urelas | 1acdea1201a8dfa629364934b47d8b64c8358f2fb19551972bdc7ec27935aa2c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5f4f5019d82a342eb9253f21e66af9f.exe
Size

402KB
MD5

d5f4f5019d82a342eb9253f21e66af9f
SHA1

30f7a8492b526b34c9da272c6ed1a3cb2ab37514
SHA256

1acdea1201a8dfa629364934b47d8b64c8358f2fb19551972bdc7ec27935aa2c
SHA512

5d2b624f0b3fb7191f0a7e05cfe5bc925d78c2c21ee42ab4e88064acd5a9f3455bd938db294616d74f6864464d81a2811e4b73cebbbac5f52227cbee9c25321c
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh9:8IfBoDWoyFblU6hAJQnO/

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2132	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2064	dofoa.exe
2572	tafuor.exe
2168	kuybw.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	d5f4f5019d82a342eb9253f21e66af9f.exe
2932	d5f4f5019d82a342eb9253f21e66af9f.exe
2064	dofoa.exe
2064	dofoa.exe
2572	tafuor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe
2168	kuybw.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2064	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	28
PID 2932 wrote to memory of 2064	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	28
PID 2932 wrote to memory of 2064	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	28
PID 2932 wrote to memory of 2064	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	28
PID 2932 wrote to memory of 2132	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	29
PID 2932 wrote to memory of 2132	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	29
PID 2932 wrote to memory of 2132	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	29
PID 2932 wrote to memory of 2132	2932	d5f4f5019d82a342eb9253f21e66af9f.exe	29
PID 2064 wrote to memory of 2572	2064	dofoa.exe	31
PID 2064 wrote to memory of 2572	2064	dofoa.exe	31
PID 2064 wrote to memory of 2572	2064	dofoa.exe	31
PID 2064 wrote to memory of 2572	2064	dofoa.exe	31
PID 2572 wrote to memory of 2168	2572	tafuor.exe	34
PID 2572 wrote to memory of 2168	2572	tafuor.exe	34
PID 2572 wrote to memory of 2168	2572	tafuor.exe	34
PID 2572 wrote to memory of 2168	2572	tafuor.exe	34
PID 2572 wrote to memory of 2672	2572	tafuor.exe	35
PID 2572 wrote to memory of 2672	2572	tafuor.exe	35
PID 2572 wrote to memory of 2672	2572	tafuor.exe	35
PID 2572 wrote to memory of 2672	2572	tafuor.exe	35

C:\Users\Admin\AppData\Local\Temp\d5f4f5019d82a342eb9253f21e66af9f.exe
"C:\Users\Admin\AppData\Local\Temp\d5f4f5019d82a342eb9253f21e66af9f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\dofoa.exe
  "C:\Users\Admin\AppData\Local\Temp\dofoa.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\tafuor.exe
    "C:\Users\Admin\AppData\Local\Temp\tafuor.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\kuybw.exe
      "C:\Users\Admin\AppData\Local\Temp\kuybw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
1b3d5f4d5ea6c65e268f25c21c4b187e

SHA1
567c4db2c9a4dfd22745f1f6c86877e726dea17b

SHA256
e2eb6c4dc9454d9577cf333d457092fccd4ce918573bdf4dd8d3abb89d5da29f

SHA512
e4438544f2a6a41623379d817afe22e087f1ab2f74211964921fc39cb8fd39c7d0b34c87f67f912d8cdb376ac9b7302f4f671d86dcc3a42d079b908510e0be88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
77ee2c6840bcc2135ab8bc8ccad0d312

SHA1
7eaa0f9e6479cf75c9b967f977f9cc71f5467f12

SHA256
57f52a6cfd393fd796589d19a5a2726b273f30923dfe29c92d55896149770e97

SHA512
f1901b08de741958b582877cc27c901f4fba707dd0bcfad6b62b3fbc4f13a1f404a71553a7d80fd6f2ae43f5bb5d61f12c412dcd1022c6821f802dba33ed7cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e34b711ef54b796ea8770b372b4f4a3a

SHA1
75602e0e666105a4f1bfd5d55aaa27dc1330f05c

SHA256
a2d675bd03353c844fd2ee5b1f8332b96c8f2f65586e2da41387e33c9309ec7c

SHA512
e78081175b863d113e9814c575cd4da6c428671b53b28ce29029514e2cfd48edcc6f88654a499d8b623d4f2b402de405b31d0d3c0d2ab210ab1993b0d60d5012

Download Submit
\Users\Admin\AppData\Local\Temp\dofoa.exe

Filesize
402KB

MD5
724eb331286be04f69cf205a11911185

SHA1
c3d68d6dd261ee3fd0901483124ffe0ef0812021

SHA256
8d274a414e63326bfac8f3976988f18b28d0a6f7ca7ecfaeed11af3a93bfe371

SHA512
6474ffeeb9ee6d9a800accfb47c8e5240802202358546d29c346a5084d96b0b1614c38bdf0a4df1a0c2725dba4b116527ddef98ae53656176776532dc59af21b

Download Submit
\Users\Admin\AppData\Local\Temp\kuybw.exe

Filesize
223KB

MD5
c70e284b875dd5882db178c6f24dd52c

SHA1
a2f5ff96e438b664c72df25df98f9da077bf87ea

SHA256
8ee2b3738fc52fcbdd1bda824418b026b7f67dbc9bd64a324d6ff5b86b5193b8

SHA512
86d9cd3d937cdd1ec85cb3d4058c0b7bde0ccb91836ed2b0c3dcc57b511445b91d2180b52b50b96f17b6931cdcb514026046df64f761f99c7891df605fd6cec0

Download Submit
\Users\Admin\AppData\Local\Temp\tafuor.exe

Filesize
402KB

MD5
209f7b3d9171f23794634e97fc1015b5

SHA1
dbb5b4dca3055b80336ce76ba774587437250d84

SHA256
f8a8c0a4c001eeee86e3e3d094becd2aa7360518187a80e5feb79faf8916af09

SHA512
8d6844baef66ad221b06515ecd241ff5967ff244060d4c2dbbd81dfbdd7f4a1a849f5c3182ab80b8d6bfcc6be61368b669dbf37441602413887763659c0caf16

Download Submit
memory/2064-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2064-35-0x0000000002120000-0x0000000002188000-memory.dmp

Filesize
416KB

Download
memory/2064-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2168-53-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2168-54-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2168-58-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2168-59-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2168-60-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2168-61-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2168-62-0x0000000000C00000-0x0000000000CA0000-memory.dmp

Filesize
640KB

Download
memory/2572-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2572-51-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2932-22-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/2932-19-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2932-20-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/2932-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download