urelas | 41a06a41931fe281179944dbc9ec941d88eac9063d8877664c4e584569e4cb66

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4338d227b68d80fc282073c758d0bac1.exe
Size

366KB
MD5

4338d227b68d80fc282073c758d0bac1
SHA1

7fb57bdfcfd56035b34adf47bdd6e1cd205613ce
SHA256

41a06a41931fe281179944dbc9ec941d88eac9063d8877664c4e584569e4cb66
SHA512

0942b5dfe9f4b4e20607f772d885965590d76432a35343702418a3c91cc3f1abd76bfcdbcd09939f8ea43786464bf3453474cb97da0c342e5654d5c1c45e90ab
SSDEEP

6144:OuJkl8DV12C28tLN2/FkCO0aHftvCGCBhDOHjTPmXHk62pk:OzGL2C2aZ2/F1XaveOHjTo

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Executes dropped EXE 1 IoCs

pid	Process
1088	vivin.exe

Loads dropped DLL 1 IoCs

pid	Process
2080	4338d227b68d80fc282073c758d0bac1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1088	2080	4338d227b68d80fc282073c758d0bac1.exe	28
PID 2080 wrote to memory of 1088	2080	4338d227b68d80fc282073c758d0bac1.exe	28
PID 2080 wrote to memory of 1088	2080	4338d227b68d80fc282073c758d0bac1.exe	28
PID 2080 wrote to memory of 1088	2080	4338d227b68d80fc282073c758d0bac1.exe	28

C:\Users\Admin\AppData\Local\Temp\4338d227b68d80fc282073c758d0bac1.exe
"C:\Users\Admin\AppData\Local\Temp\4338d227b68d80fc282073c758d0bac1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\vivin.exe
  "C:\Users\Admin\AppData\Local\Temp\vivin.exe"
  2⤵
  - Executes dropped EXE
  PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b70b322c2aebd49aa493eeecbec410de

SHA1
50edcd9fc3f4dc3ca3965a265769325cff853422

SHA256
8b2ccb4b632c25023866e0e9b7ba4d24891c8fcae6b9df1c22018f2cf1504dcf

SHA512
1ce56344d23b156f3437d4283f971b51ab4ad8e551b68c09ac59ee71f6dd305aa7946131561727f32d635380d717789146b0e772c41bf52eb820175d4a5a23fe

Download Submit
\Users\Admin\AppData\Local\Temp\vivin.exe

Filesize
366KB

MD5
a2a41f18edc0879460844ff34ae737ae

SHA1
8b6cb615d53be9c401c69db463dd0205dc8e3a41

SHA256
464d75d013767a516ae02ed96229c0e556e3f6fae66fff9370185cd5046f99a3

SHA512
f1fcb6b7840710524904e3d04f20f7246276189fa55a5d66e33365e5fb84ad17f6dce926d39a01edb5fb42cfb96226bc643a662b025da27494e95db679469cc6

Download Submit
memory/1088-13-0x00000000010B0000-0x0000000001112000-memory.dmp

Filesize
392KB

Download
memory/1088-18-0x00000000010B0000-0x0000000001112000-memory.dmp

Filesize
392KB

Download
memory/2080-0-0x0000000000DC0000-0x0000000000E22000-memory.dmp

Filesize
392KB

Download
memory/2080-11-0x0000000000DC0000-0x0000000000E22000-memory.dmp

Filesize
392KB

Download
memory/2080-8-0x0000000000640000-0x00000000006A2000-memory.dmp

Filesize
392KB

Download