urelas | 4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb

General

Target

4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe
Size

339KB
MD5

449a290c9f026bfbb8d6fdf999ef89d2
SHA1

d64276f96356441534de07b1ca062764611584e3
SHA256

4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb
SHA512

afa5e0d0e05824152492ed00462f970ab53ebcebc6faa49a0f4836b2cc4b7d5948edfe662db867c66c1de47fadbaefddad42d539b591401525ab972909587e5f
SSDEEP

6144:b/qE9d70WIH9wFHf+MQYVA5TDT44zuQOIFlUMazNWHT7+U:uGIWiiHWnesT/483OciyL

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\xejea.exe	UPX
behavioral1/memory/820-41-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX
behavioral1/memory/820-44-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX
behavioral1/memory/820-45-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX
behavioral1/memory/820-46-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX
behavioral1/memory/820-47-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX
behavioral1/memory/820-48-0x0000000000230000-0x00000000002E7000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2172 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

wicol.exexejea.exe

pid process

1712 wicol.exe
820 xejea.exe
Loads dropped DLL 2 IoCs

Processes:

4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exewicol.exe

pid process

2220 4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe
1712 wicol.exe

pid	process
2172	cmd.exe

pid	process
1712	wicol.exe
820	xejea.exe

pid	process
2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe
1712	wicol.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\xejea.exe	upx
behavioral1/memory/820-41-0x0000000000230000-0x00000000002E7000-memory.dmp	upx
behavioral1/memory/820-44-0x0000000000230000-0x00000000002E7000-memory.dmp	upx
behavioral1/memory/820-45-0x0000000000230000-0x00000000002E7000-memory.dmp	upx
behavioral1/memory/820-46-0x0000000000230000-0x00000000002E7000-memory.dmp	upx
behavioral1/memory/820-47-0x0000000000230000-0x00000000002E7000-memory.dmp	upx
behavioral1/memory/820-48-0x0000000000230000-0x00000000002E7000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

xejea.exe

pid	process
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe
820	xejea.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exewicol.exe

description	pid	process	target process
PID 2220 wrote to memory of 1712	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	wicol.exe
PID 2220 wrote to memory of 1712	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	wicol.exe
PID 2220 wrote to memory of 1712	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	wicol.exe
PID 2220 wrote to memory of 1712	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	wicol.exe
PID 2220 wrote to memory of 2172	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	cmd.exe
PID 2220 wrote to memory of 2172	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	cmd.exe
PID 2220 wrote to memory of 2172	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	cmd.exe
PID 2220 wrote to memory of 2172	2220	4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe	cmd.exe
PID 1712 wrote to memory of 820	1712	wicol.exe	xejea.exe
PID 1712 wrote to memory of 820	1712	wicol.exe	xejea.exe
PID 1712 wrote to memory of 820	1712	wicol.exe	xejea.exe
PID 1712 wrote to memory of 820	1712	wicol.exe	xejea.exe

C:\Users\Admin\AppData\Local\Temp\4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe
"C:\Users\Admin\AppData\Local\Temp\4ba506ffd4dcfc2893296d53f556ac68ed3180449a0bf6037d6522e0553344fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\wicol.exe
"C:\Users\Admin\AppData\Local\Temp\wicol.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\xejea.exe
"C:\Users\Admin\AppData\Local\Temp\xejea.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7dbe6b009533dd951847e225e08a06d5

SHA1
bdacb3a08f66d73d4ea73022f69d1865b79918c1

SHA256
7db0bdabc9a491ba1db3a5f0a88d712423ea157729bdeaf89fb9d833782b6ac6

SHA512
30ec501e4e8bd8989727af2c89dce9f18d7b9e9dbdbbe209628671fdd20a1f27f0b2d3e485e47b24b2eb33d38daa3af2982c39798cba8a31461c6149391ab987

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a0e79b9315fd2fd84c9f355e8c6aef1

SHA1
36b2490da4ad3f004658d7faabefba593aa5432d

SHA256
26f3e8a9a98d45c6e8da3b47d3d23b69c94b016fd92a1ad3315184b9532bf1a5

SHA512
3600b738382f85f368f73eeae29af99938a59bfa1cca4a7304fabec03e96684fc9e815298565ff9ca001dbb168a95d0fc232eb4583fd9cb48c7b2e7272892ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wicol.exe

Filesize
339KB

MD5
5b8b585260b77bfdb693206228b02bd6

SHA1
36172628de3297dc1653e8e926522a820fd4f096

SHA256
cdfe25a448a28ba146e27afcd601cf9930d3f8c09164f5f1224d9199d322f742

SHA512
d38addaf6e25349b717ea7bcac188cf287b3771bf109d0b33eb033884c93761cb3692c4bb7e55f9079053c7eeb6cd8a6e91e05292ca22ff610bb300d2223039b

Download Submit
\Users\Admin\AppData\Local\Temp\wicol.exe

Filesize
339KB

MD5
8e3dd7caa5f6898d69e31fef94915f66

SHA1
44bf72ae02e7395689a0f68e09d4330fd7988fa0

SHA256
82b391576a8349959b5129e08656437e5fa56e04f29617a15894243e54861741

SHA512
6151f24cf10004ab4c10cfc6ff38ccb6a6da9c0f21433ccf31f991802295c27e7cb76cd53bf2d335627e115a759daa1711ab14143d03777ec591955250339a19

Download Submit
\Users\Admin\AppData\Local\Temp\xejea.exe

Filesize
226KB

MD5
5248bf5f213b9669d0f525d1f677d470

SHA1
624cd461e345b987f9543a443608b1f7653496ed

SHA256
9f2dcf1789915ec69dd7b1848911efbc06fdf1baa2c84382e67ba2281beea177

SHA512
2b55d2666ee4d6da3eded4f00eb5793cd7284f717bb585bc2c4996990a88d5d5df5685585e25ab3dc8d64ebe52a5ef7990a4ee144f9ef1810abc332a5dfd2d22

Download Submit
memory/820-41-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/820-48-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/820-47-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/820-46-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/820-45-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/820-44-0x0000000000230000-0x00000000002E7000-memory.dmp

Filesize
732KB

Download
memory/1712-12-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/1712-40-0x0000000000260000-0x00000000002E8000-memory.dmp

Filesize
544KB

Download
memory/1712-24-0x0000000000260000-0x00000000002E8000-memory.dmp

Filesize
544KB

Download
memory/1712-11-0x0000000000260000-0x00000000002E8000-memory.dmp

Filesize
544KB

Download
memory/2220-21-0x00000000003A0000-0x0000000000428000-memory.dmp

Filesize
544KB

Download
memory/2220-0-0x00000000003A0000-0x0000000000428000-memory.dmp

Filesize
544KB

Download
memory/2220-9-0x0000000002A80000-0x0000000002B08000-memory.dmp

Filesize
544KB

Download
memory/2220-1-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads