urelas | 879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d

General

Target

879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe
Size

81KB
MD5

c20f54b8d46648ee309f1cbe4aa1d3cf
SHA1

95d9433600f98efa9930e161046a0c8f835ddacc
SHA256

879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d
SHA512

800bfe7bb6e98a78f38833e79c78c0cf31e603594eb3ed2047fb0129c030ba31b78058b429ecc3eebe15387be4e0cf85a766df5db1ab33f6529867c775f2deae
SSDEEP

1536:JmBpNDAoG2kf4F+KfQwHq0NVFXqKseZ656KqBxhKYvonouy8GVUVhzf:8hDAb2VHR5aKsDIbTomAoutGVUVxf

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

121.88.5.184

218.54.28.139

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000190000-0x00000000001C9000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\opert.exe	UPX
behavioral1/memory/2128-16-0x0000000000070000-0x00000000000A9000-memory.dmp	UPX
behavioral1/memory/2164-19-0x0000000000190000-0x00000000001C9000-memory.dmp	UPX
behavioral1/memory/2128-22-0x0000000000070000-0x00000000000A9000-memory.dmp	UPX
behavioral1/memory/2128-28-0x0000000000070000-0x00000000000A9000-memory.dmp	UPX

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1856 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

opert.exe

pid process

2128 opert.exe
Loads dropped DLL 1 IoCs

Processes:

879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe

pid process

2164 879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe

pid	process
1856	cmd.exe

pid	process
2128	opert.exe

pid	process
2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000190000-0x00000000001C9000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\opert.exe	upx
behavioral1/memory/2128-16-0x0000000000070000-0x00000000000A9000-memory.dmp	upx
behavioral1/memory/2164-19-0x0000000000190000-0x00000000001C9000-memory.dmp	upx
behavioral1/memory/2128-22-0x0000000000070000-0x00000000000A9000-memory.dmp	upx
behavioral1/memory/2128-28-0x0000000000070000-0x00000000000A9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe

description	pid	process	target process
PID 2164 wrote to memory of 2128	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	opert.exe
PID 2164 wrote to memory of 2128	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	opert.exe
PID 2164 wrote to memory of 2128	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	opert.exe
PID 2164 wrote to memory of 2128	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	opert.exe
PID 2164 wrote to memory of 1856	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	cmd.exe
PID 2164 wrote to memory of 1856	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	cmd.exe
PID 2164 wrote to memory of 1856	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	cmd.exe
PID 2164 wrote to memory of 1856	2164	879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe
"C:\Users\Admin\AppData\Local\Temp\879a3e7f3b471579a2ead263007fdd80948757a759223071e48b95b16b40f73d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\opert.exe
  "C:\Users\Admin\AppData\Local\Temp\opert.exe"
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6735bbe93159782090eb9c49dde676c6

SHA1
6edec7009f27d90d36081a9d4a05fc6e6bde28e2

SHA256
f8925f72b19e3a2e14ebfda83d63a10e4a6f218d84cc30fb738caa9a575e1217

SHA512
8c85cef74bcd042b528424c1b99149bf5374c428f61a5f3c99e4f42460453b7a36cd0edbf8f76a042432800ee93916a7650b55e41d06f51566ad2cf3d69be696

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
907ba39051cc8706d3256571323146db

SHA1
51d0869d175945aa386f668fc3b95ca237894129

SHA256
8fcf6432d922581483e7bc249ea0f59d08c041030c2d956fc907b5eeb48aa9f7

SHA512
e57d0b58c7f79526093be90fee3dd968ea50711a9c588c370313d90e7f5db3978221fab56ad56ad1948ddf5bc5c40a93ab575322d9246b28d4225ac19a84de3e

Download Submit
\Users\Admin\AppData\Local\Temp\opert.exe

Filesize
81KB

MD5
5d83fc9fe7a00642c4224fd2a4edbd36

SHA1
acd2bdb19c6cd54d78b5577738f9ae75693d66a6

SHA256
296c7344e10537fa99b85da8156c3025980995a8468980d7a66bba87e570c52e

SHA512
badf45b72ddf75a9c6ca11f3c332378ebc74a864681f24abd4d17c3447e3881e14bdf48d4fb91ff9c37852bc643afa1a58b7ba39d8670c4dc64715cc42e1c1a5

Download Submit
memory/2128-16-0x0000000000070000-0x00000000000A9000-memory.dmp

Filesize
228KB

Download
memory/2128-22-0x0000000000070000-0x00000000000A9000-memory.dmp

Filesize
228KB

Download
memory/2128-28-0x0000000000070000-0x00000000000A9000-memory.dmp

Filesize
228KB

Download
memory/2164-0-0x0000000000190000-0x00000000001C9000-memory.dmp

Filesize
228KB

Download
memory/2164-10-0x00000000002A0000-0x00000000002D9000-memory.dmp

Filesize
228KB

Download
memory/2164-19-0x0000000000190000-0x00000000001C9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads