urelas | 77e68befe0ae0a15e4175a05b8bc5fa893c61c369b9f4e0c28bffbb3065d4d9a

General

Target

17f662c3625667180de515e38991f200N.exe
Size

323KB
MD5

17f662c3625667180de515e38991f200
SHA1

91e50623179d3493446695997673fc49481f6906
SHA256

77e68befe0ae0a15e4175a05b8bc5fa893c61c369b9f4e0c28bffbb3065d4d9a
SHA512

cfcc7a751970fb9aa752c02589073620e5e0ac5ccbc0af3200050d9732b8cf1bb33825064c43195f8a302d3c170cdb2436614f26934cbf27160aaa691a97c1de
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYe:vHW138/iXWlK885rKlGSekcj66cir

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2736 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

fihyq.exexitus.exe

pid process

2464 fihyq.exe
2064 xitus.exe
Loads dropped DLL 2 IoCs

Processes:

17f662c3625667180de515e38991f200N.exefihyq.exe

pid process

784 17f662c3625667180de515e38991f200N.exe
2464 fihyq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2736	cmd.exe

pid	process
2464	fihyq.exe
2064	xitus.exe

pid	process
784	17f662c3625667180de515e38991f200N.exe
2464	fihyq.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

xitus.exe

pid	process
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe
2064	xitus.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

17f662c3625667180de515e38991f200N.exefihyq.exe

description	pid	process	target process
PID 784 wrote to memory of 2464	784	17f662c3625667180de515e38991f200N.exe	fihyq.exe
PID 784 wrote to memory of 2464	784	17f662c3625667180de515e38991f200N.exe	fihyq.exe
PID 784 wrote to memory of 2464	784	17f662c3625667180de515e38991f200N.exe	fihyq.exe
PID 784 wrote to memory of 2464	784	17f662c3625667180de515e38991f200N.exe	fihyq.exe
PID 784 wrote to memory of 2736	784	17f662c3625667180de515e38991f200N.exe	cmd.exe
PID 784 wrote to memory of 2736	784	17f662c3625667180de515e38991f200N.exe	cmd.exe
PID 784 wrote to memory of 2736	784	17f662c3625667180de515e38991f200N.exe	cmd.exe
PID 784 wrote to memory of 2736	784	17f662c3625667180de515e38991f200N.exe	cmd.exe
PID 2464 wrote to memory of 2064	2464	fihyq.exe	xitus.exe
PID 2464 wrote to memory of 2064	2464	fihyq.exe	xitus.exe
PID 2464 wrote to memory of 2064	2464	fihyq.exe	xitus.exe
PID 2464 wrote to memory of 2064	2464	fihyq.exe	xitus.exe

C:\Users\Admin\AppData\Local\Temp\17f662c3625667180de515e38991f200N.exe
"C:\Users\Admin\AppData\Local\Temp\17f662c3625667180de515e38991f200N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\fihyq.exe
"C:\Users\Admin\AppData\Local\Temp\fihyq.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\xitus.exe
"C:\Users\Admin\AppData\Local\Temp\xitus.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
- Deletes itself
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
d02b31cff146b76b26c598b6a9c30016

SHA1
da5f3b1fa9bd330b622143d984ad4a31898b5ffb

SHA256
e751b0a8272716fbe8152bb15b1cff9e66d7fac9f03139f6dae581fc1d6a345b

SHA512
a02301efd8887e7500cd9add8a34445bb0da11edd39a7400eb5679655b48eb426fbca9173ceed54a953b35fe9953181b098cf7c8b069a0989ba7b707bb46f3d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ab6ae133d78b6ad21f830b2d7b9b8feb

SHA1
3e5ac88c967331d37559130f260b39679ae22854

SHA256
de163efeb3081e16f29a201042b9a29274369c0112996da638643597dca60377

SHA512
059b845a8017f485ce8c4177a411dd684c02af65f9c9549dfcc74ab8e5f61b9a69d9b4ab84de4b54fb37db5c36fab3f7a3d71315502313b73c029b51eb6f7b63

Download Submit
\Users\Admin\AppData\Local\Temp\fihyq.exe

Filesize
323KB

MD5
e312130f53da3da11b444aab5b9b1f5d

SHA1
27967fa888d007a5cd625480c12e5f93be43fc1d

SHA256
c76e1a38fa547c0c51194d3ba3bb8bace2eabd8b9cbff23ce9fdc37071414758

SHA512
1165220560a836903ac2c80b8e75112088fd19bc22d09a6dabcd2bc1eab7c16cdc53ed9bdca9e06db15ca498ea3210d6c85093c6e45c9136f3dc7c554cbe0136

Download Submit
\Users\Admin\AppData\Local\Temp\xitus.exe

Filesize
172KB

MD5
cb44571c3b2c9657dd6b7c5121e291a1

SHA1
ca916429ada7356d8e38eafc9a3f88e412490679

SHA256
f6fd9749f3809639a2520463655e8d088bc42f734bb4d30db9f793895f4db9e0

SHA512
2b209eacd4e949b84fd3f2cfde35aaeaeca99351c31942628cf7f0061a602ae9d7410841910ed45c3db592e255ff9fffdf332e82b7d754c67ac6fb3e24241628

Download Submit
memory/784-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/784-20-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/784-0-0x0000000000300000-0x0000000000381000-memory.dmp

Filesize
516KB

Download
memory/784-17-0x0000000002D50000-0x0000000002DD1000-memory.dmp

Filesize
516KB

Download
memory/2064-40-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/2064-41-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/2064-45-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/2064-46-0x0000000000950000-0x00000000009E9000-memory.dmp

Filesize
612KB

Download
memory/2464-23-0x0000000000A60000-0x0000000000AE1000-memory.dmp

Filesize
516KB

Download
memory/2464-18-0x0000000000A60000-0x0000000000AE1000-memory.dmp

Filesize
516KB

Download
memory/2464-39-0x0000000000A60000-0x0000000000AE1000-memory.dmp

Filesize
516KB

Download
memory/2464-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing