urelas | 4410d3de681f8c4f4cb4f55fe465384c4d0d5e9403e505d4f7ab78e16e9e991e

General

Target

NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe
Size

289KB
MD5

cbe905ebeb4510ebbeae76aacfac70e0
SHA1

c6e815b74120f8e9aa50d3eb45af24a895e3c6e4
SHA256

4410d3de681f8c4f4cb4f55fe465384c4d0d5e9403e505d4f7ab78e16e9e991e
SHA512

308e219b417b7bdab974830111fd3568a02015f08ac8942b1e96d8ea97acdc70a9176e3438fcba93d3a4beeb029d7199eb2ed1704e6b483cfce44af7ee346ddc
SSDEEP

6144:1VzEZ5YgoSsj/ZQUWvYqDUbsbX6EdK77RXW7VGwrLO8O7Pf:a7oSOWUWvXbX5g7pW7Jg

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.182

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\International\Geo\Nation	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe

Executes dropped EXE 1 IoCs

pid	Process
4864	sander.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2856-0-0x0000000000960000-0x00000000009FC000-memory.dmp	upx
behavioral2/memory/2856-1-0x0000000000960000-0x00000000009FC000-memory.dmp	upx
behavioral2/memory/2856-2-0x0000000000960000-0x00000000009FC000-memory.dmp	upx
behavioral2/files/0x0006000000022e00-8.dat	upx
behavioral2/files/0x0006000000022e00-10.dat	upx
behavioral2/files/0x0006000000022e00-12.dat	upx
behavioral2/memory/4864-13-0x0000000000300000-0x000000000039C000-memory.dmp	upx
behavioral2/memory/2856-16-0x0000000000960000-0x00000000009FC000-memory.dmp	upx
behavioral2/memory/4864-19-0x0000000000300000-0x000000000039C000-memory.dmp	upx
behavioral2/memory/4864-26-0x0000000000300000-0x000000000039C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 4864	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	92
PID 2856 wrote to memory of 4864	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	92
PID 2856 wrote to memory of 4864	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	92
PID 2856 wrote to memory of 324	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	93
PID 2856 wrote to memory of 324	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	93
PID 2856 wrote to memory of 324	2856	NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cbe905ebeb4510ebbeae76aacfac70e0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
287B

MD5
e5e2df68e6158600bf30e8444cffaef4

SHA1
f70fb7d2c97bad899d4db34f84b1db260cb88ce5

SHA256
d3e5489f1e1fefa0eb79519d1df6e1adeb16d9832362dbb9a3bae3ed3c6a3271

SHA512
e5063d720663677cf43520db22fcb60d59ac71582b8029e956ffab0995c8c1ad6604cc2eeb1fec077c588559e4a8833fa5d700a9d42d7b516e2fb26587a1982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
478fec1df0aef79beb699928cb2787fa

SHA1
dfff00b9eceaebff908ca9681320d4c770f14814

SHA256
c186c06d9bed7785981b05d4c474afd33a83f9ef0e8f5a558505a44af519ec30

SHA512
9875eb579e6ab7d8595be86eb53bb8aec6b6d09af4f96742aea1dbcf21fda7e1b7bb561ad5bdbc560472d94e76eca975e33d8ca9ae6e30d1261b86dbb511cf6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
289KB

MD5
b3659aec42ada775a8abdcd9459e3271

SHA1
5c295fc969e02b584043588ceb629dc0ffc41425

SHA256
3f00e6120e71946aff6e3f08cad2659eb2fd99bb74bf0d045473bc8728306efc

SHA512
5bdfce92a04cbbe6d0561a3b722150b25e9169afc0e788e01a2ebfbefbca3f0b18f721993179fee90b71a56f1a2691b8e3544d14b9ce5901022c0aa9cfa7a70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
289KB

MD5
b3659aec42ada775a8abdcd9459e3271

SHA1
5c295fc969e02b584043588ceb629dc0ffc41425

SHA256
3f00e6120e71946aff6e3f08cad2659eb2fd99bb74bf0d045473bc8728306efc

SHA512
5bdfce92a04cbbe6d0561a3b722150b25e9169afc0e788e01a2ebfbefbca3f0b18f721993179fee90b71a56f1a2691b8e3544d14b9ce5901022c0aa9cfa7a70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
289KB

MD5
b3659aec42ada775a8abdcd9459e3271

SHA1
5c295fc969e02b584043588ceb629dc0ffc41425

SHA256
3f00e6120e71946aff6e3f08cad2659eb2fd99bb74bf0d045473bc8728306efc

SHA512
5bdfce92a04cbbe6d0561a3b722150b25e9169afc0e788e01a2ebfbefbca3f0b18f721993179fee90b71a56f1a2691b8e3544d14b9ce5901022c0aa9cfa7a70f

Download Submit
memory/2856-0-0x0000000000960000-0x00000000009FC000-memory.dmp

Filesize
624KB

Download
memory/2856-1-0x0000000000960000-0x00000000009FC000-memory.dmp

Filesize
624KB

Download
memory/2856-2-0x0000000000960000-0x00000000009FC000-memory.dmp

Filesize
624KB

Download
memory/2856-16-0x0000000000960000-0x00000000009FC000-memory.dmp

Filesize
624KB

Download
memory/4864-13-0x0000000000300000-0x000000000039C000-memory.dmp

Filesize
624KB

Download
memory/4864-19-0x0000000000300000-0x000000000039C000-memory.dmp

Filesize
624KB

Download
memory/4864-26-0x0000000000300000-0x000000000039C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing