urelas | 4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8

General

Target

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
Size

399KB
MD5

d95620e95fc27136f7ed060ca4ddad5f
SHA1

495fe9777d72145a86e2ba49a6718a57e41cba39
SHA256

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8
SHA512

5603240c90411e55ec0afc2379a135d693effdbf2765983bfa12b82cd2006b07bf19694ad415db8211c8d9f4200146e0cafd88bcda0ccdaaa4085957552a5d01
SSDEEP

6144:1sa1jZVgy03se7k5kBTTg7YMz6j8GuHEqqtKKUrBwj3bT3RzV:rtVgyuse2kBXg7Cj81cKK7jfRV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2620 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

utkoh.exetujyu.exe

pid process

1816 utkoh.exe
376 tujyu.exe

pid	process
2620	cmd.exe

pid	process
1816	utkoh.exe
376	tujyu.exe

Loads dropped DLL 4 IoCs

Processes:

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exeutkoh.exe

pid	process
2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
1816	utkoh.exe
1816	utkoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tujyu.exe

pid	process
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe
376	tujyu.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exeutkoh.exe

description	pid	process	target process
PID 2132 wrote to memory of 1816	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	utkoh.exe
PID 2132 wrote to memory of 1816	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	utkoh.exe
PID 2132 wrote to memory of 1816	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	utkoh.exe
PID 2132 wrote to memory of 1816	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	utkoh.exe
PID 2132 wrote to memory of 2620	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 2132 wrote to memory of 2620	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 2132 wrote to memory of 2620	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 2132 wrote to memory of 2620	2132	4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe	cmd.exe
PID 1816 wrote to memory of 376	1816	utkoh.exe	tujyu.exe
PID 1816 wrote to memory of 376	1816	utkoh.exe	tujyu.exe
PID 1816 wrote to memory of 376	1816	utkoh.exe	tujyu.exe
PID 1816 wrote to memory of 376	1816	utkoh.exe	tujyu.exe

C:\Users\Admin\AppData\Local\Temp\4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe
"C:\Users\Admin\AppData\Local\Temp\4beb8b876c35290dcc4fe31800b5140a754613dc3a07dd97d60d376227b2d7c8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\utkoh.exe
"C:\Users\Admin\AppData\Local\Temp\utkoh.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\tujyu.exe
"C:\Users\Admin\AppData\Local\Temp\tujyu.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
e184f5b14ab81f71cacf25420cfcf4f5

SHA1
73584660a64fe1a8b33de78025aa205d801c6a9f

SHA256
776e2eb30664f339452de1a7a6b98dbf50a43137234bf4e59d4a4fcda9c11e35

SHA512
a33fd5f05577d5f0523d76068de03c9b0b7a700e2173b50f18cd1101c9abc36affabb9a7706fe9f561a0ec4107b85fac4cc6739b50738ba8502b2af0e683887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
e8152dfa7f5845cc0191cf41b06a2821

SHA1
75a661467ec5f4f5af9043629dd1e006ba68cbb1

SHA256
2b97c23d973ab9d82f6bec655491946d6b4f50758bc39a70254e732df57226d5

SHA512
e2734a085348354cff62107a42736f5d3f2aea7740e21276b18b06e7f7d7fb4c9e803f6c9ba9ae84d3026b92bb2f62736542d35e7f7c665138fb2030cea337c9

Download Submit
\Users\Admin\AppData\Local\Temp\tujyu.exe
Filesize
206KB

MD5
dcc403fa96a7c436674085843fd4f95d

SHA1
c2cacaf20e74556ed65f4236a71c538a58c71720

SHA256
5a047acea316090029071ee9a9e19c2c695e4a2c6524a7a0f5997d8b6889d853

SHA512
f4461a9bc139cd7355454239fa2ccf7006d02ee8116800d6ddc5214e88f83f15c1e3764b32f6c3965db1634b8cba8d8dec669d6a4c3528fefc8ee98a7dc69733

Download Submit
\Users\Admin\AppData\Local\Temp\utkoh.exe
Filesize
399KB

MD5
4a6827becba9d16e60af59362eb8b525

SHA1
c482a73d63de0441bd9aa776cb2de643b305969b

SHA256
7c369fb4572d7943d2198ba5666eeab8847830a6ea70dc4ea43f5f7b0861bc44

SHA512
03561248d185026b99cc345a07f21dadce1f16ad755225a9cdb792295e21f355798ebf6434251c898052c3ba4909e5545fa9278cb4a50444a8ad6ccf0bf9e2d1

Download Submit
memory/376-39-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/376-43-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/376-42-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/376-41-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/376-40-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/376-37-0x0000000000970000-0x0000000000A0B000-memory.dmp

Filesize
620KB

Download
memory/1816-33-0x0000000003390000-0x000000000342B000-memory.dmp

Filesize
620KB

Download
memory/1816-34-0x0000000003390000-0x000000000342B000-memory.dmp

Filesize
620KB

Download
memory/1816-35-0x0000000000290000-0x00000000002F8000-memory.dmp

Filesize
416KB

Download
memory/1816-22-0x0000000000290000-0x00000000002F8000-memory.dmp

Filesize
416KB

Download
memory/2132-0-0x0000000000AE0000-0x0000000000B48000-memory.dmp

Filesize
416KB

Download
memory/2132-6-0x0000000000700000-0x0000000000768000-memory.dmp

Filesize
416KB

Download
memory/2132-18-0x0000000000700000-0x0000000000768000-memory.dmp

Filesize
416KB

Download
memory/2132-21-0x0000000000AE0000-0x0000000000B48000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads