urelas | 2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b

General

Target

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
Size

6.4MB
MD5

85a8af248df0dd7e6ce1e93672b33dd1
SHA1

ce35098d1267a22f0b42bacd5e0e3a1f9a1ed7fe
SHA256

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b
SHA512

3b8383903729ce713c97d25fd4e36d8928a9ecaf43eb3775444402015febf7ea41702ebc4d62670b45a6f4278d90a67a7aa991049054f3eb817093f2b90ee9ea
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8:i0LrA2kHKQHNk3og9unipQyOaO8

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000014185-155.dat	UPX
behavioral1/memory/1880-159-0x00000000046C0000-0x0000000004859000-memory.dmp	UPX
behavioral1/memory/1752-161-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/1752-174-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2676	hufug.exe
1880	vocyle.exe
1752	agtox.exe

Loads dropped DLL 5 IoCs

pid	Process
2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
2676	hufug.exe
2676	hufug.exe
1880	vocyle.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014185-155.dat	upx
behavioral1/memory/1880-159-0x00000000046C0000-0x0000000004859000-memory.dmp	upx
behavioral1/memory/1752-161-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1752-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
2676	hufug.exe
1880	vocyle.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe
1752	agtox.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2676	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	28
PID 2176 wrote to memory of 2676	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	28
PID 2176 wrote to memory of 2676	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	28
PID 2176 wrote to memory of 2676	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	28
PID 2176 wrote to memory of 2648	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	29
PID 2176 wrote to memory of 2648	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	29
PID 2176 wrote to memory of 2648	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	29
PID 2176 wrote to memory of 2648	2176	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	29
PID 2676 wrote to memory of 1880	2676	hufug.exe	31
PID 2676 wrote to memory of 1880	2676	hufug.exe	31
PID 2676 wrote to memory of 1880	2676	hufug.exe	31
PID 2676 wrote to memory of 1880	2676	hufug.exe	31
PID 1880 wrote to memory of 1752	1880	vocyle.exe	34
PID 1880 wrote to memory of 1752	1880	vocyle.exe	34
PID 1880 wrote to memory of 1752	1880	vocyle.exe	34
PID 1880 wrote to memory of 1752	1880	vocyle.exe	34
PID 1880 wrote to memory of 1696	1880	vocyle.exe	35
PID 1880 wrote to memory of 1696	1880	vocyle.exe	35
PID 1880 wrote to memory of 1696	1880	vocyle.exe	35
PID 1880 wrote to memory of 1696	1880	vocyle.exe	35

C:\Users\Admin\AppData\Local\Temp\2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
"C:\Users\Admin\AppData\Local\Temp\2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\hufug.exe
  "C:\Users\Admin\AppData\Local\Temp\hufug.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\vocyle.exe
    "C:\Users\Admin\AppData\Local\Temp\vocyle.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\agtox.exe
      "C:\Users\Admin\AppData\Local\Temp\agtox.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b59e7fa31311ec15ced5082d6aef01ed

SHA1
599b522253458155596ad97d4550ed3a6c9eedf9

SHA256
551d736c45c7798ab1dff0ee3c17494e2cd8717be96d8e8dba808840a8ab13fa

SHA512
8a5b2a50659193448a6b264f97bbf33b023c4d20ba169b5532a2c7f47f7e6ad86ea4b73b3ef52ff360342c0a032fab99bf955a3dddf57a28661a257268c31007

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
4b1e9d2cbd88c549e527cf223c868247

SHA1
af2fb9d53cc0eca9f49c4a399dd7748381f52add

SHA256
e1b431d27989ceb34cf9104069cec2dcfaa3e9f758c23570fa413ccb4d485468

SHA512
8c22774a7801cc0985f397359945f1e20a101ed06824f8f6ef2b833112c611beaba313218148309ba26388a768edc32d356cfc08ffc0b07c82f18cc5cb5dd167

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ed838ddb7a55429a09b656c18c683739

SHA1
a1b900e6ec602bd604d9bab37508120a4d9b95c6

SHA256
02492088dad89b8f09758f59b94759f3c70c8ea23f19bc6a9d797a9a96723198

SHA512
d3fc27abf3ddf19d1547bc8e76d418489e5635a51e7815e16abd256e1327b5a24df3f670d0a2e9e2b69e55a343701bf0e3cde97facaf7488ac0b20ef1262b69d

Download Submit
\Users\Admin\AppData\Local\Temp\agtox.exe

Filesize
459KB

MD5
669c4f5fd2311f63439c369ddaf6742d

SHA1
949407c22d2706fb2f2082ea2030635f297d6de1

SHA256
912f0257a1c6c18bbf32cf3a0313d5d67dd3204de617278ce3b4cd796c3407ed

SHA512
3ad049ca91844b03af3e378e8dabf65e10194dc4c10090966d4210d194f7b29df842534e5eced1cac3409e753acfbae80cdb9830aa93f1012134b06c79896586

Download Submit
\Users\Admin\AppData\Local\Temp\hufug.exe

Filesize
6.4MB

MD5
728a16ee016cbcde178cf655ec09b2b3

SHA1
883502059572a8dd59cb0ff88a67ae3ce78f731f

SHA256
49c315a4bf075641d76f69e49247b206af86f9613ab2e4db2a9b02b458902474

SHA512
d48261a470a310bd7973309094596faf0ef284fea8c302ab386ba3e09dc946a9ae193e6ec249e035633cca736fff9ac1e0e386fc01a7fae8b85040103c14defa

Download Submit
memory/1752-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1752-161-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1880-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1880-159-0x00000000046C0000-0x0000000004859000-memory.dmp

Filesize
1.6MB

Download
memory/2176-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2176-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2176-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2176-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2176-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2176-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2176-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2176-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-18-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2176-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-20-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2176-51-0x0000000003EE0000-0x00000000049CC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2176-50-0x0000000003EE0000-0x00000000049CC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2176-23-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2176-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2176-35-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2176-33-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2176-30-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2176-28-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2176-25-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2676-111-0x00000000043B0000-0x0000000004E9C000-memory.dmp

Filesize
10.9MB

Download
memory/2676-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2676-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2676-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2676-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2676-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2676-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing