urelas | e12617f50b99a3afd880a1723094ae872e7989d8ac982a1bac3999fe4178c02b

General

Target

NEAS.b844358cbb8600301a083f41d3de6780.exe
Size

381KB
MD5

b844358cbb8600301a083f41d3de6780
SHA1

24953b3ee557d9de78c6ab74c44333ec1ff86e8e
SHA256

e12617f50b99a3afd880a1723094ae872e7989d8ac982a1bac3999fe4178c02b
SHA512

a5a83d2be2841772da9962778ffe2ca68fe21d5ed9c11a4b78ed391c925d7f08ef1b0f053faa5bdb5613e057690f43a0c638133f89cd500363e76d69d2293165
SSDEEP

6144:A6wArTEDSCs5wL0Spe5OpvGfnGUtdeHYhZpLkA:AfmQDSCs5woiCOpvmnqH0

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	NEAS.b844358cbb8600301a083f41d3de6780.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	ijixf.exe

Executes dropped EXE 1 IoCs

pid	Process
3868	ijixf.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3328-0-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/3328-1-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/files/0x0007000000022ce3-7.dat	upx
behavioral2/files/0x0007000000022ce3-9.dat	upx
behavioral2/files/0x0007000000022ce3-11.dat	upx
behavioral2/memory/3868-12-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/3328-15-0x0000000000400000-0x0000000000461000-memory.dmp	upx
behavioral2/memory/3868-18-0x0000000000400000-0x0000000000461000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3328 wrote to memory of 3868	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	96
PID 3328 wrote to memory of 3868	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	96
PID 3328 wrote to memory of 3868	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	96
PID 3328 wrote to memory of 228	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	97
PID 3328 wrote to memory of 228	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	97
PID 3328 wrote to memory of 228	3328	NEAS.b844358cbb8600301a083f41d3de6780.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.b844358cbb8600301a083f41d3de6780.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b844358cbb8600301a083f41d3de6780.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Users\Admin\AppData\Local\Temp\ijixf.exe
  "C:\Users\Admin\AppData\Local\Temp\ijixf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
286B

MD5
189d59dc41cd2db2621fd0d243b9e86b

SHA1
0fb033ffbe02e2f3c119c4979a1e3b077cc3f04f

SHA256
de6b55a320640f73935ef313eda87fa4e49c35d2f8e8b12ceff8c86d5ef78dc7

SHA512
cff8f379dcd17f57edc98d149988ef357ea499285ab7949bb33ed704f2c3faecf138a109ce07ac5cfe3f2f7776c1aad27fcece6ffeb6b5b068bc06010b1e4419

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8d112dc7065fd3e483f1d80bfcc78a68

SHA1
dc089f807db1ea73c1a93deff64985650cfcdbb2

SHA256
38260b6f26bc78c8514ceeaa882903cf232175bfad14c879cd05b295037b599a

SHA512
918af653f8199a773b6959cf8ff3a262fefbcb1fa42c4c625d611d6681a17a9760deec61d59ddffe276cd5280d54a1faa0f809b015968ecd0010a8c9d6bdcb00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijixf.exe

Filesize
382KB

MD5
9f4a46076ca05e5810c91d94c81fb553

SHA1
acb3af69de072ef523fcb064cb40d5aed2c0fbbb

SHA256
ec0e409eaf99d89975db77ac7bf77ef512546ad0ea464a8f3426eb92d647f878

SHA512
726706d07ead175483bf975bd7f27cad1169942d7a82001b24f238933a2061663ea65476934e75aa1c449797a7db301ac277d2be07a8ccbdc8cd36330b6765a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijixf.exe

Filesize
382KB

MD5
9f4a46076ca05e5810c91d94c81fb553

SHA1
acb3af69de072ef523fcb064cb40d5aed2c0fbbb

SHA256
ec0e409eaf99d89975db77ac7bf77ef512546ad0ea464a8f3426eb92d647f878

SHA512
726706d07ead175483bf975bd7f27cad1169942d7a82001b24f238933a2061663ea65476934e75aa1c449797a7db301ac277d2be07a8ccbdc8cd36330b6765a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijixf.exe

Filesize
382KB

MD5
9f4a46076ca05e5810c91d94c81fb553

SHA1
acb3af69de072ef523fcb064cb40d5aed2c0fbbb

SHA256
ec0e409eaf99d89975db77ac7bf77ef512546ad0ea464a8f3426eb92d647f878

SHA512
726706d07ead175483bf975bd7f27cad1169942d7a82001b24f238933a2061663ea65476934e75aa1c449797a7db301ac277d2be07a8ccbdc8cd36330b6765a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tabix.exe

Filesize
176B

MD5
e6fe2af123b71cdef47f43a6ad271b73

SHA1
f0f1580327502d4d6c61feb83e336d0839b87890

SHA256
b17c0e654eea53d89d2b1427a7788b319d26b0f2460a63797846177798c218e3

SHA512
19f6766396e3d0b8778288164a93c9057ea837064df0dfdf32dfe090d08d005a2d0486943a8a299f1bc4108ad1e7e41fbd7da6bee5f0e68a653638080c270e9a

Download Submit
memory/3328-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3328-1-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3328-15-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3868-12-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3868-18-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing