urelas | e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f

General

Target

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
Size

6.4MB
MD5

43859040ad488d1f1ceb32cdc9f4da18
SHA1

fdaeeb8b4ad0e3b54a270dd54260e4a841844fd4
SHA256

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f
SHA512

4f2a98e263ac2ae8323dfd38956b7448e119f787d60b0cc1dd031032b0be37e6176ab4ea2c25eaaf3601b158f965831beb51df68be6d48bd81bdeb7717648a88
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSt:i0LrA2kHKQHNk3og9unipQyOaOt

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/880-168-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\pyujb.exe	UPX
behavioral1/memory/880-174-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2584 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

zupop.execocytu.exepyujb.exe

pid process

2716 zupop.exe
2568 cocytu.exe
880 pyujb.exe

pid	process
2584	cmd.exe

pid	process
2716	zupop.exe
2568	cocytu.exe
880	pyujb.exe

Loads dropped DLL 5 IoCs

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exezupop.execocytu.exe

pid	process
2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
2716	zupop.exe
2716	zupop.exe
2568	cocytu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/880-168-0x0000000000400000-0x0000000000599000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\pyujb.exe	upx
behavioral1/memory/880-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exezupop.execocytu.exepyujb.exe

pid	process
2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
2716	zupop.exe
2568	cocytu.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe
880	pyujb.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exezupop.execocytu.exe

description	pid	process	target process
PID 2400 wrote to memory of 2716	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	zupop.exe
PID 2400 wrote to memory of 2716	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	zupop.exe
PID 2400 wrote to memory of 2716	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	zupop.exe
PID 2400 wrote to memory of 2716	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	zupop.exe
PID 2400 wrote to memory of 2584	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 2400 wrote to memory of 2584	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 2400 wrote to memory of 2584	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 2400 wrote to memory of 2584	2400	e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe	cmd.exe
PID 2716 wrote to memory of 2568	2716	zupop.exe	cocytu.exe
PID 2716 wrote to memory of 2568	2716	zupop.exe	cocytu.exe
PID 2716 wrote to memory of 2568	2716	zupop.exe	cocytu.exe
PID 2716 wrote to memory of 2568	2716	zupop.exe	cocytu.exe
PID 2568 wrote to memory of 880	2568	cocytu.exe	pyujb.exe
PID 2568 wrote to memory of 880	2568	cocytu.exe	pyujb.exe
PID 2568 wrote to memory of 880	2568	cocytu.exe	pyujb.exe
PID 2568 wrote to memory of 880	2568	cocytu.exe	pyujb.exe
PID 2568 wrote to memory of 1152	2568	cocytu.exe	cmd.exe
PID 2568 wrote to memory of 1152	2568	cocytu.exe	cmd.exe
PID 2568 wrote to memory of 1152	2568	cocytu.exe	cmd.exe
PID 2568 wrote to memory of 1152	2568	cocytu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe
"C:\Users\Admin\AppData\Local\Temp\e3030a1e243f1c4fc193a0b36d23f7cd8afcaf59cce327f0e233d2895b74945f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\zupop.exe
  "C:\Users\Admin\AppData\Local\Temp\zupop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\cocytu.exe
    "C:\Users\Admin\AppData\Local\Temp\cocytu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\pyujb.exe
      "C:\Users\Admin\AppData\Local\Temp\pyujb.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
20e9893e9c6376bcd5b31577cc4cd920

SHA1
2e8311391fc6bedb98f7c364bf412f6f66569c44

SHA256
d02101ad651761c8dc18ffbc905b75aed8084ff0a7f76176676fceb2a901d7cb

SHA512
be455ac818085870d33b6410501b541db6e85e0d82071bbd0a3b90ede9aacdb8e3b4e004c4a88a76d7952633ac76ecdf908e61b49cdae686d50db32baabaac76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
06ed9929f2f81e1a7cc75476f113fa6f

SHA1
ba9c2cd1c970ca075b968f5e41d7a84b827480da

SHA256
236a6a7eca704cfccf4975d16d8c492853814c9f626b4986737a021da28861d9

SHA512
1a98694287f07a773ae9345b8706436e7f5874f617afe7712407be9094190de44a7853266a4aeb92367cceada45a34ace72f9f06fffb8f4ecbfd90b50b94ffd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b2f5d3ac14602beb15ce5860c41c51e5

SHA1
84be677185fdb52ec98999dec755736b714474a0

SHA256
c28076b9fa4643770ad49710a1851e7421cbcaef60cf1c7294e88d77b3851adf

SHA512
25cd82344a82aacfa2ce4201a7a798eb023bb54afbb68c32009c334ed7402565992e6d77c016255a34214256e57a22ed38b844d0edeac7cad36b973465db7fb6

Download Submit
\Users\Admin\AppData\Local\Temp\pyujb.exe

Filesize
459KB

MD5
f4de9870bb36c0e18a53dd695b0c68c5

SHA1
7ef31d6c94cc74a2b9c2bb51669acca48f5d0c96

SHA256
8b1c7755f00236eff2dd1269d5a415341d683aa6221b75a722e665923e3d5d9b

SHA512
e4250ff5ac22ffd649f4531305992e280d665a3871b0dcc13231897a8622284c4d5815696c5b1267f92692e6377eef5517119c3a0ce5735b74f02f4a747f92b8

Download Submit
\Users\Admin\AppData\Local\Temp\zupop.exe

Filesize
6.4MB

MD5
4ee431b1d22a2f1382e6e62a0c91dffc

SHA1
dabdbae6d17c37494b2c637bd4213a5bb8308ea9

SHA256
050fce7a2181455344f96102d6747292a7d0c69a79a016270a5964ee96ee6afc

SHA512
e00df340043dd26c418e96ed996a337462f17858ab589cef09348e8f5cb381b81fe4e545239180ce8a492cd00d15e5b9e223b79667716bc407f482d6b1adc28e

Download Submit
memory/880-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/880-168-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2400-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2400-61-0x0000000003F80000-0x0000000004A6C000-memory.dmp

Filesize
10.9MB

Download
memory/2400-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-15-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2400-13-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2400-11-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2400-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2400-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2400-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2400-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2400-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2400-58-0x0000000003F80000-0x0000000004A6C000-memory.dmp

Filesize
10.9MB

Download
memory/2400-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2400-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2400-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2400-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2400-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2400-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2400-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2400-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2568-159-0x00000000047F0000-0x0000000004989000-memory.dmp

Filesize
1.6MB

Download
memory/2568-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2716-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2716-113-0x0000000004540000-0x000000000502C000-memory.dmp

Filesize
10.9MB

Download
memory/2716-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2716-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2716-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2716-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2716-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2716-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads