About “Troj/Urelas-Q” infection

Troj/Urelas-Q is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to fully scan and cure your PC during the trial period.
6-day free trial available.

What can the Troj/Urelas-Q virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Attempts to connect to a dead IP:Port (4 unique times)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Possible date expiration check, exits too soon after checking local time
  • Dynamic (imported) function loading detected
  • Enumerates running processes
  • Repeatedly searches for a not-found process, may want to run with startbrowser=1 option
  • Reads data out of its own binary image
  • A process created a hidden window
  • Drops a binary and executes it
  • Unconventional language used in binary resources: Korean
  • The binary contains an unknown PE section name indicative of packing
  • The binary likely contains encrypted or compressed data.
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • A process attempted to delay the analysis task by a long amount of time.
  • Created a process from a suspicious location

How to identify Troj/Urelas-Q?

File Info:

name: E898F81C7C260FE8BB36.mlw
path: /opt/CAPEv2/storage/binaries/aeb5fb75d83d020df12f75bd3c791b6b663a0caffd2a66611966701f6178728f
crc32: 8B2BE783
md5: e898f81c7c260fe8bb36d82c285be42d
sha1: 98a7055d7a30cc2993b68284affb20b2b8c05cd3
sha256: aeb5fb75d83d020df12f75bd3c791b6b663a0caffd2a66611966701f6178728f
sha512: a9b886e668cf8677ae05cb736b31e86ef5f872f468c42a6ccd4926cf719d19c2d9aa72aeadae4c331ca5896e024105344a50ba3feb24cc8ea8f7c07da2207bfb
ssdeep: 6144:0C5UZXR3HvXTpplfUhjkvss0kKDHiG0c4v413vCPXOeVHB:VUZXRXv1p1Uhjw0fDHiGD2w36PJ
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T189442314F65BC4F0F918CDB6064DE086976270F88B2258B45FC1EF89B6B52F20AD674B
sha3_384: 1f3367a64e90db070ca619b14f0fdfffbe970180a508a6570cb163f99a88f1cf5b261126eac892ca3d9e107aed652a4b
ep_bytes: 60be00e041008dbe0030feff5783cdff
timestamp: 2013-10-19 00:37:26

Version Info:

0: [No Data]

Troj/Urelas-Q also known as:

Bkav: W32.AIDetect.malware2
Elastic: malicious (high confidence)
DrWeb: Trojan.AVKill.33547
MicroWorld-eScan: Gen:Heur.Mint.SP.Urelas.1
FireEye: Generic.mg.e898f81c7c260fe8
CAT-QuickHeal: Trojan.Gupboot.G.mue
Cylance: Unsafe
Zillya: Backdoor.Plite.Win32.68
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Backdoor ( 0053e8561 )
K7GW: Backdoor ( 0053e8561 )
CrowdStrike: win/malicious_confidence_70% (D)
BitDefenderTheta: AI:Packer.B0F0461C1F
VirIT: Trojan.Win32.Generic.EBL
Cyren: W32/Plite.D.gen!Eldorado
Symantec: Backdoor.Matsnu.B
ESET-NOD32: a variant of Win32/Urelas.S
ClamAV: Win.Trojan.Gupboot-9
Kaspersky: HEUR:Trojan.Win32.Generic
BitDefender: Gen:Heur.Mint.SP.Urelas.1
NANO-Antivirus: Trojan.Win32.Wecod.ekcccv
SUPERAntiSpyware: Trojan.Agent/Gen-Urelas
Avast: Win32:Dropper-NJB [Drp]
Tencent: Trojan.Win32.Agent.aeq
Sophos: Troj/Urelas-Q
Comodo: TrojWare.Win32.Gupboot.AGQ@5t8mho
Baidu: Win32.Trojan.Urelas.a
VIPRE: Trojan.Win32.Urelas.o (v)
McAfee-GW-Edition: BehavesLike.Win32.Ridnu.dc
Emsisoft: Gen:Heur.Mint.SP.Urelas.1 (B)
SentinelOne: Static AI – Malicious PE
Jiangmin: Backdoor/Plite.w
Avira: TR/Dropper.Gen
MAX: malware (ai score=85)
Antiy-AVL: Trojan/Generic.ASCommon.177
Kingsoft: Heur.SSC.2687371.1216.(kcloud)
Microsoft: Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm: HEUR:Trojan.Win32.Generic
GData: Gen:Heur.Mint.SP.Urelas.1
Cynet: Malicious (score: 100)
McAfee: GenericRXAA-AA!E898F81C7C26
VBA32: SScope.Backdoor.Urelas.3114
Malwarebytes: Malware.AI.4226506291
APEX: Malicious
Rising: Trojan.Gupboot!1.9CEA (RDMK:cmRtazqjfHjIyR0l64q6BkQjFPXe)
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Generic.AC.1C5A9A!tr
AVG: Win32:Dropper-NJB [Drp]
Cybereason: malicious.c7c260
Panda: Trj/Genetic.gen

How to remove Troj/Urelas-Q?

Troj/Urelas-Q removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.