urelas | 4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe
Size

6.5MB
MD5

617ce8380267c9eccda986f2c643a184
SHA1

2908ed6602e78475f247ecb3b65df9bb5ca5506e
SHA256

4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9
SHA512

360858a035eab73bb39085637340ad0b19ff5d3dd157b9f3aa02cb1735512f6e1c09ebe2c3ba625cd24e16a40aceafaadef72968e800aa570de6ef3d57e04e84
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSC:i0LrA2kHKQHNk3og9unipQyOaOC

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vixea.exe	UPX
behavioral1/memory/1964-157-0x0000000004790000-0x0000000004929000-memory.dmp	UPX
behavioral1/memory/2836-159-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/2836-172-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2768 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

juofa.exeemasno.exevixea.exe

pid process

2748 juofa.exe
1964 emasno.exe
2836 vixea.exe

pid	process
2768	cmd.exe

pid	process
2748	juofa.exe
1964	emasno.exe
2836	vixea.exe

Loads dropped DLL 5 IoCs

Processes:

4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exejuofa.exeemasno.exe

pid	process
1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe
1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe
2748	juofa.exe
2748	juofa.exe
1964	emasno.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\vixea.exe	upx
behavioral1/memory/1964-157-0x0000000004790000-0x0000000004929000-memory.dmp	upx
behavioral1/memory/2836-159-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2836-172-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exejuofa.exeemasno.exevixea.exe

pid	process
1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe
2748	juofa.exe
1964	emasno.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe
2836	vixea.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exejuofa.exeemasno.exe

description	pid	process	target process
PID 1740 wrote to memory of 2748	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	juofa.exe
PID 1740 wrote to memory of 2748	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	juofa.exe
PID 1740 wrote to memory of 2748	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	juofa.exe
PID 1740 wrote to memory of 2748	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	juofa.exe
PID 1740 wrote to memory of 2768	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	cmd.exe
PID 1740 wrote to memory of 2768	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	cmd.exe
PID 1740 wrote to memory of 2768	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	cmd.exe
PID 1740 wrote to memory of 2768	1740	4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe	cmd.exe
PID 2748 wrote to memory of 1964	2748	juofa.exe	emasno.exe
PID 2748 wrote to memory of 1964	2748	juofa.exe	emasno.exe
PID 2748 wrote to memory of 1964	2748	juofa.exe	emasno.exe
PID 2748 wrote to memory of 1964	2748	juofa.exe	emasno.exe
PID 1964 wrote to memory of 2836	1964	emasno.exe	vixea.exe
PID 1964 wrote to memory of 2836	1964	emasno.exe	vixea.exe
PID 1964 wrote to memory of 2836	1964	emasno.exe	vixea.exe
PID 1964 wrote to memory of 2836	1964	emasno.exe	vixea.exe
PID 1964 wrote to memory of 1128	1964	emasno.exe	cmd.exe
PID 1964 wrote to memory of 1128	1964	emasno.exe	cmd.exe
PID 1964 wrote to memory of 1128	1964	emasno.exe	cmd.exe
PID 1964 wrote to memory of 1128	1964	emasno.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe
"C:\Users\Admin\AppData\Local\Temp\4055cf6defa3c63ffd2dd2fd26b3cb9b224ed394b9186ea6ada4cf7325ef65f9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\juofa.exe
  "C:\Users\Admin\AppData\Local\Temp\juofa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\emasno.exe
    "C:\Users\Admin\AppData\Local\Temp\emasno.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\vixea.exe
      "C:\Users\Admin\AppData\Local\Temp\vixea.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c44f581595ec54baa030231a723044ad

SHA1
309fc73ed012488dfe53246bf7249af5fb965909

SHA256
ba3474cf3750c6f65d72732c0d9b7709a2a442f12081d2bddcef3d6926223406

SHA512
c4af6439b0adabe403f06308773690c3965edd82774b414ea7ed38be34d775ad7abfb238c284cfa5377e2cbc216c0f764eb2b790fddbe97d596867132340b65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
2c5a710652b8af0eddb4eca87ea51a63

SHA1
58767930f4d16718e3d33413562161cb32d43192

SHA256
74131b3720d1d016b8de5290b467dd41dda43a064dc6670edd67582a8ad1dfdc

SHA512
eaebbc468772bb2ea6410d071c6d3d7d336e772ab2b4b790fae2cae1bb581c6cf917b80a13beb613ed28edfe53d4bb576f3a76d7c4bf5c3c6a0611ccfd4bc654

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
20f86fb33b976efaddaa0282462116c5

SHA1
872073acbe4bd1fcf0dccd2278fdd2d0aadd85a1

SHA256
ed93159fe5ee989557579b0467efb7df6b421220d2ee134bec08b1b1e700ee6d

SHA512
42e9bfb7dcbbc8469cb6b101c1407182674b3311027026c6d3b0f7e773d93984133842b2f0dee6360da6ac4454e99288d6aa98dab09ebb2db8e8dea9918462eb

Download Submit
\Users\Admin\AppData\Local\Temp\juofa.exe

Filesize
6.5MB

MD5
6fc3e266b8d2beb69b612c6001c96093

SHA1
ed7a0e298dbecbb42319a1073bd167a185d5db89

SHA256
75a661931d7d2e4c2ce116126b6c8962b48d21d5bc8d3f363703ba5e0cafd4fb

SHA512
0ce21c21496055b3088343257bdf9e620d444722f36575ea5f0788baa88481523072b2c6649abc3cc858cf2bf8def7aafd2dd19a6048c6ce2c35752caa9bf436

Download Submit
\Users\Admin\AppData\Local\Temp\vixea.exe

Filesize
459KB

MD5
60faaa40bda0f7ebeb43d5c41d18fb1f

SHA1
50d1864bd08f638b64c8b68cc2c2d58e605e2a2f

SHA256
a49ed973335a476150044806cd5620f463556e6fa71c4a078865cdf20b580f8f

SHA512
a3a0b414389455489a3397f0a8958b3dc54f24d7f2abed54faa916946ba0934972f7c9505a1b711066e4877d606bed4481157cbffbdf79032049fb657d87966d

Download Submit
memory/1740-57-0x0000000004220000-0x0000000004D0C000-memory.dmp

Filesize
10.9MB

Download
memory/1740-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-23-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1740-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1740-18-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1740-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1740-13-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1740-11-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1740-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1740-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1740-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-28-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1740-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-30-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1740-60-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1740-25-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1740-40-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1740-33-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1740-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1740-35-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1964-157-0x0000000004790000-0x0000000004929000-memory.dmp

Filesize
1.6MB

Download
memory/1964-167-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2748-111-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2748-82-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2748-70-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2748-67-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2748-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2748-109-0x0000000004300000-0x0000000004DEC000-memory.dmp

Filesize
10.9MB

Download
memory/2748-80-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2748-72-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2748-75-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2748-85-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2748-87-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2748-77-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2836-159-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2836-172-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download