urelas | 1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8

General

Target

1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
Size

247KB
MD5

6bc8b8ea22ded629343c7cd37d165b69
SHA1

ac644dbe00940622e829eea2c7ff98ddde7f2979
SHA256

1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8
SHA512

9335907ea8c7b3190adb4368238eb47b05eb279f7dc0195de681d3b33b2758377b7ef657de0d094e75606a49e97129780f6a108c68e586a4b1882c008268cc5b
SSDEEP

3072:YYB4Qlayj4kOLH7yUzOu376z6zODggW9VzzOninjdJpHk:5yQlayj4vLmar6zFVWjzzPRJpHk

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.184

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/memory/1224-0-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral1/files/0x000d0000000122ee-4.dat	UPX
behavioral1/memory/1224-18-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral1/memory/2960-10-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral1/memory/2960-21-0x0000000000400000-0x0000000000445000-memory.dmp	UPX
behavioral1/memory/2960-22-0x0000000000400000-0x0000000000445000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	shoste.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1224-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x000d0000000122ee-4.dat	upx
behavioral1/memory/1224-18-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-21-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2960-22-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2960	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	28
PID 1224 wrote to memory of 2960	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	28
PID 1224 wrote to memory of 2960	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	28
PID 1224 wrote to memory of 2960	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	28
PID 1224 wrote to memory of 2572	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	29
PID 1224 wrote to memory of 2572	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	29
PID 1224 wrote to memory of 2572	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	29
PID 1224 wrote to memory of 2572	1224	1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe	29

C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe
"C:\Users\Admin\AppData\Local\Temp\1aa81f2c899008b1f482206e0a73588f63c16c17c829169ed34ab2553e6232e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\shoste.exe
  "C:\Users\Admin\AppData\Local\Temp\shoste.exe"
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
84755d526a89b1cec68d6091abfbcb6d

SHA1
c75a1553266458d5d4d6fb18291ea44563fa130f

SHA256
4485e73b8e2dd2346284b33156fcb30f8d6ab41c194933246803f1ab1b62665b

SHA512
78666508a3b72e65f9b1ec5736c88e3557023a7469be40e0a4b9e489e3b37fa6f50e87cc70779b66de19338b867e8037d572e965c4cf569dc9ef417d010f0f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
a2f1cfefee13539bee315ce711c269c6

SHA1
5a188e55886b54bdd6cc268825d0ee3238b3c57a

SHA256
541d4cb101005acc44067724797f497bc8f01efefbd2a389dcad8631cde48e76

SHA512
eb8319f51e54bc432b793444a84d0f205cfda26387e45d86e8ef96ffefe8ea21c12d0d8dcda55c63a987d40f5214b28973feb929cf5445fe86cba72cb2b87698

Download Submit
\Users\Admin\AppData\Local\Temp\shoste.exe

Filesize
247KB

MD5
266536b8f691f442f789429671db11ba

SHA1
93f6e580e9ec67465c36890a02bcef549cca4d73

SHA256
cbbce8892f93c375f2ee80deec01d01574c64782c62ae5875480cb4bc1cefaf8

SHA512
4455571c900a223468bc9201ffdc8daec630c6a61ad63aeae72323b6b083239cabc6b421699160a8021f4fbf6274f66172f43120837ecccdeba9f562b854b8b2

Download Submit
memory/1224-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1224-8-0x0000000002550000-0x0000000002595000-memory.dmp

Filesize
276KB

Download
memory/1224-18-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-21-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2960-22-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing