urelas | d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0

General

Target

d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe
Size

368KB
MD5

b725608c76d7a01dc966c2707604e459
SHA1

5e31cf379c12e2f3582fb4df5ade53ab660af3ed
SHA256

d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0
SHA512

14e17966aa916da982ffe5ac71857aea1a0f78715b94d9a9926645f094856647b04a6b312d2292702dc95c466f3c3723854677bce1b579a841d137ec26447ade
SSDEEP

6144:1o3whi+1Py3V0a24kOn+Sr72iyjmhuKtUYiw52hVOcvBRMHkWYHpf:YKf1PyKa2anKjm3OYZ2hocvHt

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2080 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

uwduu.exevuzun.exe

pid process

1740 uwduu.exe
1984 vuzun.exe
Loads dropped DLL 2 IoCs

Processes:

d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exeuwduu.exe

pid process

2208 d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe
1740 uwduu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2080	cmd.exe

pid	process
1740	uwduu.exe
1984	vuzun.exe

pid	process
2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe
1740	uwduu.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

vuzun.exe

pid	process
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe
1984	vuzun.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exeuwduu.exe

description	pid	process	target process
PID 2208 wrote to memory of 1740	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	uwduu.exe
PID 2208 wrote to memory of 1740	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	uwduu.exe
PID 2208 wrote to memory of 1740	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	uwduu.exe
PID 2208 wrote to memory of 1740	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	uwduu.exe
PID 2208 wrote to memory of 2080	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	cmd.exe
PID 2208 wrote to memory of 2080	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	cmd.exe
PID 2208 wrote to memory of 2080	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	cmd.exe
PID 2208 wrote to memory of 2080	2208	d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe	cmd.exe
PID 1740 wrote to memory of 1984	1740	uwduu.exe	vuzun.exe
PID 1740 wrote to memory of 1984	1740	uwduu.exe	vuzun.exe
PID 1740 wrote to memory of 1984	1740	uwduu.exe	vuzun.exe
PID 1740 wrote to memory of 1984	1740	uwduu.exe	vuzun.exe

C:\Users\Admin\AppData\Local\Temp\d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe
"C:\Users\Admin\AppData\Local\Temp\d84041eca0858276599f1048ad508174f1c7b921b515d2e479ac6bf2af0092c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\uwduu.exe
"C:\Users\Admin\AppData\Local\Temp\uwduu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\vuzun.exe
"C:\Users\Admin\AppData\Local\Temp\vuzun.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
340B

MD5
d8d32f009fabd581949daf20760a0771

SHA1
d7866caf29c9ae663fc25df9a27cd78ed54427ed

SHA256
418bcf5544a11af04be49a29d2828a16b5dac2f9766db1c17e9cf3a3f6d327f8

SHA512
a702b075baa7f65e1e8ef0ed12099e4a5b872b182eb6720be33fb94c59cbf2d47ae40bad514eebf222fe7a353e938ee32a4321c7fc4e918c900167da3f65a31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
c67f898a344702747717e8c66ff94a4b

SHA1
0c7439a5811b66c46a5bd75644a9ee16b96f8546

SHA256
32ffa30660e9341f27978b86739ea3388ecb5be51f1082cbff870915fa20674b

SHA512
f821b5eb5cd67e804601062a9e99f59b844dcbea9d7893748853643d689d979ddc56a3f2f660e67b426d28125652be9050e265e25b57ce29a29fe95291702874

Download Submit
\Users\Admin\AppData\Local\Temp\uwduu.exe
Filesize
368KB

MD5
2c1be357ec900e6def485c90210873a6

SHA1
52407acdf7e4067094589bcb407aa14f5788b979

SHA256
96ea9e6d3e143e5b5c442b03c19cbf59fd3fe32f0c0378b32c85f74a4cc24845

SHA512
a2e3657a3762f957aad1a195181321b6c4cb46de6b4ab2c11783fa1b4e8c636e3cbda9ed8c845fc1dfbc8c8646a98aaea8cbf6e272d901d1da20b46768418542

Download Submit
\Users\Admin\AppData\Local\Temp\vuzun.exe
Filesize
208KB

MD5
1b4370cd1785fefbd6493d5b80ac625d

SHA1
7c36fe984876d421371741dc923b682dc16be6bb

SHA256
2849fa730629e9cc84fa172014c0b7bd875e9787f3d74737939b77d7e39def79

SHA512
0382af2c076756acedf333b516890ab7d8a722346730fb82676a85c3b2a64d407c03486222cda5b1272e4ed53a8396e5a719e69ef5a9498265b3bf974037962d

Download Submit
memory/1740-23-0x0000000000D80000-0x0000000000DE2000-memory.dmp

Filesize
392KB

Download
memory/1740-31-0x00000000033D0000-0x0000000003483000-memory.dmp

Filesize
716KB

Download
memory/1740-13-0x0000000000D80000-0x0000000000DE2000-memory.dmp

Filesize
392KB

Download
memory/1740-30-0x0000000000D80000-0x0000000000DE2000-memory.dmp

Filesize
392KB

Download
memory/1984-35-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/1984-32-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/1984-34-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/1984-36-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/1984-37-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/1984-38-0x0000000001330000-0x00000000013E3000-memory.dmp

Filesize
716KB

Download
memory/2208-1-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/2208-0-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download
memory/2208-9-0x0000000002260000-0x00000000022C2000-memory.dmp

Filesize
392KB

Download
memory/2208-20-0x0000000000390000-0x00000000003F2000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing