urelas | 97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24

General

Target

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
Size

619KB
MD5

90c0231150a3ad592f124b8fb89c94d0
SHA1

60c692ea970051dba63797f175fb20668a34c5b0
SHA256

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24
SHA512

f1747aa6bf856d1875b973f0bded047ca9e97f6b07b2c1158af0fbe381c222fcf893e48cbeaaced62b829fb92db13b2b46c6d4305e118d158263f5920c4d2506
SSDEEP

12288:8dBNKTCqqwXCcdgTY9+MvA+BisqYpxHte1oSC:8LjQC+Ps0Ya

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1376 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

sudah.execuqoo.exe

pid process

1844 sudah.exe
1776 cuqoo.exe
Loads dropped DLL 2 IoCs

Processes:

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exesudah.exe

pid process

1728 97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
1844 sudah.exe

pid	process
1376	cmd.exe

pid	process
1844	sudah.exe
1776	cuqoo.exe

pid	process
1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
1844	sudah.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x000000000048B000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\sudah.exe	upx
behavioral1/memory/1728-16-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1844-19-0x0000000000400000-0x000000000048B000-memory.dmp	upx
behavioral1/memory/1844-26-0x0000000000400000-0x000000000048B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cuqoo.exe

pid	process
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe
1776	cuqoo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exesudah.exe

description	pid	process	target process
PID 1728 wrote to memory of 1844	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	sudah.exe
PID 1728 wrote to memory of 1844	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	sudah.exe
PID 1728 wrote to memory of 1844	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	sudah.exe
PID 1728 wrote to memory of 1844	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	sudah.exe
PID 1728 wrote to memory of 1376	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 1728 wrote to memory of 1376	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 1728 wrote to memory of 1376	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 1728 wrote to memory of 1376	1728	97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe	cmd.exe
PID 1844 wrote to memory of 1776	1844	sudah.exe	cuqoo.exe
PID 1844 wrote to memory of 1776	1844	sudah.exe	cuqoo.exe
PID 1844 wrote to memory of 1776	1844	sudah.exe	cuqoo.exe
PID 1844 wrote to memory of 1776	1844	sudah.exe	cuqoo.exe

C:\Users\Admin\AppData\Local\Temp\97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe
"C:\Users\Admin\AppData\Local\Temp\97d95bca4274344dfe5dfaaecbb19447429cfb5bb915cba14967423c16858f24.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\sudah.exe
  "C:\Users\Admin\AppData\Local\Temp\sudah.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\cuqoo.exe
    "C:\Users\Admin\AppData\Local\Temp\cuqoo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
04de77754541ae43691060d4233f6a20

SHA1
58c0c2163d25ffcf2537d37e5e7ec05fc3a65594

SHA256
c51c129f255bc738961be5f7ecd71c8250c07c18a488003a745105eb976702a5

SHA512
39bc7e3b5b4586bef04a88b12b26779df72f255f713a9807c89b0641232dd5a757e7d818cbec820657a30978ad5bdfd2baeaf2cdb6bb1e9c6228e1b2724c8f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
51c449fa7c5bd3614829f9b637eff483

SHA1
e6f0f7e50aa192d6c78750df243253fbaa907ba1

SHA256
3a6f8fd1283afb3fc5eefdc0f9c07bbf176cdbabe9c3ea9fff71511741873615

SHA512
8c9c26f0fdcb35f4a4f65e1be52c39e57ee88925437a0815b54b45568708d13a2d8892af2550e657132d4bb482a37a668c0caf0d2efb670ac9df75aabe57293e

Download Submit
\Users\Admin\AppData\Local\Temp\cuqoo.exe

Filesize
241KB

MD5
e509dc123cbaf1e8c5f1e41ea6ebabc2

SHA1
9a37ebd8fbddacfc468dd2d720efd3d1b229a156

SHA256
15e8d6a219e2f335f671e79d4e893642067644a43434c65291e40cb82460cb89

SHA512
3a8ecd5c91db23dc6814dcde044b9a7e5b172055144011f7550e6d0b7d823c67af037bd32af869320d7f63a041f595c2f37619e6c993bd3d4f82d35454d50d39

Download Submit
\Users\Admin\AppData\Local\Temp\sudah.exe

Filesize
619KB

MD5
f27f86177a70496282fa64323d16fb62

SHA1
fbb0d4adff0556a257c6aa6b0c55e07fbc9389ed

SHA256
ec61538c36ecbbd867f35262cc764a53c2fba9700e9d69670c3e14c0ce6d3c3c

SHA512
872332395049645198819166f272a99462582791fbafdfb415af68e3f8db53a93714034c295276eba6ada99faa1985be5e30420f315d08b2bab77da329465678

Download Submit
memory/1728-16-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1728-0-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1776-27-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1776-29-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1776-30-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1776-31-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1776-32-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1776-33-0x0000000000B40000-0x0000000000BF6000-memory.dmp

Filesize
728KB

Download
memory/1844-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1844-26-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads