urelas | 0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
Size

454KB
MD5

e545840f1e3a352832c34ec59e0bc74c
SHA1

349acbecb2f97d39236f0c04c2c926b9ecccda99
SHA256

0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6
SHA512

a0ca1f60633f79002b1595452ff2c781d02316194bf12a9a1f51ef1ae25416ebab21a3b60672d4c4353ec871ea5d8e8f6b6b146e5cc63a88f0c9806145403b6f
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjIa1EMi:oMpASIcWYx2U6hAJQnSLi

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2652	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2984	xeufx.exe
2768	kutyad.exe
1588	yhmeo.exe

Loads dropped DLL 3 IoCs

pid	Process
2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
2984	xeufx.exe
2768	kutyad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe
1588	yhmeo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2984	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	28
PID 2972 wrote to memory of 2984	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	28
PID 2972 wrote to memory of 2984	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	28
PID 2972 wrote to memory of 2984	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	28
PID 2972 wrote to memory of 2652	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	29
PID 2972 wrote to memory of 2652	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	29
PID 2972 wrote to memory of 2652	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	29
PID 2972 wrote to memory of 2652	2972	0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe	29
PID 2984 wrote to memory of 2768	2984	xeufx.exe	31
PID 2984 wrote to memory of 2768	2984	xeufx.exe	31
PID 2984 wrote to memory of 2768	2984	xeufx.exe	31
PID 2984 wrote to memory of 2768	2984	xeufx.exe	31
PID 2768 wrote to memory of 1588	2768	kutyad.exe	34
PID 2768 wrote to memory of 1588	2768	kutyad.exe	34
PID 2768 wrote to memory of 1588	2768	kutyad.exe	34
PID 2768 wrote to memory of 1588	2768	kutyad.exe	34
PID 2768 wrote to memory of 812	2768	kutyad.exe	35
PID 2768 wrote to memory of 812	2768	kutyad.exe	35
PID 2768 wrote to memory of 812	2768	kutyad.exe	35
PID 2768 wrote to memory of 812	2768	kutyad.exe	35

C:\Users\Admin\AppData\Local\Temp\0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe
"C:\Users\Admin\AppData\Local\Temp\0eba22ddf1e969bbe97ed7f909b2eb6df2ee28f78dd575527fabc4e3fb35c3a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\xeufx.exe
  "C:\Users\Admin\AppData\Local\Temp\xeufx.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\kutyad.exe
    "C:\Users\Admin\AppData\Local\Temp\kutyad.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\yhmeo.exe
      "C:\Users\Admin\AppData\Local\Temp\yhmeo.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
c4f8be4499e10c5e3e36ca5547e0f03c

SHA1
0cc89b4c10ada460b04cf2f9c2608fea7bfc5109

SHA256
94a94d4dfa5bf5fea34a0f8b13204c46e79556ef0d34b111d48f3256088b2303

SHA512
bbc8b4c5da0311115b710aab55be087ea737b9ba8a533fe56c5a815a16335a5179ec57a944c89c7bfaac485b44681e842c6d3d23793f9e9c88ec6b67c847aec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
87ed9541f07f7f6f79ed7e1a074fb0ed

SHA1
04ec7356603c28d9c7d41016c88706951afc3e41

SHA256
87dc081784e7b98c2a23b1e9a083fa6bf75d7da721073adbece47e1462daf0fa

SHA512
79ff42364f90145be0d7af0a872eeb232d2c8b8319e18e138d0e42fd52e5f8120e8675cf53ded800dd1c51ca44752f05363b5986faf687ab15b5e11f517ed23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e265dbc77ce984c11df452ab9f726a9a

SHA1
ece5982df8b136f75aeb1bb6dcde05c334e736b1

SHA256
aefd3cf3eef9985733abe0766ea969140238d82b3e91dc9f6ee69caed9b983e6

SHA512
35a3b20aeea1578b79270a17aebbc32180f4845485a66b07711efac31926348e3316fbdf89ae5f0c35b157a8b6e8601851641ebf22c404d7354dc0c0c745eede

Download Submit
C:\Users\Admin\AppData\Local\Temp\kutyad.exe

Filesize
454KB

MD5
61fe483b2a6dc51b11be1e209361e92c

SHA1
b0c16e4a706f432ea011357365476e995d066cf1

SHA256
b548bce8121ac75f34949f499f67518ba42bd17985b6f0e9032460d0ec4795ae

SHA512
c1a7a597868b2a59ccd5b955c58b975662b09068ab35e4cf45d290c0aa1816b6b93ad98c4d52f201ae4b84fb8ffdb1ef34b67409018b71abbf569e3aefd9eebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhmeo.exe

Filesize
223KB

MD5
11fa24384f77c27f2874300b89c4759c

SHA1
16cead41c4d311ff5fcebf5a9b152469de748779

SHA256
b0673c13f8ccb5877bc2d2cb5f9eca8960880735f27bc1a3615d4163949688ab

SHA512
ef6a6bc328e3147ac1d1c2676cadc56497ae1948979000b3cdf3ada83d7a20e5399d59c451b23bb597ef56f7644539af3f81caef03a45c84090ce31e9a3fda7a

Download Submit
\Users\Admin\AppData\Local\Temp\xeufx.exe

Filesize
454KB

MD5
e03e9b17e03bce03fba377ccbfe0abc5

SHA1
06bab97f6696f6e4b5b7f54c02ddc15ff95856a6

SHA256
36c7670b45a97dec2e6d149baeaa4259ca7c07ee5e666a86404bc982a11e1d08

SHA512
e40df6843ba7e4ba2335099321dd0c62819b6be7dae8544d08765027b670e1ec0c020366cd6769d6dff15b3cfc98108c61ad4f9a67bf8c78bea416564afa6819

Download Submit
memory/1588-49-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1588-44-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1588-45-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1588-50-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1588-51-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1588-52-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/1588-53-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2768-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2768-34-0x0000000003D30000-0x0000000003DD0000-memory.dmp

Filesize
640KB

Download
memory/2768-42-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2972-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2972-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2984-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download