urelas | dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f

General

Target

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
Size

6.5MB
MD5

4afa41328865de81b2f78463262327ee
SHA1

5244e4c8b551579c8b88b3f1f3fa6778e41020de
SHA256

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f
SHA512

d30554c80b73b94864a7df78a0318c4d1ee8288ccdd25f2446dc953c7b3e1e5e352311220060e802fe3b68e1475494ed9a75caf1a2df9b67e304305bc6e7f1c3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSy:i0LrA2kHKQHNk3og9unipQyOaOy

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\mevue.exe	UPX
behavioral1/memory/692-164-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral1/memory/692-177-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2556 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

secux.exedygoqe.exemevue.exe

pid process

2544 secux.exe
1516 dygoqe.exe
692 mevue.exe

pid	process
2556	cmd.exe

pid	process
2544	secux.exe
1516	dygoqe.exe
692	mevue.exe

Loads dropped DLL 5 IoCs

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exesecux.exedygoqe.exe

pid	process
2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
2544	secux.exe
2544	secux.exe
1516	dygoqe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\mevue.exe	upx
behavioral1/memory/692-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/692-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exesecux.exedygoqe.exemevue.exe

pid	process
2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
2544	secux.exe
1516	dygoqe.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe
692	mevue.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exesecux.exedygoqe.exe

description	pid	process	target process
PID 2248 wrote to memory of 2544	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	secux.exe
PID 2248 wrote to memory of 2544	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	secux.exe
PID 2248 wrote to memory of 2544	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	secux.exe
PID 2248 wrote to memory of 2544	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	secux.exe
PID 2248 wrote to memory of 2556	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 2248 wrote to memory of 2556	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 2248 wrote to memory of 2556	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 2248 wrote to memory of 2556	2248	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 2544 wrote to memory of 1516	2544	secux.exe	dygoqe.exe
PID 2544 wrote to memory of 1516	2544	secux.exe	dygoqe.exe
PID 2544 wrote to memory of 1516	2544	secux.exe	dygoqe.exe
PID 2544 wrote to memory of 1516	2544	secux.exe	dygoqe.exe
PID 1516 wrote to memory of 692	1516	dygoqe.exe	mevue.exe
PID 1516 wrote to memory of 692	1516	dygoqe.exe	mevue.exe
PID 1516 wrote to memory of 692	1516	dygoqe.exe	mevue.exe
PID 1516 wrote to memory of 692	1516	dygoqe.exe	mevue.exe
PID 1516 wrote to memory of 3016	1516	dygoqe.exe	cmd.exe
PID 1516 wrote to memory of 3016	1516	dygoqe.exe	cmd.exe
PID 1516 wrote to memory of 3016	1516	dygoqe.exe	cmd.exe
PID 1516 wrote to memory of 3016	1516	dygoqe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
"C:\Users\Admin\AppData\Local\Temp\dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\secux.exe
"C:\Users\Admin\AppData\Local\Temp\secux.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\dygoqe.exe
"C:\Users\Admin\AppData\Local\Temp\dygoqe.exe" OK
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\mevue.exe
"C:\Users\Admin\AppData\Local\Temp\mevue.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:692

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
- Deletes itself
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
c564bba8842f529111146c574841492e

SHA1
fb93c59a6cdfe1630551bd1291cd303f5c158f53

SHA256
e9544b646d4cf90e89195c1e425f3f6db820dbc620a7e9861df71a2c0d0e219b

SHA512
f3b2deaaf40046b6a3f3e11376a3826ce338617eb021a662bfdc64ecf5e719b6d232d0acb6eecd466ec68be6455c98425e6318ae78958b082b19d82a99014949

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
340B

MD5
a9888fff7b64366094a4c1a86c60a5ea

SHA1
fa51198d954ea4e11e40762fa700080b6d9489d5

SHA256
272b35e37e2f4195f8795992dd256837b0baeaefa190276c6b7393ffff0164a2

SHA512
ed110ddf288bf2a6b23a7aaa7da6d422d422bd2eac4fbd44eca13d80408212667193461d55ed2705979d77ba4cba1918ff5b8f7b4b12588e43ba4d7ecd5183ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
dadeb38554631be51cb08fff7b940352

SHA1
6202b8b48b8bdcd1dfac440a55c246097cbc7ed8

SHA256
a8a7d79d35c0b861869bee63ee6af3a203ad77be36a4e4f09d5fee4e1e4d9774

SHA512
91c6c985aa99f6b57f167aefb022b89df7aec85ac40f85d151906a67523e6b3a301fe695a6dcb80c8df36f1c9627a475211cfc41a9ab26b0aa5f0bc85c51c5d4

Download Submit
\Users\Admin\AppData\Local\Temp\mevue.exe
Filesize
459KB

MD5
7e1089bfad1e167ac148c6be1e1ac783

SHA1
97d08f43876f63c8390f079a1ae520463b518a5d

SHA256
f34d6c0186eed801ec377e07ed8f2db1af168df9f727ef65e898206d8fb1ccbb

SHA512
3bea8165d8da45be1a14da2a1cfd65b7f12ce29918bf02382fffa15f7def5ed37a41f65c4cf54088a882cd9866ad5f24ac08c2f4b32f98ae960683ba12896f16

Download Submit
\Users\Admin\AppData\Local\Temp\secux.exe
Filesize
6.5MB

MD5
7f321f10a63775bd2595ba96860db9fc

SHA1
b252d8e4468ec2ff282ec841479e9bbb651a69fb

SHA256
6705e03d4873b44dcd080474adbcec87a83dded1a18fb56a1fe2b9ec8aa255f0

SHA512
e4a7c446273f1d97469512cc8eb81a6a741ac37ab3a393bfc2ccb4b5bdc5c47bc9e70120a74775c014077708b0023353fb0318445d490c9d79e495742afeacd8

Download Submit
memory/692-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/692-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1516-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1516-160-0x0000000004680000-0x0000000004819000-memory.dmp

Filesize
1.6MB

Download
memory/2248-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2248-62-0x0000000003870000-0x000000000435C000-memory.dmp

Filesize
10.9MB

Download
memory/2248-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2248-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2248-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2248-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2248-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2248-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2248-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2248-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2248-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2248-21-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2248-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2248-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2248-58-0x0000000003870000-0x000000000435C000-memory.dmp

Filesize
10.9MB

Download
memory/2248-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2248-31-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2248-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2248-29-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2248-36-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2248-26-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2248-24-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2248-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2544-88-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2544-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-73-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2544-115-0x0000000003C80000-0x000000000476C000-memory.dmp

Filesize
10.9MB

Download
memory/2544-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2544-75-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2544-78-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2544-80-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2544-83-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2544-85-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2544-90-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2544-65-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads