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2268	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	17
PID 1364 wrote to memory of 2268	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	17
PID 1364 wrote to memory of 2268	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	17
PID 1364 wrote to memory of 2268	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	17
PID 1364 wrote to memory of 2916	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	16
PID 1364 wrote to memory of 2916	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	16
PID 1364 wrote to memory of 2916	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	16
PID 1364 wrote to memory of 2916	1364	cad9fd9cbb6118db912f4465eb3fa786.exe	16

C:\Users\Admin\AppData\Local\Temp\dosoci.exe
"C:\Users\Admin\AppData\Local\Temp\dosoci.exe" OK
1⤵
PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\corot.exe
  "C:\Users\Admin\AppData\Local\Temp\corot.exe"
  2⤵
  PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
1⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\vasoq.exe
"C:\Users\Admin\AppData\Local\Temp\vasoq.exe" hi
1⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Temp\cad9fd9cbb6118db912f4465eb3fa786.exe
"C:\Users\Admin\AppData\Local\Temp\cad9fd9cbb6118db912f4465eb3fa786.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
ed9841bb4a7bdefda4714e624a210f47

SHA1
c704cfecd0aa08a038caf1a9ec0638cbe5b960e5

SHA256
f68851c05167f2adfeac68d95d544575c2aa003588eb402c255642210eedc978

SHA512
571818acf1a5eaddf9bc9fa040d05cf0472936b8b0aefd8a37fa426f1434dae57d6694a17c4131b76be8586e6dada139c10ab7a0f0c2aad7935316b38d711f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a7396c6864e4707a9ab4811dd10f3a72

SHA1
76fb3baefd05ebc7c5658f4f57c3b43a7418bd59

SHA256
63f6a78d5cbbf0b0268c8bd2329092bde38632fd94142fec87ed29f4d8684263

SHA512
82e06adeca72c27dbe0844f947dd413c1e9c3c231efab4c719c93b21f49d8476648920358409435ad9006b10f093d7d7e3bf2614b87f0150166c0752a10373d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vasoq.exe

Filesize
92KB

MD5
fa3f92547d2c27f83df83ea97e4578b9

SHA1
82f45a70224240b1908bc168ee2e1e0da64151fb

SHA256
778099f6a556cf87a008a71e032659a6f72b6d753b974166047e1e83be63c874

SHA512
5815875930ad14c321336841c93f25ccd15a7efd8848d1416d34246f1fb66845830ee132a8184cb535b9b0ac134a88dc14dc8243f3bc35e317a4787cd965d49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vasoq.exe

Filesize
444KB

MD5
07ff26c9d25a0a0f030665e62c6c4163

SHA1
4e670f280b44df21b7b91bad9c8c64e93fcf0f4d

SHA256
9ad646e9ed5c29a66cb7659c4c1e5fbe5ff038e0a38b3fdcd30772d1b41031d5

SHA512
d2873e26ba306251cf50aaa729993947bf5a2afce7af73635ee632e668baeeda36ecf96dd4719b846d3b84b8e71d7a8a60b45bdf4a18a11f7f6f042c419e169e

Download Submit
memory/1364-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1364-16-0x0000000002C00000-0x0000000002C6E000-memory.dmp

Filesize
440KB

Download
memory/1364-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1908-52-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/1908-56-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/1908-55-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/1908-54-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/1908-48-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/1908-47-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1908-53-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/2268-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-29-0x00000000037F0000-0x000000000385E000-memory.dmp

Filesize
440KB

Download
memory/2268-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2632-37-0x0000000003A10000-0x0000000003AB0000-memory.dmp

Filesize
640KB

Download
memory/2632-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2632-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing