urelas | fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Size

324KB
MD5

ccb3964dd622fcc600a569de60895175
SHA1

ae99f1714cfe9c8811dbd0d6fa28d55189017d75
SHA256

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de
SHA512

af877883057fee997f0da3f0cd229923ab221e6841b84062b5dadf08f42e4d00dd5a1de42a095d4bc51d9a3ecbd9041e952d55a8eb8e0d208fe5dfc563aaa35b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2552	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

fubon.execudoj.exe

pid	Process
2596	fubon.exe
2880	cudoj.exe

Loads dropped DLL 2 IoCs

Processes:

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exefubon.exe

pid	Process
2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
2596	fubon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exefubon.execmd.execudoj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fubon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cudoj.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

cudoj.exe

pid	Process
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe
2880	cudoj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exefubon.exe

description	pid	Process	procid_target
PID 2604 wrote to memory of 2596	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	30
PID 2604 wrote to memory of 2596	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	30
PID 2604 wrote to memory of 2596	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	30
PID 2604 wrote to memory of 2596	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	30
PID 2604 wrote to memory of 2552	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	31
PID 2604 wrote to memory of 2552	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	31
PID 2604 wrote to memory of 2552	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	31
PID 2604 wrote to memory of 2552	2604	fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe	31
PID 2596 wrote to memory of 2880	2596	fubon.exe	34
PID 2596 wrote to memory of 2880	2596	fubon.exe	34
PID 2596 wrote to memory of 2880	2596	fubon.exe	34
PID 2596 wrote to memory of 2880	2596	fubon.exe	34

C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe
"C:\Users\Admin\AppData\Local\Temp\fb581c355b684b49484e4792417cc298d5c194a36dea2b8c8a9e970ee54589de.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\fubon.exe
  "C:\Users\Admin\AppData\Local\Temp\fubon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\cudoj.exe
    "C:\Users\Admin\AppData\Local\Temp\cudoj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e577ae7de95af5cbc09c3b55681bbc2

SHA1
417fdb014059cab8357a87f8b761cb0d3adc083b

SHA256
df822d01c41a8c4a5177f77c5702d4018863179d071defafc98c400a547f252e

SHA512
2fdb0ed8c97fecfa63576e7f2ce7628302044cf0438d783265bf772fe2730bebcb833f51bb029126864a8171644f0069b1ede2e5a58507449d84629b87f0d691

Download Submit
C:\Users\Admin\AppData\Local\Temp\fubon.exe

Filesize
324KB

MD5
079a42e9bc0cf4030e6c5781c013a4d7

SHA1
6dc71972ad00cd12519bd0d63168f821a97796bb

SHA256
54dae0a2a487e7f5f02f184902274b5bb0c1548ea30237425da7b6f5919a0ef0

SHA512
b615b3c58311226ac1b1f67945fdaa8631bbefcdd51541a887f6cf85a0d2f9fa7589e46f545bce75c51bd99e58a0dc1f6b99310ad017a51d24a532a04390bf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6426c3f6d87e9a27502aa87458e094ae

SHA1
d8d84223cd356920d540a2c55ba712495f0f3dee

SHA256
992d1b065a50a306d4d6d6edc45b0faf7b47054bf653ce04d2be53cf3acec797

SHA512
99d5ff9c72515757ee5037c2d03eb7653bc0a3a2ee2ff3f28059d9409a19c3ff11eec0453f97bfd710d5e69d1b68322acfe2324afe2aa693b142b8a6fc178013

Download Submit
\Users\Admin\AppData\Local\Temp\cudoj.exe

Filesize
172KB

MD5
6f55ca51fc9f58cf1dbc7e54d2c6036f

SHA1
cb5bd7509598e2d77dadebb88cc6b9db87922f39

SHA256
24fe9ea75e5e5a046b781615804ba2866620cd300ed17631b3a14eb7866db6f8

SHA512
1b67d82ac9c504fd6a22324584d4fb0cda045084477ab66b7caabf0f27713ce30b4230c5bf5975f58f0f0b669214c457da7b9a51f667062ceb1e984a1542436c

Download Submit
memory/2596-20-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2596-37-0x00000000035F0000-0x0000000003689000-memory.dmp

Filesize
612KB

Download
memory/2596-41-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2596-24-0x0000000000AE0000-0x0000000000B61000-memory.dmp

Filesize
516KB

Download
memory/2596-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2604-17-0x0000000002870000-0x00000000028F1000-memory.dmp

Filesize
516KB

Download
memory/2604-0-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2604-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2604-19-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2880-45-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-42-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-47-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-48-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-49-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-50-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download
memory/2880-51-0x0000000000250000-0x00000000002E9000-memory.dmp

Filesize
612KB

Download