urelas | c8e9d09ad447ee95b879b7a55829d94a1aac2ecc6546942b9e08f7e3e5709088

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe
Size

394KB
MD5

b1d6b726bf6ac63749e5eba6b5c7694c
SHA1

277f12fb1583b2996f67dd8276df3f5db79cd1a6
SHA256

8ffef1554685604bf346da838d7d7477f9a9eecec52ce86a29e5db6c5cf6cc75
SHA512

62d271e31c9bd3fcc1708202d636ae3635afc1b922d048cdfe41c0f2fe509d2ba8c7f3586c1738a6ee7bfd8dce0910496104177b4239218d9c9960386e64d362
SSDEEP

6144:pzwArTEDSCs5wL0DKlpn/URBudL7qRBpkvfsModogZ/SvnDTH9QRO:pMmQDSCs5wo0e8L7qRbQUugennHGO

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2548 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

toajl.exeybrio.exe

pid process

296 toajl.exe
380 ybrio.exe
Loads dropped DLL 2 IoCs

Processes:

[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exetoajl.exe

pid process

2336 [DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe
296 toajl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2548	cmd.exe

pid	process
296	toajl.exe
380	ybrio.exe

pid	process
2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe
296	toajl.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

ybrio.exe

pid	process
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe
380	ybrio.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exetoajl.exe

description	pid	process	target process
PID 2336 wrote to memory of 296	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	toajl.exe
PID 2336 wrote to memory of 296	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	toajl.exe
PID 2336 wrote to memory of 296	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	toajl.exe
PID 2336 wrote to memory of 296	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	toajl.exe
PID 2336 wrote to memory of 2548	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	cmd.exe
PID 2336 wrote to memory of 2548	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	cmd.exe
PID 2336 wrote to memory of 2548	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	cmd.exe
PID 2336 wrote to memory of 2548	2336	[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe	cmd.exe
PID 296 wrote to memory of 380	296	toajl.exe	ybrio.exe
PID 296 wrote to memory of 380	296	toajl.exe	ybrio.exe
PID 296 wrote to memory of 380	296	toajl.exe	ybrio.exe
PID 296 wrote to memory of 380	296	toajl.exe	ybrio.exe

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]b1d6b726bf6ac63749e5eba6b5c7694c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\toajl.exe
"C:\Users\Admin\AppData\Local\Temp\toajl.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296

C:\Users\Admin\AppData\Local\Temp\ybrio.exe
"C:\Users\Admin\AppData\Local\Temp\ybrio.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
Filesize
306B

MD5
ce28fe0cf6e96268d06a194813d45267

SHA1
fc7af643d652305d05a0b1aa3dd00e88e0c38cc2

SHA256
6eb0f8cfc18eadd7eb89140e578033681df0908c61f218092ea0a3a9e059d01a

SHA512
37e858153c4f6dfeaeebedcb9b5da907f71a603d1fc4e1508139e69e6ccce3a6f104c8e367c13bc48e9ad7679d8473a356b46ae514844252cd1e5f49fe56cc35

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
6c21c90f2a0e4125e00b86df65db7cfc

SHA1
04d1716cd07605aad2954f2cd00126916a0ef648

SHA256
54e20c62118409bba1bccf02eb04132bd44d17822c49f69e7f39b28f15f870a4

SHA512
8d593b49c901eaf7c95bc74d2448e8f941c8b5d29230bbc5ac3e6b9f0af2fd938078576643d8b7e62668534caa9a1e4be1e83ce70a7b6762880139cd3a4d4781

Download Submit
C:\Users\Admin\AppData\Local\Temp\toajl.exe
Filesize
394KB

MD5
ca75486e7f7955828fa3aa4b3827a778

SHA1
e2160effd11f6d82efa7c7b386796e281a6f09e7

SHA256
f920873d9c11d423f3d363301d522f097956102c828db8d0cddd339c21f6a6c0

SHA512
a602a561d3df8b2be625847b99312f433b49450c413aabf9777e3b9780bc2c2eac33818e344cc7a993109502e3255c1fb1a6c63021446fc14d1289fa25cfe5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\toajl.exe
Filesize
394KB

MD5
34d037e0eaeeed2275dd356546250985

SHA1
b5fdd96d5bb506d628a05e7c92227cbf56bcdb1d

SHA256
1e011e7c96c3955420660a50dcbb58fe8a672d16aacfe4a974b6fd25b4ee1b83

SHA512
b2b40efd3a795a9434bffd7f51ca996f6beb7df985951e11ef18ecdcc73858153bb5b1c817cde4d87e11021c1ab68a20b169a47d68379d986c35b9864a4976d4

Download Submit
\Users\Admin\AppData\Local\Temp\ybrio.exe
Filesize
175KB

MD5
f8560bb73fc09b32c67af30f726fa86a

SHA1
e11e7326e196cf6f1506a2d3b652a75cc7d95e7e

SHA256
39125b86831d7a7daa159ca0b4143af19be26e881a2f8a67973a1babfc8aa810

SHA512
9237686f74fcdbacb08ab1bbe3bfadf3ea66b7e4a5ce482ca5f92d24ae6582b861acd340af2fb16d692f5a95e84d500980892ae9652b33da7b5ace7e5e773587

Download Submit
memory/296-11-0x0000000001180000-0x00000000011E5000-memory.dmp

Filesize
404KB

Download
memory/296-26-0x0000000001180000-0x00000000011E5000-memory.dmp

Filesize
404KB

Download
memory/380-32-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/380-28-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/380-31-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/380-33-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/380-34-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/380-35-0x0000000000130000-0x00000000001C0000-memory.dmp

Filesize
576KB

Download
memory/2336-9-0x00000000006A0000-0x0000000000705000-memory.dmp

Filesize
404KB

Download
memory/2336-18-0x0000000000040000-0x00000000000A5000-memory.dmp

Filesize
404KB

Download
memory/2336-0-0x0000000000040000-0x00000000000A5000-memory.dmp

Filesize
404KB

Download