urelas | 001ebed0cc678ade59c90d6937de0dd9cec8ed1b565d3bbc6385e7534b602f55

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Backdoor.Win32.Plite.exe
Size

486KB
MD5

0e206b5d0ef3f4430c393e0d6ed2006c
SHA1

2024ecc37b01aebd48d39de633a9953999c33046
SHA256

001ebed0cc678ade59c90d6937de0dd9cec8ed1b565d3bbc6385e7534b602f55
SHA512

21735a43b23ddf1cdd93a6bbedb3ad4b207837b8cd7c33f14669a4570222e1837802f5c4cdf473ca45d638ac92dfb74254be667b5ae06bdbf72efa7f446c1541
SSDEEP

6144:3yKfEd7FQGSmAWRViVxGwl+fQSVY/Z+I2VLfFX/L3WsuF9BRIMv9alQ1pEKuH86T:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKK

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2184	yzrob.exe
1856	uqozo.exe

Loads dropped DLL 2 IoCs

pid	Process
2360	Backdoor.Win32.Plite.exe
2184	yzrob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe
1856	uqozo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2184	2360	Backdoor.Win32.Plite.exe	28
PID 2360 wrote to memory of 2184	2360	Backdoor.Win32.Plite.exe	28
PID 2360 wrote to memory of 2184	2360	Backdoor.Win32.Plite.exe	28
PID 2360 wrote to memory of 2184	2360	Backdoor.Win32.Plite.exe	28
PID 2360 wrote to memory of 2564	2360	Backdoor.Win32.Plite.exe	29
PID 2360 wrote to memory of 2564	2360	Backdoor.Win32.Plite.exe	29
PID 2360 wrote to memory of 2564	2360	Backdoor.Win32.Plite.exe	29
PID 2360 wrote to memory of 2564	2360	Backdoor.Win32.Plite.exe	29
PID 2184 wrote to memory of 1856	2184	yzrob.exe	33
PID 2184 wrote to memory of 1856	2184	yzrob.exe	33
PID 2184 wrote to memory of 1856	2184	yzrob.exe	33
PID 2184 wrote to memory of 1856	2184	yzrob.exe	33

C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe
"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Plite.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\yzrob.exe
  "C:\Users\Admin\AppData\Local\Temp\yzrob.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\uqozo.exe
    "C:\Users\Admin\AppData\Local\Temp\uqozo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
252B

MD5
97fc87a02a4d6b9e3c84b60d8c043bfe

SHA1
766c62bed33c6c7aabf6e27099702bcd584dcccb

SHA256
a3196284add063a8e6090efbb24a11a92af85d7257bc6b583299ff5df53806cc

SHA512
4462f2d9275882358de182cf3984fdde74e8430ea85212efa2c579c618c6cab10c867e7a2d6fd3dfd0400b7918a9d03de37eb5c5296abefa53846a8e126e6938

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
541801b0907265c718b9afcc9e75a89d

SHA1
8623d03875fd03a4744c4a6fe41393ac5f5f0186

SHA256
3c3fa77bce6ef160729983c33ecc423ccf95fa07ebcb9dcf0d19fdd89de7f76e

SHA512
faa6febcf6b5f3d42dde6be5b3b1b6ad2e365c10357032066b8c0ee9f9ca2ac12b2dbca09a475ae7a6bf756fe1b3e4f003ad263b85ccdb77f62549e06038d018

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqozo.exe

Filesize
172KB

MD5
69830c5b999f45b8532e3fa7d608d876

SHA1
7add64569b0b74303b6420bbd6effea09a1f5a8f

SHA256
3da8a8cb79c2f6c8a235e6e0964b9b4a7d99c25b8de1473c0baf28a3446534d5

SHA512
ecd2067f652d084607484211a7492d4922ab7e56d5b012263c5b3df8e204a6b22f99077567b945c9ac237a1a86b9504c83b220b5df6b68af49c637db7785aa1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzrob.exe

Filesize
486KB

MD5
49587931e193122b065d93b3c9845de7

SHA1
15dc3c735f4c460d7ee060d6dbe0222885db459c

SHA256
390fb18f77bebe8df03c6502914f16612a05c24a8f6cbc0ba53baa8ccfdb872d

SHA512
f73ef20e3fd1b7f6173eee3b2c00b9bbaba5f18d5fc262a2530c5ead45dada76de953c4850668189a378081836a6702d583dd9ea191c8775b53b86ee35a1c3a0

Download Submit
\Users\Admin\AppData\Local\Temp\yzrob.exe

Filesize
486KB

MD5
ae3d3d2af9b0fb540b3741f86d2f4267

SHA1
e2251fc9f67dd020640f7bb64e92b1d91675e5ab

SHA256
fb5d2b1d3830e249ef4d67e5ccfd27f95e3e0566d3c3a5163c150a94c9c2821d

SHA512
2d793a4a100abbac372b75442c5da0b9585e818559efb6bf1d36a0af53139308735a88c4691b2bbc81cee41420a3a069ea27524254823bd48177f04aab25086f

Download Submit
memory/1856-36-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1856-30-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1856-32-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1856-37-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1856-38-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1856-39-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1856-40-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/2184-27-0x0000000000130000-0x00000000001B1000-memory.dmp

Filesize
516KB

Download
memory/2184-26-0x0000000003500000-0x0000000003599000-memory.dmp

Filesize
612KB

Download
memory/2184-10-0x0000000000130000-0x00000000001B1000-memory.dmp

Filesize
516KB

Download
memory/2360-9-0x0000000001F60000-0x0000000001FE1000-memory.dmp

Filesize
516KB

Download
memory/2360-18-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2360-0-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download