urelas | fddb13f88b36b3e522df810d59ab1f1af8fdc829d832e39acfe14dfd92d6c07e

General

Target

cd0a5b65338d5b8938a2f7746d2b7a1b.exe
Size

1.1MB
MD5

cd0a5b65338d5b8938a2f7746d2b7a1b
SHA1

6de316020509a70a2de22c15420f4765e1e85cbd
SHA256

fddb13f88b36b3e522df810d59ab1f1af8fdc829d832e39acfe14dfd92d6c07e
SHA512

2dfb93015c8cafa81bdd6eae3280b0af8e03504b92ffe1a0a88bbe427a613d5fccc3a04a46b5c2fe7283e2521a084d1ddc32e04a0ad726e124fe10b988b77287
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YU:tcykpY5852j6aJGl5cqBH

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	wejiy.exe
2772	apyhso.exe
2076	visoh.exe

Loads dropped DLL 5 IoCs

pid	Process
2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe
2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe
2944	wejiy.exe
2944	wejiy.exe
2772	apyhso.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0033000000015cbd-40.dat	upx
behavioral1/memory/2076-54-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2076-59-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe
2076	visoh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2944	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	28
PID 2900 wrote to memory of 2944	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	28
PID 2900 wrote to memory of 2944	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	28
PID 2900 wrote to memory of 2944	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	28
PID 2900 wrote to memory of 2484	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	29
PID 2900 wrote to memory of 2484	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	29
PID 2900 wrote to memory of 2484	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	29
PID 2900 wrote to memory of 2484	2900	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	29
PID 2944 wrote to memory of 2772	2944	wejiy.exe	31
PID 2944 wrote to memory of 2772	2944	wejiy.exe	31
PID 2944 wrote to memory of 2772	2944	wejiy.exe	31
PID 2944 wrote to memory of 2772	2944	wejiy.exe	31
PID 2772 wrote to memory of 2076	2772	apyhso.exe	34
PID 2772 wrote to memory of 2076	2772	apyhso.exe	34
PID 2772 wrote to memory of 2076	2772	apyhso.exe	34
PID 2772 wrote to memory of 2076	2772	apyhso.exe	34
PID 2772 wrote to memory of 2656	2772	apyhso.exe	35
PID 2772 wrote to memory of 2656	2772	apyhso.exe	35
PID 2772 wrote to memory of 2656	2772	apyhso.exe	35
PID 2772 wrote to memory of 2656	2772	apyhso.exe	35

C:\Users\Admin\AppData\Local\Temp\cd0a5b65338d5b8938a2f7746d2b7a1b.exe
"C:\Users\Admin\AppData\Local\Temp\cd0a5b65338d5b8938a2f7746d2b7a1b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\wejiy.exe
  "C:\Users\Admin\AppData\Local\Temp\wejiy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Local\Temp\apyhso.exe
    "C:\Users\Admin\AppData\Local\Temp\apyhso.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\visoh.exe
      "C:\Users\Admin\AppData\Local\Temp\visoh.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9b1095e5bbdf3fcbd7a95ef181790250

SHA1
dfd3588a295f9247f7a9a2a7032f1bc2550d3a2f

SHA256
9a2b0ead323353caae8c07c0963efcc46dead32c40ff8ed7a24fe50e0aa9ecd3

SHA512
240aefb171df01f16b3e1eee7b34f19dbfaac9d49f790d8c2440a4de0f449ac1b99adc50ca6a0efbde8b86388fe8a266867c107e823ba5ab9c12522775dabf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
71518b2619df53bd29b44c704e6bc1c1

SHA1
fc039515f860a373ac919d203e0964498570bd4b

SHA256
f0881d66ab9ffae50b4430c05cba3fc110c06399046a12a943511c25bfba6ede

SHA512
3142f6c4922d63da98893afac4d31d51eee1efba343810a3ec2afdd60ff92834c58461460d578656eba85e1377992fd67fc870d7e1a1b4ed9e07df62bf781b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04cc2089e1b341ba68ae231c1aa1df1c

SHA1
6f842036ab3a6d1be7c8bfa5addc4fec94a044a2

SHA256
21c42ceb068fa5df1cd145c3273ad7aeec69955cf3f9b156d4babe228598ed5c

SHA512
7bb582b158b225b8ef4f0cf100f5758a59042b55a5cccc3e57799ffbbf2871f5ce811df9db1b16592c615d7a9af05a340ebf3566e872e473a6e3090457fa42ab

Download Submit
\Users\Admin\AppData\Local\Temp\visoh.exe

Filesize
459KB

MD5
d73b80ffc445a0db7a6125f23bfc6b83

SHA1
d277d9a05fa65cf09c198b91ac052689a469e5ee

SHA256
e3f768f19ac4cc7ee9a64f4ea97a932731b9d473f5cf132e06b65496511c7644

SHA512
3ca64ebfc88b9bfbfbccd1c30cde1f5fd5c7e7e1a844e383879163fdebafcb49a10de15935c2f5105d9da69ac06f79cb65ae04a502264f2120522bcff3d83ce0

Download Submit
\Users\Admin\AppData\Local\Temp\wejiy.exe

Filesize
1.1MB

MD5
1fd09ace88f0cbd75cdee2c3f3aa6a5f

SHA1
d6dff058f779574da2ed0333647c364be064e8b7

SHA256
ba8a4c0e82d46d8ad9c186db33022a9b84a89cd145380fc18f1891d847ec12cc

SHA512
5a5bb29be3b695c9e2f01a28b55a4baa63460c8bb749668ded7d6cea8389438fc6f2ef8954cffc30089f561c9725741ac1ca9da425231e8643f44df869fb987d

Download Submit
memory/2076-54-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2076-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2076-62-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2076-59-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2772-61-0x0000000003DD0000-0x0000000003F69000-memory.dmp

Filesize
1.6MB

Download
memory/2772-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2772-53-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2772-52-0x0000000003DD0000-0x0000000003F69000-memory.dmp

Filesize
1.6MB

Download
memory/2900-20-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2900-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2944-32-0x0000000003790000-0x00000000038B4000-memory.dmp

Filesize
1.1MB

Download
memory/2944-34-0x0000000003790000-0x00000000038B4000-memory.dmp

Filesize
1.1MB

Download
memory/2944-21-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2944-33-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing