urelas | d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe
Size

6.4MB
MD5

2fb94fe3b6ac58d0a8355e24dce703e6
SHA1

fac38ffb4b175463f90d513062d27c55507a1ef6
SHA256

d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6
SHA512

a586c6300cae01427e3bffe3d472ea4097b16c00c74e9c6899a76f568328d32f8aaa88995a669fa8e8f638b324c36cc94edd106b9d332ef9b78422d5bab5d447
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral1/files/0x0012000000013f2c-161.dat	UPX
behavioral1/memory/2220-174-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/2220-181-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2704	muley.exe
2792	puteve.exe
2220	bikun.exe

Loads dropped DLL 5 IoCs

pid	Process
2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe
2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe
2704	muley.exe
2704	muley.exe
2792	puteve.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0012000000013f2c-161.dat	upx
behavioral1/memory/2220-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2220-181-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe
2704	muley.exe
2792	puteve.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe
2220	bikun.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2704	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	28
PID 2912 wrote to memory of 2704	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	28
PID 2912 wrote to memory of 2704	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	28
PID 2912 wrote to memory of 2704	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	28
PID 2912 wrote to memory of 2656	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	29
PID 2912 wrote to memory of 2656	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	29
PID 2912 wrote to memory of 2656	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	29
PID 2912 wrote to memory of 2656	2912	d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe	29
PID 2704 wrote to memory of 2792	2704	muley.exe	31
PID 2704 wrote to memory of 2792	2704	muley.exe	31
PID 2704 wrote to memory of 2792	2704	muley.exe	31
PID 2704 wrote to memory of 2792	2704	muley.exe	31
PID 2792 wrote to memory of 2220	2792	puteve.exe	34
PID 2792 wrote to memory of 2220	2792	puteve.exe	34
PID 2792 wrote to memory of 2220	2792	puteve.exe	34
PID 2792 wrote to memory of 2220	2792	puteve.exe	34
PID 2792 wrote to memory of 1112	2792	puteve.exe	35
PID 2792 wrote to memory of 1112	2792	puteve.exe	35
PID 2792 wrote to memory of 1112	2792	puteve.exe	35
PID 2792 wrote to memory of 1112	2792	puteve.exe	35

C:\Users\Admin\AppData\Local\Temp\d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe
"C:\Users\Admin\AppData\Local\Temp\d276a8b8f347e8ae29beebd93f3dcbb0fd4215e0e6045e13f247b7ad78beafe6.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\muley.exe
  "C:\Users\Admin\AppData\Local\Temp\muley.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\puteve.exe
    "C:\Users\Admin\AppData\Local\Temp\puteve.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\bikun.exe
      "C:\Users\Admin\AppData\Local\Temp\bikun.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
01334a8e7c56071c959dae74c53e822e

SHA1
b5c4bf03cd24038dd14c37ab00d54f0f863bae0d

SHA256
702923818e0338658bab3b99f0be895e205920b3f9af1be3e0661e5f6174bf08

SHA512
ed42c0938cb802b87769eb56dace82996d1bdff1c2bb945c741ad1ba1d6a3f4e4ef5c619f8f64f816f9d761423c8ea987b4faa7c03e2f35fdae0849345d64129

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f8ec7d8cd0c79c803d601205b3282e5a

SHA1
2b3cabb088b0a3bdf57de4242ba5f2004b714c5e

SHA256
24f3405d02cfea82bc17b134e93d9d0c01cd3356cbc63bf0bb7e9b6e3b21a829

SHA512
612996e87ef258f76215f5b6f06752f0a8d29153ce0543efbcf1e95b4fab3eb31b46c88b9df1f245bf7d6c7a59303ff93d1b234a1520479b27d5e330952debb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6de62bcaafbf1246a40a3c0465ea92a0

SHA1
b46e68c161be01740c782c28eb49abb97ce40605

SHA256
f190423355d86b71fe0d6715c05b41fbfcca3d479e7d2ac2985aa30aa2f9b3a7

SHA512
4c101b9a48f1d488d649e3d9052a589dc63dc2716d19ea676347b6ddc174af328eb31f82e92afc466f93b2902a3b6499351f914060778efb8a1587ef018e631b

Download Submit
\Users\Admin\AppData\Local\Temp\bikun.exe

Filesize
459KB

MD5
114f8c2d124f7d46f9a2aa7036954c2e

SHA1
2b947318e7fe578d65ce4f5c003229366e3ddbd2

SHA256
b62c60e1be69ace46574b007ec822aabc7fd868a541fb0b18ce4f7989d2e0ede

SHA512
ac04e06d67bfb7233198ba0e80340699c8245c4c2565dbded72acfe4bd065862071e396fc8fe18081a242db2b92a54fa2b32ceff37cf5e458ea5b508851c58e7

Download Submit
\Users\Admin\AppData\Local\Temp\muley.exe

Filesize
6.4MB

MD5
13bdc14bc9a730947fe5ca29368586ee

SHA1
6905826875e5d89947f1b0b1f84d312761802702

SHA256
2e7e7cc35bcf3aa643ce36c03c643ef2fe1ab5afc7507a8373b7d4ecc2bcc325

SHA512
291f1677bd83bf4ed80fcae11295d2496595f130645df06c974cb43d4913c6158169ca2b3986ddb0acc97f25512c5f96a4850cb44d58af090b3fc75740c14b04

Download Submit
memory/2220-182-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2220-181-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2220-176-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2220-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2704-86-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2704-89-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2704-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-117-0x0000000004400000-0x0000000004EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-116-0x0000000004400000-0x0000000004EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-84-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2704-68-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-67-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-81-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2704-91-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2704-79-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2792-165-0x0000000004B20000-0x0000000004CB9000-memory.dmp

Filesize
1.6MB

Download
memory/2792-130-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2792-175-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2792-157-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2792-118-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-33-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2912-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-55-0x0000000004100000-0x0000000004BEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-53-0x0000000004100000-0x0000000004BEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2912-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2912-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2912-23-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2912-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2912-28-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2912-31-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2912-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2912-38-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2912-21-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-10-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

Filesize
4KB

Download
memory/2912-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2912-5-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2912-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2912-2-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2912-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download