urelas | 685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d

General

Target

685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe
Size

102KB
MD5

7fe58f1d3995cfbc0b1c24a68b0aa63b
SHA1

5487ebe115e3ab177a45ca63e0f60cab799f837e
SHA256

685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d
SHA512

47904d161ec377c7620aa3be53a6e90bd631f9657537a66cfc45378fd115ba59ec82682557a776d823f041b5929daf987cfdd4471f3e4379e4997e867c65e097
SSDEEP

1536:OVNSf7hyk+I6412V6PMqAax80XAFSrRd4BH/bdF2x:SSf9yk+U2V63XAFSrRKBHTix

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Detects executables built or packed with MPress PE compressor 8 IoCs

resource	yara_rule
behavioral1/memory/2852-0-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b00000001267a-4.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-6-0x0000000002C00000-0x0000000002C38000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2296-18-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2852-16-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2296-21-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2296-23-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2296-29-0x0000000000400000-0x0000000000438000-memory.dmp	INDICATOR_EXE_Packed_MPress

Deletes itself 1 IoCs

pid	Process
2224	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2296	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	28
PID 2852 wrote to memory of 2224	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	29
PID 2852 wrote to memory of 2224	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	29
PID 2852 wrote to memory of 2224	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	29
PID 2852 wrote to memory of 2224	2852	685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe	29

C:\Users\Admin\AppData\Local\Temp\685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe
"C:\Users\Admin\AppData\Local\Temp\685e31d7a1575a8d0b201dff4ac49fd301b59441c347b2f43678a12de4f7058d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d8c69e006046149f40585fb3e1bfafb4

SHA1
97073fb1d116248dbecd009e4bf873ab45c6c2da

SHA256
df1edebe6911c5127449117bdcec2878b0ecaff3e930a37e13aefe54363be228

SHA512
b8f5c75fbbddbb185a82395b59f75802cf800dac792c7256261998f3b4a965f180a901f4bd4e873b1cec0ac7acb77e09ec793c8b19ac2d1fdf115e57c42626b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
cdc850b01239422a7e6613927f52e738

SHA1
1dd18d9b3523e1f87961a05694dd5601d1fff901

SHA256
696159560667d41313be0214185920209d557197869bbdd6711bdd9e79ec3d6d

SHA512
d78ff99dc3492831067c4dd9b7000a6f2683dd4fe23a28883e9bd845fc5cb1b5f1f2a90c7c787f0860ac09e23cd82775b9a10555840ce2f418967800c8e1f693

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
102KB

MD5
dc8a05a55e6516ceb5a1d820754ea11c

SHA1
b391d24c23228fd0c2c5877af905947f10402c85

SHA256
4f701d47cfb5dc4148c5de39df20139957f26300c12c709c30239aba9d5211d0

SHA512
a4fd21495f50f69c7bc30f3678b4894f26dc6c3a0ea9f404d51e93882e0a8d2137127cfd717b4dcb98d8e749938f23cb53de2fc932be04ae5d07ef6859231f63

Download Submit
memory/2296-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2852-6-0x0000000002C00000-0x0000000002C38000-memory.dmp

Filesize
224KB

Download
memory/2852-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing