urelas | 64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10

General

Target

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
Size

523KB
MD5

f63a21522ee20927dce21ac0ca16fd67
SHA1

6f641ba07f4f5489aeade99a87dc67ffa4b34c6e
SHA256

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10
SHA512

1a7cb6d0943d97560240b3652320e11dc01ae6d9f625dc45db233a3f2e8d18ec51c18734b0900452a6719c317075e122ec3f8cea5bb019a64918c4e8db43c58e
SSDEEP

6144:aGdLSOXVv/UfFP2OuNPo9oXZOYR26JAcn1GK8CpbVmQPnKAJMQ42CfDmZzcpbs:aGZSOXx/UdPEpn26Jtn11F59XTwmZP

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

848 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

badou.exejygaq.exe

pid process

2972 badou.exe
1872 jygaq.exe
Loads dropped DLL 2 IoCs

Processes:

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exebadou.exe

pid process

2904 64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
2972 badou.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
848	cmd.exe

pid	process
2972	badou.exe
1872	jygaq.exe

pid	process
2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
2972	badou.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exebadou.exe

description	pid	process	target process
PID 2904 wrote to memory of 2972	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	badou.exe
PID 2904 wrote to memory of 2972	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	badou.exe
PID 2904 wrote to memory of 2972	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	badou.exe
PID 2904 wrote to memory of 2972	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	badou.exe
PID 2904 wrote to memory of 848	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 2904 wrote to memory of 848	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 2904 wrote to memory of 848	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 2904 wrote to memory of 848	2904	64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe	cmd.exe
PID 2972 wrote to memory of 1872	2972	badou.exe	jygaq.exe
PID 2972 wrote to memory of 1872	2972	badou.exe	jygaq.exe
PID 2972 wrote to memory of 1872	2972	badou.exe	jygaq.exe
PID 2972 wrote to memory of 1872	2972	badou.exe	jygaq.exe

C:\Users\Admin\AppData\Local\Temp\64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe
"C:\Users\Admin\AppData\Local\Temp\64cb9b1354a44abee386b4f2259608a815de3543f518c9715484d2ce0b59cf10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\badou.exe
  "C:\Users\Admin\AppData\Local\Temp\badou.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\jygaq.exe
    "C:\Users\Admin\AppData\Local\Temp\jygaq.exe"
    3⤵
    - Executes dropped EXE
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3256c70f9911bde58da3b256ab7ca9f0

SHA1
c975fdc479150bd7c2cb8c8e618a3eb25e165510

SHA256
7d3a267d4ff5c05d414eef157986ad40e08afb388d29c0ca9992109247bb103f

SHA512
76c5d630f0553903c3c70dcff156b097812fad2f6b72459ab9949eac80d05c1a568af8569fcb4a4e1a46ba85cb21f2171a6fdd4bc137b594306f8b404caeb450

Download Submit
C:\Users\Admin\AppData\Local\Temp\badou.exe

Filesize
523KB

MD5
1c471aec96f47aec7c05539fdbeba5fe

SHA1
23e5206a7ce9021b682397a2bb3ec2736676f5b9

SHA256
a2e355984aa9da83c3914bb38f317fa8d9570e8f29825748694142070b922a41

SHA512
d250b40a4a5e488581aa7752525437c483d1441f8e4c65ab2614f4cd30f223dbfc1769ed75d4e312521cdf6fa8e62ce260237012186c4deff4b1281f0383ffda

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
28211a53283bcc8ae3af7f0c29d33f40

SHA1
2d68172e7c327faede3a6103bdfd10197a8b4fd1

SHA256
484ccf8cf3cf095b29eaa79e544482263e20dd007858a3980685058dabc0f2b0

SHA512
68be59af8ec0259d42ac11a838c908c7e4f6b027fb292eac71e853acfba3f1dc6ca024dfc8e8efacc64f05309dbfdb2cff0ec962457b029c9221dbce0b65a6c0

Download Submit
\Users\Admin\AppData\Local\Temp\jygaq.exe

Filesize
231KB

MD5
551e39605ec6a2ce01f63140c3cc22c1

SHA1
3635ff04e04b20d1fe8fe3623d8d4db100ba9d04

SHA256
74b4c9087d88e18b6b425ae2bee9feae21a15bc6b3477f3adb3f2b01bc8a7ce5

SHA512
800e532df810575ea3178becc76f7eab5f792c4bc168a636002e4fe9bd05f41e6a17d7a5f903df87a56a81822c382d385d15fd3a0ca466ce7c748d458825c1d8

Download Submit
memory/1872-43-0x0000000000D00000-0x0000000000DB3000-memory.dmp

Filesize
716KB

Download
memory/2904-0-0x0000000000FD0000-0x000000000105F000-memory.dmp

Filesize
572KB

Download
memory/2904-21-0x0000000000FD0000-0x000000000105F000-memory.dmp

Filesize
572KB

Download
memory/2904-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2904-17-0x0000000002520000-0x00000000025AF000-memory.dmp

Filesize
572KB

Download
memory/2972-19-0x0000000001060000-0x00000000010EF000-memory.dmp

Filesize
572KB

Download
memory/2972-26-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2972-24-0x0000000001060000-0x00000000010EF000-memory.dmp

Filesize
572KB

Download
memory/2972-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2972-42-0x0000000001060000-0x00000000010EF000-memory.dmp

Filesize
572KB

Download
memory/2972-39-0x0000000003D30000-0x0000000003DE3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing