urelas | af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289

General

Target

af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe
Size

6.5MB
MD5

b8f48f81154e07c64dbe8880bc698df0
SHA1

c57afa057e3eb8523e4f1afe260358a31e73a7e2
SHA256

af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289
SHA512

dbc1b7468063683bc173dec7fa0efa3c33d9a6e78fadd391804cadcf4d2473c0b65043cd83c9ed05d6104ac8fe43a333c3beb02b01aee44156832bfdf4f55e80
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSK:i0LrA2kHKQHNk3og9unipQyOaOK

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tuorl.exe	UPX
behavioral1/memory/1132-170-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/1132-176-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2152 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

wuojj.exewuenzo.exetuorl.exe

pid process

2524 wuojj.exe
2708 wuenzo.exe
1132 tuorl.exe

pid	process
2152	cmd.exe

pid	process
2524	wuojj.exe
2708	wuenzo.exe
1132	tuorl.exe

Loads dropped DLL 5 IoCs

Processes:

af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exewuojj.exewuenzo.exe

pid	process
2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe
2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe
2524	wuojj.exe
2524	wuojj.exe
2708	wuenzo.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tuorl.exe	upx
behavioral1/memory/1132-170-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1132-176-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exewuojj.exewuenzo.exetuorl.exe

pid	process
2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe
2524	wuojj.exe
2708	wuenzo.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe
1132	tuorl.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exewuojj.exewuenzo.exe

description	pid	process	target process
PID 2108 wrote to memory of 2524	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	wuojj.exe
PID 2108 wrote to memory of 2524	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	wuojj.exe
PID 2108 wrote to memory of 2524	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	wuojj.exe
PID 2108 wrote to memory of 2524	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	wuojj.exe
PID 2108 wrote to memory of 2152	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	cmd.exe
PID 2108 wrote to memory of 2152	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	cmd.exe
PID 2108 wrote to memory of 2152	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	cmd.exe
PID 2108 wrote to memory of 2152	2108	af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe	cmd.exe
PID 2524 wrote to memory of 2708	2524	wuojj.exe	wuenzo.exe
PID 2524 wrote to memory of 2708	2524	wuojj.exe	wuenzo.exe
PID 2524 wrote to memory of 2708	2524	wuojj.exe	wuenzo.exe
PID 2524 wrote to memory of 2708	2524	wuojj.exe	wuenzo.exe
PID 2708 wrote to memory of 1132	2708	wuenzo.exe	tuorl.exe
PID 2708 wrote to memory of 1132	2708	wuenzo.exe	tuorl.exe
PID 2708 wrote to memory of 1132	2708	wuenzo.exe	tuorl.exe
PID 2708 wrote to memory of 1132	2708	wuenzo.exe	tuorl.exe
PID 2708 wrote to memory of 844	2708	wuenzo.exe	cmd.exe
PID 2708 wrote to memory of 844	2708	wuenzo.exe	cmd.exe
PID 2708 wrote to memory of 844	2708	wuenzo.exe	cmd.exe
PID 2708 wrote to memory of 844	2708	wuenzo.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe
"C:\Users\Admin\AppData\Local\Temp\af5445831e1daa125e35a5f94ebb6876130fa0d347483d93aa9ca0592d564289.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\wuojj.exe
"C:\Users\Admin\AppData\Local\Temp\wuojj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\wuenzo.exe
"C:\Users\Admin\AppData\Local\Temp\wuenzo.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\tuorl.exe
"C:\Users\Admin\AppData\Local\Temp\tuorl.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d00d6d5c9eb714bee5b53c1c61f7b120

SHA1
e793cae26a4c74eb658c463a7191e57b00784320

SHA256
efc3b97fe4f8f20d2edc0448336276c5866231e14ef327abe97c519728c6578d

SHA512
b7d684130b59927129d302f40f8fbac4894af2e1a6d0c1fa018b80bfab8cf5bd045abe8a1d5357a18ba14a66fe7a8adc0404a1abec5797546dfcf739a5b8b341

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
ad9f65d95d65a29221128809d5235fab

SHA1
1862730e26848347779c1ab93c965131734ec791

SHA256
99722a3473b2e0b3a590b504b4920a6bfad2d45cb421696fefc95f1ae5f3d54c

SHA512
dd478d5842e2ad4b11a5201d8a5c0a8a5754b818376beb1301f0d2bde962f2fb73016a3c9668131bdf06ceaba9cdc1883a49cacda1d6c710701658d5036c30be

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e61e87bf077e231997b83f6aa97fc663

SHA1
bb9b6f69f50532deee681a0927c75a3cec899512

SHA256
4069e3e1fae4f0eda9a90a0a2e1f0473b38e6759e1320ccf477c728b3ae71c80

SHA512
1386cf65eaf71ae06fd3434ba78ffc15a6b06d4638f9efaa442b69501a2bd5c5b691b90fc348b2e9fde3b24ab3d67b702fbb769015b4c6b33f09610488acd26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuojj.exe

Filesize
6.5MB

MD5
462b8b191743533078be8c3c26092a27

SHA1
e21ba24e1e40119caa881e2280836afeff3815a8

SHA256
deb0ee0d4311cb036832be0633c9cbc90dadc56dbbb23f241d220d2d581ef403

SHA512
16759666a5681a9ffbb54024c64e6dbde4841bd63afb596e8ec0303629aac416bf19bf2cdf5e364af3ab2f01cb9d77969f570b2f672cb99b419c1a1d041b3656

Download Submit
\Users\Admin\AppData\Local\Temp\tuorl.exe

Filesize
459KB

MD5
461589898a27884e4b6c9475b2500d14

SHA1
ab944236cdc054c7ea9d3d115ddbd96103f1cc0b

SHA256
f7e9fe9699e14e827a9058dcdf4a6c5e21a9e599458ed2762ad9ee235abba830

SHA512
2dc34bee9e61598747f18af60a19c33ac7f76d58ee2948e1f98a5ee305b1bfff840022fe30a7d4cc790c5d7bb8e7436bf971503c757a8301e6c544cf92ba7ece

Download Submit
memory/1132-170-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1132-176-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2108-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2108-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2108-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2108-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2108-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2108-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2108-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2108-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2108-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2108-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2108-61-0x0000000003F80000-0x0000000004A6C000-memory.dmp

Filesize
10.9MB

Download
memory/2108-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2108-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2108-22-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2108-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2108-59-0x0000000003F80000-0x0000000004A6C000-memory.dmp

Filesize
10.9MB

Download
memory/2108-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2108-26-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2108-29-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2108-31-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2108-34-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2108-36-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2524-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2524-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2524-112-0x0000000004400000-0x0000000004EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2524-78-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2524-80-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2524-88-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2524-90-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2708-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2708-161-0x0000000004820000-0x00000000049B9000-memory.dmp

Filesize
1.6MB

Download
memory/2708-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads