urelas | c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4

General

Target

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe
Size

94KB
MD5

4aa063ba4fb63ff349391c6592e4e14a
SHA1

b1640b759c5fbbb35ce1faab74c63866d4c0a54b
SHA256

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4
SHA512

2466a38f714d8255c846b0502618d41179c1c0fccbdcfd7ad5a43628811aa768b447c0a7edf4f1898cc1fd90be5457710df05788dadfc67d7f6fc6077e239651
SSDEEP

1536:NzPr/365lm9HM3RgIHYBv1osX1XCDN/on9CW:NzTS5lm9aRgCkgR/onEW

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Detects executables built or packed with MPress PE compressor 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2084-0-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
\Users\Admin\AppData\Local\Temp\gajo.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2908-10-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2084-19-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2908-22-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2908-28-0x0000000000400000-0x000000000043D000-memory.dmp	INDICATOR_EXE_Packed_MPress

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2628 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

gajo.exe

pid process

2908 gajo.exe
Loads dropped DLL 1 IoCs

Processes:

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

pid process

2084 c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2628	cmd.exe

pid	process
2908	gajo.exe

pid	process
2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe

description	pid	process	target process
PID 2084 wrote to memory of 2908	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	gajo.exe
PID 2084 wrote to memory of 2908	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	gajo.exe
PID 2084 wrote to memory of 2908	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	gajo.exe
PID 2084 wrote to memory of 2908	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	gajo.exe
PID 2084 wrote to memory of 2628	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe
PID 2084 wrote to memory of 2628	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe
PID 2084 wrote to memory of 2628	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe
PID 2084 wrote to memory of 2628	2084	c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe
"C:\Users\Admin\AppData\Local\Temp\c3d6c7c9f909a3b7d54ffa0634d453ec2f48b973d439d9ce502df646da42f8d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\gajo.exe
  "C:\Users\Admin\AppData\Local\Temp\gajo.exe"
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1087c055d0fee4376df6dc2d15798798

SHA1
031b4f38b16d0539c8d1892bfa0846cb6b69db06

SHA256
b73f7cfc0876d0d4664b1b07e080c3f9b04226a1d55ea0cc25e6c0f47897acf4

SHA512
08e96825b9fbeb61c25d9bc666baf254e2c01cb231748460b9f13cbabe3d4c880f5a3a1d6a55ba31ff777f34050f7f28675ed53d07cd1b3f95a70a38ff8cd2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
b765cf78bd8e5d1eb92ef5aa91716198

SHA1
954f22c754565a4c1d61f38e73a1b19ad1cdbce0

SHA256
cfe385e5d94452ebce5cf5443af521dd70ad42a9c90be6b57e5616ba8d9a932e

SHA512
abf4ad7858f694bd9cfe825833426eaaf1d0752f515db1848c1350bbe0fb1348d8a4f61cb41c7c48704ad0a00f6ed3b4b25d36644795f20c59f36c61cb2736f4

Download Submit
\Users\Admin\AppData\Local\Temp\gajo.exe

Filesize
94KB

MD5
ce5f13d54950b0d268d8e52287060a37

SHA1
014ce6d123320407c7f70227f1d6843fba9fb92e

SHA256
4d819579224af8d84cc2b008720267ac9da31cb84a11466f334bb116c442ed3a

SHA512
6fc08cfe433bb6ad9319ae04ea24d8e3b554fdd3ac2b32e4c51bd37ecea8132e3fbaf6dc47451e8ca620db2254ab72303fac005ab05b0b8ebc79ff488a0b01a5

Download Submit
memory/2084-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2084-9-0x0000000002050000-0x000000000208D000-memory.dmp

Filesize
244KB

Download
memory/2084-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing