urelas | 91d9bb403c6ce7eece8eaf345dca0e1baf5bf4591e6b426ba3d921fcb177405c

General

Target

NEAS.c0b531f0de9f7e8305b537535f9f0620.exe
Size

200KB
MD5

c0b531f0de9f7e8305b537535f9f0620
SHA1

63bb2cd5430eb483f7878378e8f9607f678a20a2
SHA256

91d9bb403c6ce7eece8eaf345dca0e1baf5bf4591e6b426ba3d921fcb177405c
SHA512

86a67320786bb7fab27d0c4cf8ce3824e571f8588fde2c8fc373cae20fd68f1e986a89abbb352857501959688cc3680308d3b07725a3812902900fdb93742fff
SSDEEP

1536:Ti+N6u0utYGsoK2mEGIBp+WWN7YfEj77iZ76vVGU2AjZ1g9B5McLaRQLd764cGPP:eYYutRQSc/7c6tJZm9B5MuaRQLd7643H

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3777073499-70821052-905318652-1000\Control Panel\International\Geo\Nation	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe

Executes dropped EXE 1 IoCs

pid	Process
4660	huter.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4796-0-0x00000000001C0000-0x00000000001F3000-memory.dmp	upx
behavioral2/memory/4796-3-0x00000000001C0000-0x00000000001F3000-memory.dmp	upx
behavioral2/files/0x0007000000022c81-7.dat	upx
behavioral2/files/0x0007000000022c81-12.dat	upx
behavioral2/files/0x0007000000022c81-14.dat	upx
behavioral2/memory/4660-13-0x00000000009D0000-0x0000000000A03000-memory.dmp	upx
behavioral2/memory/4796-20-0x00000000001C0000-0x00000000001F3000-memory.dmp	upx
behavioral2/memory/4660-21-0x00000000009D0000-0x0000000000A03000-memory.dmp	upx
behavioral2/memory/4660-22-0x00000000009D0000-0x0000000000A03000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4660	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	90
PID 4796 wrote to memory of 4660	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	90
PID 4796 wrote to memory of 4660	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	90
PID 4796 wrote to memory of 3108	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	91
PID 4796 wrote to memory of 3108	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	91
PID 4796 wrote to memory of 3108	4796	NEAS.c0b531f0de9f7e8305b537535f9f0620.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.c0b531f0de9f7e8305b537535f9f0620.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c0b531f0de9f7e8305b537535f9f0620.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55d2fdd1432483e3ba86ebeccfe130b6

SHA1
7280b14d708800fd15303b2caa8628a0fbd7aa08

SHA256
5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb

SHA512
36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
200KB

MD5
56c4192dd030f3f40472fd14fad5f241

SHA1
b051b029849746e52eb3db4b927d7969dcc913b7

SHA256
c0b3c9a5da39d314b515571f87240d5c381eb4a06cc11c073a9389e14e923b80

SHA512
a9f9ea02629ca2f287bad5b76ad261a1bfc4ec230dfddd0a574369f39de34614b3313f195c52552c6c25358a3edff4463c421d26dbc748b15a36304b2e9243aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
200KB

MD5
56c4192dd030f3f40472fd14fad5f241

SHA1
b051b029849746e52eb3db4b927d7969dcc913b7

SHA256
c0b3c9a5da39d314b515571f87240d5c381eb4a06cc11c073a9389e14e923b80

SHA512
a9f9ea02629ca2f287bad5b76ad261a1bfc4ec230dfddd0a574369f39de34614b3313f195c52552c6c25358a3edff4463c421d26dbc748b15a36304b2e9243aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
200KB

MD5
56c4192dd030f3f40472fd14fad5f241

SHA1
b051b029849746e52eb3db4b927d7969dcc913b7

SHA256
c0b3c9a5da39d314b515571f87240d5c381eb4a06cc11c073a9389e14e923b80

SHA512
a9f9ea02629ca2f287bad5b76ad261a1bfc4ec230dfddd0a574369f39de34614b3313f195c52552c6c25358a3edff4463c421d26dbc748b15a36304b2e9243aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
284B

MD5
f5a61de5ee53ebfca2fc9d1623139f34

SHA1
9be2fde4755926cc9069abc3564cb504184e3c9e

SHA256
bd4fd831110fd056d68d76900ec8562fd697d4190dd9c807f5bf51ffdb1842ff

SHA512
c6b5dcb543aeb56ddacfbeb6bbe8d7c411f672b8cc4e282627f7ce969518ae8e41a1a2d2afe01bf0066d41faa37bb348bc7f3e9166ab17d5d65f654488c347aa

Download Submit
memory/4660-13-0x00000000009D0000-0x0000000000A03000-memory.dmp

Filesize
204KB

Download
memory/4660-21-0x00000000009D0000-0x0000000000A03000-memory.dmp

Filesize
204KB

Download
memory/4660-22-0x00000000009D0000-0x0000000000A03000-memory.dmp

Filesize
204KB

Download
memory/4796-0-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/4796-3-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download
memory/4796-20-0x00000000001C0000-0x00000000001F3000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing