urelas | 78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb

Analysis

max time kernel
167s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe
Size

336KB
MD5

25c58eb932724a40ba440ab0da42c526
SHA1

8fb69b4b550599d0a4d9a50b07ad43a5bc461dc9
SHA256

78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb
SHA512

d96f098b0e951d26c4fb440e11c0bfe0e3d8971c9da157cc7cbdacf6c666cfe3ceecf1ecaa9c7a559181d1ce3137e2bd37fb376dc89099c03300c7b7395c156e
SSDEEP

6144:GLtOexihqv4m+lXD6betiTuBMTWjIDIiUBAkW9UOKMOtzWO8CatspddOE:GL1D+IatauBML42MykRa6j

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2428	hojuh.exe
2292	zuatuh.exe
2480	kugub.exe

Loads dropped DLL 3 IoCs

pid	Process
2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe
2428	hojuh.exe
2292	zuatuh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe
2480	kugub.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2428	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	27
PID 2692 wrote to memory of 2428	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	27
PID 2692 wrote to memory of 2428	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	27
PID 2692 wrote to memory of 2428	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	27
PID 2692 wrote to memory of 2572	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	28
PID 2692 wrote to memory of 2572	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	28
PID 2692 wrote to memory of 2572	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	28
PID 2692 wrote to memory of 2572	2692	78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe	28
PID 2428 wrote to memory of 2292	2428	hojuh.exe	29
PID 2428 wrote to memory of 2292	2428	hojuh.exe	29
PID 2428 wrote to memory of 2292	2428	hojuh.exe	29
PID 2428 wrote to memory of 2292	2428	hojuh.exe	29
PID 2292 wrote to memory of 2480	2292	zuatuh.exe	33
PID 2292 wrote to memory of 2480	2292	zuatuh.exe	33
PID 2292 wrote to memory of 2480	2292	zuatuh.exe	33
PID 2292 wrote to memory of 2480	2292	zuatuh.exe	33
PID 2292 wrote to memory of 920	2292	zuatuh.exe	34
PID 2292 wrote to memory of 920	2292	zuatuh.exe	34
PID 2292 wrote to memory of 920	2292	zuatuh.exe	34
PID 2292 wrote to memory of 920	2292	zuatuh.exe	34

C:\Users\Admin\AppData\Local\Temp\78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe
"C:\Users\Admin\AppData\Local\Temp\78b1f1335b9a822fb5e9e24c70b3eb87f229f3383f1f9db67fafec43abf19dbb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\hojuh.exe
  "C:\Users\Admin\AppData\Local\Temp\hojuh.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\zuatuh.exe
    "C:\Users\Admin\AppData\Local\Temp\zuatuh.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\kugub.exe
      "C:\Users\Admin\AppData\Local\Temp\kugub.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2480
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ac201c03baa65b217cc279cb157dbf4b

SHA1
570db0603fc1444b0a80ca8b48a997a8e0e2dcd7

SHA256
b3fcca09d2bff04ebba3ea3259e9d72d73e2e0a5a71edc748af58c6830c308bd

SHA512
d0cf775ffb020c41cc0f5b13b869dfc8ed0bcb62dab11e506fa33ff9422fd66ac370556aef5529615a2234839593e6ea5c1708a1fb8d6e8795893a1f7ec7aa10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d6e2a6cb1d0783111ea2a0fa14bae8b9

SHA1
c0eeda318dfeac00d9449551286dde86a103a9b2

SHA256
b71439d31a9d550e481d69dc9e7be766616c91be6d9d4135e28cf8c3f08d2dcb

SHA512
45c92191a15b90961968f07b520cff8bace442449d637b30b8c72697f01a34800808b40cceba297f9d5c259f708ad5b67a380cb7903edc2c5bf0291a3f72114d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0fd683333d6c0589791b406cfdecf27b

SHA1
7ab21dc16133c4bffef003b5e216fc7e6c5986f7

SHA256
7d6cd6638f001ac77520415d5c954604928f88ed5499d0539429865764f57787

SHA512
889e92bcd025ea17a4dcca5bbb12f89d9ea6bb159cdc0678127a639e555d235a14c92cff04fc8857b7b3c87e57019c523ffa57f80bff34ff3568620a1cdb3072

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuatuh.exe

Filesize
336KB

MD5
a25cead1ab5101ea0b1a1a7e99980a8d

SHA1
2564e3684de35ef40567ea00e2e335675134c7de

SHA256
2e3489bb4b2d32dd566b01213041f7764b4e14cd63a07abf1b09da84af21da21

SHA512
f1cada7af7bcf0ddb90c15ecbfeb5066a745f3c9f4440c5100034209409a011c66a611dd5654722c3e1029a1c2f212ad51b8309967762e1aa60c255fc6a1eebf

Download Submit
\Users\Admin\AppData\Local\Temp\hojuh.exe

Filesize
336KB

MD5
7071bf5b7d9bc8e2dc9a7a4af3f78710

SHA1
823d4759de04ef3dccbf24527e90b5d6c43579d6

SHA256
e5a8c08b57377c3c9971b05d90855f33655058819288501d5a40160a7b1214c2

SHA512
b580377f56e4ab79b5d1e4ac2c6d7fef6b2c8ed7c7c789ec646ec3276f1a1628f462005d978cb7b6db4000a0e57b927cca33e25f47ef279b1f81b33a3ae8cc60

Download Submit
\Users\Admin\AppData\Local\Temp\kugub.exe

Filesize
223KB

MD5
db44f6742f31814a87aa08224fe52420

SHA1
4b8709d2343b58adb50759dc3b19e0232e926e46

SHA256
72066916883894533d60309e4b83a4c18f140a42d296cf5fd84e6cf848ff31f0

SHA512
4bd6d25d0cbb3b8fe427c1f0a247202635a178e5577b7aeecdc0b136b05502e69c2ee7a861caaf1026e2350b07c2bf772ed230f0de9945687aebc35baf28a55f

Download Submit
memory/2292-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2292-46-0x00000000031F0000-0x0000000003290000-memory.dmp

Filesize
640KB

Download
memory/2292-56-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2292-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2292-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2428-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2428-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2428-29-0x0000000003070000-0x00000000030DE000-memory.dmp

Filesize
440KB

Download
memory/2428-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-60-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-58-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-63-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-64-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-65-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2480-66-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-67-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-68-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2692-3-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2692-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2692-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download