urelas | f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Size

330KB
MD5

f1e1cde1b78c3011c4d37b778f8f28e0
SHA1

1fe7cf690f5b87e656dc61d2e0855347bf511063
SHA256

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81a
SHA512

31bca1575ae095daf1fcd97dc007c839224addbc90c72435dec7557edbfa98027c2785d7fda7874fe7635c670775a2b0f8eadaed30f4ba66d9044476aba71e9a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw:vHW138/iXWlK885rKlGSekcj66ci1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ebsut.exefeodx.exe

pid	Process
2820	ebsut.exe
1928	feodx.exe

Loads dropped DLL 2 IoCs

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exeebsut.exe

pid	Process
2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
2820	ebsut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exeebsut.execmd.exefeodx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebsut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feodx.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

feodx.exe

pid	Process
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe
1928	feodx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exeebsut.exe

description	pid	Process	procid_target
PID 2160 wrote to memory of 2820	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2160 wrote to memory of 2820	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2160 wrote to memory of 2820	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2160 wrote to memory of 2820	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	30
PID 2160 wrote to memory of 2848	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2160 wrote to memory of 2848	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2160 wrote to memory of 2848	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2160 wrote to memory of 2848	2160	f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe	31
PID 2820 wrote to memory of 1928	2820	ebsut.exe	34
PID 2820 wrote to memory of 1928	2820	ebsut.exe	34
PID 2820 wrote to memory of 1928	2820	ebsut.exe	34
PID 2820 wrote to memory of 1928	2820	ebsut.exe	34

C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe
"C:\Users\Admin\AppData\Local\Temp\f8beae60feb8cb699b63cebd50da965c12ea3bc1f1477adf3c930cba1364f81aN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\ebsut.exe
  "C:\Users\Admin\AppData\Local\Temp\ebsut.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\feodx.exe
    "C:\Users\Admin\AppData\Local\Temp\feodx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
3a85ad7e26b9ba614e2c31d19781c991

SHA1
3145733944a8aa72b818f8878b734efa4f3b1a3b

SHA256
785cbb203160b3f082d3b9f1d74a4463dd759228247c63b98f466aab26c7ce16

SHA512
39e6f1b31d76356cd04938b7c27bbb487aecad37a51dc05b047d4245ee479bf0bcacb5cd74152e2d30bfc97019f8de7a5084e8b210d6e620c55f5afdf2046ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4d359068baef6fb345df2d6b8f2341de

SHA1
dbc3c1d1c2978d6ea248fcbd04ace997c53059b7

SHA256
02665acd87046fda4dd31367fea67a70acc6f06ddfd588b0db3743c05ce330d6

SHA512
b4f156057a0f337b5dd9cf5d5e806257d4f7371c9027ba92a42a80bcfa6b9005520091b7013d8019ff7ecd19e101888de53a98efeb1e8de5ccb9f77c4f9ef647

Download Submit
\Users\Admin\AppData\Local\Temp\ebsut.exe

Filesize
330KB

MD5
1675629c03b49ba67f542e88b6f91c48

SHA1
1b440c2ee27fb0e4fdc142655b5adb72e268fb82

SHA256
c40bb69464712afd716206daf35182ca7691611d9347207e6f35cf2c72aa27db

SHA512
de61258e5c7d4d73c2504772bd6e8ab358469be7bf1ec7964251ce87d2f8e63bd581042314034d3fc22ee97a880b1228e8e63d501d2fc3bd63e486ece6258167

Download Submit
\Users\Admin\AppData\Local\Temp\feodx.exe

Filesize
172KB

MD5
c91d32bccbdb5a0b278d8c676f45b25c

SHA1
90a66e10c157931f905c0d4906669179d8a43e55

SHA256
97f0d62a0f5ef0d339794ae03218af5bf5cd6b50cafaf91adcaf0f0f3f937c0b

SHA512
cbfb5d36588c2f1237807c3093b1207602dcc8b015e0f9bd2d26fbce8a7e1c24d926db8494c1b8ebaa1bcd3f3a419d1e8c88bab8d96e3e1a0f59d5b69574182c

Download Submit
memory/1928-50-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-51-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-43-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-49-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-48-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-42-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/1928-47-0x0000000000D40000-0x0000000000DD9000-memory.dmp

Filesize
612KB

Download
memory/2160-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2160-19-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/2160-16-0x0000000002460000-0x00000000024E1000-memory.dmp

Filesize
516KB

Download
memory/2160-0-0x0000000000220000-0x00000000002A1000-memory.dmp

Filesize
516KB

Download
memory/2820-21-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2820-41-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2820-39-0x00000000034C0000-0x0000000003559000-memory.dmp

Filesize
612KB

Download
memory/2820-25-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2820-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2820-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download