urelas | 8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc

General

Target

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
Size

359KB
MD5

dfb3779c551d4ee4e50a4621b6145411
SHA1

6a0cb76aa520332950e67d3f9a99ee425f50626a
SHA256

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc
SHA512

5940eb5edab888cbee06ef9d34c03f651f62824ac7915f005037e4df47f84da07703be8b88ae9eb8a3ae5cb5a343f871d4fb5a144e077ae5a679a033976bc717
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0hx:MUyI6QmPPPqVspa

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1508 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

vapal.exesukomy.exetobop.exe

pid process

2356 vapal.exe
2576 sukomy.exe
1608 tobop.exe

pid	process
1508	cmd.exe

pid	process
2356	vapal.exe
2576	sukomy.exe
1608	tobop.exe

Loads dropped DLL 5 IoCs

Processes:

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exevapal.exesukomy.exe

pid	process
2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
2356	vapal.exe
2356	vapal.exe
2576	sukomy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

tobop.exe

pid	process
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe
1608	tobop.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exevapal.exesukomy.exe

description	pid	process	target process
PID 2300 wrote to memory of 2356	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	vapal.exe
PID 2300 wrote to memory of 2356	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	vapal.exe
PID 2300 wrote to memory of 2356	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	vapal.exe
PID 2300 wrote to memory of 2356	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	vapal.exe
PID 2300 wrote to memory of 1508	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 2300 wrote to memory of 1508	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 2300 wrote to memory of 1508	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 2300 wrote to memory of 1508	2300	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 2356 wrote to memory of 2576	2356	vapal.exe	sukomy.exe
PID 2356 wrote to memory of 2576	2356	vapal.exe	sukomy.exe
PID 2356 wrote to memory of 2576	2356	vapal.exe	sukomy.exe
PID 2356 wrote to memory of 2576	2356	vapal.exe	sukomy.exe
PID 2576 wrote to memory of 1608	2576	sukomy.exe	tobop.exe
PID 2576 wrote to memory of 1608	2576	sukomy.exe	tobop.exe
PID 2576 wrote to memory of 1608	2576	sukomy.exe	tobop.exe
PID 2576 wrote to memory of 1608	2576	sukomy.exe	tobop.exe
PID 2576 wrote to memory of 2920	2576	sukomy.exe	cmd.exe
PID 2576 wrote to memory of 2920	2576	sukomy.exe	cmd.exe
PID 2576 wrote to memory of 2920	2576	sukomy.exe	cmd.exe
PID 2576 wrote to memory of 2920	2576	sukomy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
"C:\Users\Admin\AppData\Local\Temp\8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\vapal.exe
  "C:\Users\Admin\AppData\Local\Temp\vapal.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\sukomy.exe
    "C:\Users\Admin\AppData\Local\Temp\sukomy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\tobop.exe
      "C:\Users\Admin\AppData\Local\Temp\tobop.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:2920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d39bff0c204a4b32f12a70e423230646

SHA1
421fc33bad6c5309dec4aebc77cde5a0e4854a69

SHA256
39fad9c63cac7ef7546a6c9ec8df759c9182dfe9bac6a1d359ab413c72c10aa7

SHA512
96ba3464549ee28bf70cd61c167d808fe54d1804d13ed6f053435e3fba6fc1c871c790af84c4f0352ebe447e413e6e30be1b789cdcc289b9f1d5b6da7235e1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ac926ca01536b1d4d56b67b6751ab85d

SHA1
7aab13f276b0e51018b6da743695f7091ce53960

SHA256
50e83e8378b349b377c4cefd0137058770311f67808f708124f704fc7e0e7235

SHA512
7c14e646d63be31c1c076ac5dbc588f77b395c30d9645594eb1a645ceddce3399ce6cdba9070ccdfadb7ac28fc49de8ca728238d9019168ea8f501571f28c4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f51c4c16fb346693262997e682b57fd1

SHA1
6dfb8fda9df8b01de25db62e06b352bdef96249a

SHA256
56b0e268721c7e1c94112b573bc8fe761a57d5e166587038d016a42539d27eb3

SHA512
d0378c0b7a97460f5bc574a6da9d9087171be3c6b3c643b7b1a1b7a7c3c20e50ed722ec923cf399b8175bc3198b89fe018d85d97b543d4ad15b30bc9bda6b5cd

Download Submit
\Users\Admin\AppData\Local\Temp\tobop.exe

Filesize
107KB

MD5
82ca8f61d4475c834da0de51cca68441

SHA1
5759d0be393e0cc5f315e3e4e9c464c63e00d057

SHA256
528cc09a09ec264e748b66789875dda29fe9d4ff255516f196573597714e9796

SHA512
0ff33fc808fbd54efce7e50c1eafba2502c6fd9fc21edbfd1b525106b4e1459ab72b2d76492022b97d6d873c031a27bfd4477448ea5bf248eea627e7eceb62bf

Download Submit
\Users\Admin\AppData\Local\Temp\vapal.exe

Filesize
359KB

MD5
7db75944f4467efadee916b68b7e0c31

SHA1
625cca88040493cfa3645397a8b909f76c019c5c

SHA256
779b11c0e944d66d6c82609bb734ab62f897e8b03152403ffc2234265355e54d

SHA512
249de6dde3ab08664ed0b62c609f7bd1df690b1507c9d558677b834d1519db8a4a5a1325143f9ef34dac845d6b178f919341c8e9ba8b4329402179eb3c56f188

Download Submit
memory/1608-57-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-52-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-61-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-60-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-59-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-58-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/1608-56-0x0000000000850000-0x00000000008D5000-memory.dmp

Filesize
532KB

Download
memory/2300-10-0x0000000002260000-0x00000000022B9000-memory.dmp

Filesize
356KB

Download
memory/2300-12-0x0000000002260000-0x00000000022B9000-memory.dmp

Filesize
356KB

Download
memory/2300-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2300-21-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2356-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-53-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2576-41-0x0000000003240000-0x00000000032C5000-memory.dmp

Filesize
532KB

Download
memory/2576-35-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads