urelas | fddb13f88b36b3e522df810d59ab1f1af8fdc829d832e39acfe14dfd92d6c07e

General

Target

cd0a5b65338d5b8938a2f7746d2b7a1b.exe
Size

1.1MB
MD5

cd0a5b65338d5b8938a2f7746d2b7a1b
SHA1

6de316020509a70a2de22c15420f4765e1e85cbd
SHA256

fddb13f88b36b3e522df810d59ab1f1af8fdc829d832e39acfe14dfd92d6c07e
SHA512

2dfb93015c8cafa81bdd6eae3280b0af8e03504b92ffe1a0a88bbe427a613d5fccc3a04a46b5c2fe7283e2521a084d1ddc32e04a0ad726e124fe10b988b77287
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YU:tcykpY5852j6aJGl5cqBH

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	cd0a5b65338d5b8938a2f7746d2b7a1b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	tujac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	ibhiqi.exe

Executes dropped EXE 3 IoCs

pid	Process
2172	tujac.exe
2696	ibhiqi.exe
3392	uslui.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023358-31.dat	upx
behavioral2/memory/3392-37-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3392-43-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe
3392	uslui.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 2172	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	95
PID 3120 wrote to memory of 2172	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	95
PID 3120 wrote to memory of 2172	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	95
PID 3120 wrote to memory of 2644	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	97
PID 3120 wrote to memory of 2644	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	97
PID 3120 wrote to memory of 2644	3120	cd0a5b65338d5b8938a2f7746d2b7a1b.exe	97
PID 2172 wrote to memory of 2696	2172	tujac.exe	99
PID 2172 wrote to memory of 2696	2172	tujac.exe	99
PID 2172 wrote to memory of 2696	2172	tujac.exe	99
PID 2696 wrote to memory of 3392	2696	ibhiqi.exe	115
PID 2696 wrote to memory of 3392	2696	ibhiqi.exe	115
PID 2696 wrote to memory of 3392	2696	ibhiqi.exe	115
PID 2696 wrote to memory of 1012	2696	ibhiqi.exe	116
PID 2696 wrote to memory of 1012	2696	ibhiqi.exe	116
PID 2696 wrote to memory of 1012	2696	ibhiqi.exe	116

C:\Users\Admin\AppData\Local\Temp\cd0a5b65338d5b8938a2f7746d2b7a1b.exe
"C:\Users\Admin\AppData\Local\Temp\cd0a5b65338d5b8938a2f7746d2b7a1b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\tujac.exe
  "C:\Users\Admin\AppData\Local\Temp\tujac.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\ibhiqi.exe
    "C:\Users\Admin\AppData\Local\Temp\ibhiqi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\uslui.exe
      "C:\Users\Admin\AppData\Local\Temp\uslui.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1320 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ae2794a94b37e9e51a7e5a92264c3f70

SHA1
8f5538566bf1addbd4694f0ef552d4d8958d8813

SHA256
9ae581ee59a0368aa83a910fe7f87d76775040cb87875bffcd733f22076dc9a5

SHA512
9a4a72f031185f21b0417bffa52a19d6ee22e34b0bfebe479567eecab4a6dba30259fc4823acf8ddfa0312f25504ca699c79dc786a7b87b737e7908d7b61593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
276B

MD5
71518b2619df53bd29b44c704e6bc1c1

SHA1
fc039515f860a373ac919d203e0964498570bd4b

SHA256
f0881d66ab9ffae50b4430c05cba3fc110c06399046a12a943511c25bfba6ede

SHA512
3142f6c4922d63da98893afac4d31d51eee1efba343810a3ec2afdd60ff92834c58461460d578656eba85e1377992fd67fc870d7e1a1b4ed9e07df62bf781b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bda18cd99bc49c68ef75b8856f161286

SHA1
508cf53f0c768a4468dc2780af5d8e831abbb68f

SHA256
aac56c8f086e3e4cc9805b4b3f14017834958eda75424254e03100a849206ab7

SHA512
738c6a61cf6020ffa9222fc37ad18eca1334a70a04c578a25bc0e150cafff43d882df7e4f02b4cdd14a98c1abc1b9ad7ab1058f1bde1eb9cd414c3c06661f51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tujac.exe

Filesize
657KB

MD5
e5ae698fb1aa27f581aa1281411c0a52

SHA1
c9ae128ef6dc88b30ad56745a984715117ee9d2d

SHA256
2403d530dcbbea3eef8de41ea1d46b04b4b482474f52780c9b7eeaa39499b1d6

SHA512
bea480b5061a927fdf4b8788d5ea3e7e2b6da2d27518a2d4b1f04a8e54c707617bf365ef842473ba0aa8b4d01fe4c1d1ec58eafe49e7075c76e344d2e96917d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tujac.exe

Filesize
1.1MB

MD5
d0ec45160ed94d152777f63c3cddb3d5

SHA1
88e3836c2546e463d5aa30f940e78aac2764f8e1

SHA256
057432c9ca622121950f91cf0dcd4ef85a324c75b1d2ff5d08c44f10ee9e6c80

SHA512
6db4eee1bce801bc266720206e9cc1c4977154b2f70c6aa0712a929d6c175375dac61347cf7cfcb5a1d723d5b0d4ecf319e064f53835b9d138cf36d43fa41ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uslui.exe

Filesize
459KB

MD5
fd1888f7c42e04468251ca95ce8b222a

SHA1
9d95df412712e459b6ddf7b374cb936a762278c4

SHA256
8e21163eac820aba02468878341287cf0b7da369ffc89710116e9b355fc16f8c

SHA512
d0bbe16eac5079a08b9e742eafeb035f3da2d8975529eb4b5f6c1254365a8cf737e31018b6d252f1959f5ebfc22cd5f2c88695016c6339dc115ddd8bc6c0e0f2

Download Submit
memory/2172-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2696-39-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2696-23-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3120-15-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3120-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3392-37-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3392-41-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3392-43-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3392-45-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing