urelas | 9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9

General

Target

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
Size

321KB
MD5

89a9418d44c300c42d5748bdd3d43ee1
SHA1

c2c8e8a017d1de44de1f19335b6852693f39a857
SHA256

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9
SHA512

26eaa63a388bd9316971f0633b38e1ab22abf0e5bfd626e68decc17e957ef8cccd9ba32924e7cd07bd70cd1216e1f32ed0b6eded8e16e0b166c79f103fb3a774
SSDEEP

6144:PU0USPuHKKAsgBZg178Z+Snk6Fpwlw8RmuZSz8VdPbMK95BL7jGjFUHpJ+MBx:2SPXSzJSk6FpwlzmupVdjx5B/mFYJ+c

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2800 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

tecij.exejefuj.exe

pid process

2488 tecij.exe
748 jefuj.exe
Loads dropped DLL 2 IoCs

Processes:

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exetecij.exe

pid process

2204 9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
2488 tecij.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2800	cmd.exe

pid	process
2488	tecij.exe
748	jefuj.exe

pid	process
2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
2488	tecij.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

jefuj.exe

pid	process
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe
748	jefuj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exetecij.exe

description	pid	process	target process
PID 2204 wrote to memory of 2488	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	tecij.exe
PID 2204 wrote to memory of 2488	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	tecij.exe
PID 2204 wrote to memory of 2488	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	tecij.exe
PID 2204 wrote to memory of 2488	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	tecij.exe
PID 2204 wrote to memory of 2800	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 2204 wrote to memory of 2800	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 2204 wrote to memory of 2800	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 2204 wrote to memory of 2800	2204	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 2488 wrote to memory of 748	2488	tecij.exe	jefuj.exe
PID 2488 wrote to memory of 748	2488	tecij.exe	jefuj.exe
PID 2488 wrote to memory of 748	2488	tecij.exe	jefuj.exe
PID 2488 wrote to memory of 748	2488	tecij.exe	jefuj.exe

C:\Users\Admin\AppData\Local\Temp\9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
"C:\Users\Admin\AppData\Local\Temp\9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\tecij.exe
"C:\Users\Admin\AppData\Local\Temp\tecij.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\jefuj.exe
"C:\Users\Admin\AppData\Local\Temp\jefuj.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
b9e68af5859ed8d9a741221472c859ba

SHA1
8724a5cd8064a4504cedaf4767300f0f73e2b312

SHA256
6baf496a845c18968445341f44406278d7a07e741500540d6aaee6bbe64b9f3e

SHA512
5bbcd37c56a67ab3f9986eb0d364864ea7ba8ff20699f45d1f9a43ea319750078cdf3f2e74ff73417069b45c332a57e08e8ef544a3b67ba2f0e456a9cd39bd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
cbe94e79c4bc34b83cc166ba2953cbda

SHA1
13600966b0eb2e5ea48472d99be08b3865887c92

SHA256
88fce11fc04a75f5f88203ff3f4dab7a9d85d29c96ef9ffeb2e8f9baee088b5b

SHA512
ad65433b41172355817897625581dd802704cd9d49151c5dc2617e510c143208e4be790f951ec9d078a08e3e715a42f7da5b6ab27a08c3b167a3a50493177024

Download Submit
\Users\Admin\AppData\Local\Temp\jefuj.exe
Filesize
186KB

MD5
a4581991a174ac7d6ae80350601d453e

SHA1
ed2c72c8eee54f3113cd17b83f5a604366e30526

SHA256
e83c787cf06bdca2164f55c7f4f5a42b534cdac735085a987ac097790b76bb8f

SHA512
f6248e3b2dcc37d2a2fdd773cf9e138ef847172374f01a353e67cb91625671280f3c408ecf451663b70e09f50102d0867d8b51b70de8ed5e787cf4f57a538efd

Download Submit
\Users\Admin\AppData\Local\Temp\tecij.exe
Filesize
321KB

MD5
7f5ea090971b295a77cd8677b89a0c10

SHA1
762f54971dd4201c7b6c42a9882791aa9907151d

SHA256
f177795ee0df28354d4615ae372959636f1992123379863d9c47a5df59b4e5bd

SHA512
e806d45e2f2a1a6ca800cc5f47e2928c5cdf4f11a05aabeb6760c10ebff99ac2b3dc149519c5399d202e1bf6467be5ed126a0d76778584fa98101f547a1308d3

Download Submit
memory/748-59-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/748-58-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/748-57-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/748-56-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/748-55-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/748-51-0x0000000000A50000-0x0000000000AE6000-memory.dmp

Filesize
600KB

Download
memory/2204-0-0x0000000001190000-0x0000000001214000-memory.dmp

Filesize
528KB

Download
memory/2204-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2204-2-0x0000000001190000-0x0000000001214000-memory.dmp

Filesize
528KB

Download
memory/2204-11-0x00000000029F0000-0x0000000002A74000-memory.dmp

Filesize
528KB

Download
memory/2204-29-0x0000000001190000-0x0000000001214000-memory.dmp

Filesize
528KB

Download
memory/2488-24-0x00000000000C0000-0x0000000000144000-memory.dmp

Filesize
528KB

Download
memory/2488-50-0x00000000000C0000-0x0000000000144000-memory.dmp

Filesize
528KB

Download
memory/2488-47-0x0000000003510000-0x00000000035A6000-memory.dmp

Filesize
600KB

Download
memory/2488-15-0x00000000000C0000-0x0000000000144000-memory.dmp

Filesize
528KB

Download
memory/2488-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2488-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2488-32-0x00000000000C0000-0x0000000000144000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing