urelas | b809293d8b7831b6020b807876033f5e3d17e9847021aef7e6779b85fecd8f87

General

Target

60f05a16b6709dcc47529967d99d0b70_NEAS.exe
Size

6.4MB
MD5

60f05a16b6709dcc47529967d99d0b70
SHA1

0239bcc4dcbb74a37eb452e60e9c47fc54ce34bd
SHA256

b809293d8b7831b6020b807876033f5e3d17e9847021aef7e6779b85fecd8f87
SHA512

f3e3c08b6bbaa8fa7521c8617feaa2358ebdff7621c7a787421945f1d5eacd7a3955762a11d02e6eae423a3ae399125137999d600664ca2fe38424607d35c609
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSp:i0LrA2kHKQHNk3og9unipQyOaOp

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	60f05a16b6709dcc47529967d99d0b70_NEAS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	apypv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	ciegdu.exe

Executes dropped EXE 3 IoCs

pid	Process
3724	apypv.exe
3004	ciegdu.exe
112	oqfog.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000233ec-64.dat	upx
behavioral2/memory/112-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/112-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/112-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe
3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe
3724	apypv.exe
3724	apypv.exe
3004	ciegdu.exe
3004	ciegdu.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe
112	oqfog.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 3724	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	87
PID 3764 wrote to memory of 3724	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	87
PID 3764 wrote to memory of 3724	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	87
PID 3764 wrote to memory of 4080	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	88
PID 3764 wrote to memory of 4080	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	88
PID 3764 wrote to memory of 4080	3764	60f05a16b6709dcc47529967d99d0b70_NEAS.exe	88
PID 3724 wrote to memory of 3004	3724	apypv.exe	90
PID 3724 wrote to memory of 3004	3724	apypv.exe	90
PID 3724 wrote to memory of 3004	3724	apypv.exe	90
PID 3004 wrote to memory of 112	3004	ciegdu.exe	102
PID 3004 wrote to memory of 112	3004	ciegdu.exe	102
PID 3004 wrote to memory of 112	3004	ciegdu.exe	102
PID 3004 wrote to memory of 4604	3004	ciegdu.exe	103
PID 3004 wrote to memory of 4604	3004	ciegdu.exe	103
PID 3004 wrote to memory of 4604	3004	ciegdu.exe	103

C:\Users\Admin\AppData\Local\Temp\60f05a16b6709dcc47529967d99d0b70_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\60f05a16b6709dcc47529967d99d0b70_NEAS.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\apypv.exe
  "C:\Users\Admin\AppData\Local\Temp\apypv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Users\Admin\AppData\Local\Temp\ciegdu.exe
    "C:\Users\Admin\AppData\Local\Temp\ciegdu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\oqfog.exe
      "C:\Users\Admin\AppData\Local\Temp\oqfog.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:4604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
286B

MD5
7cb5901f481c47f43159efe04b1dba03

SHA1
1c7a8fe0b92575b09bda84be01206be0e33b70ce

SHA256
4364897ec3772f5b1b45dfc6489827a7a9d79d4d74a6ac2574e5894201324f4e

SHA512
2c834c9cf9a9783c226efcb015984bd7c9fed6fb948322cd69f370ffc9d6ebf2d2241f2ba71c38a6da34d6e797c4f1f9e4b3924652546b2bedaf66d41d51567a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8dbea57e2f1834670df150dfa280dbdf

SHA1
f1d970cbce3722580b84996c29bb40c731264153

SHA256
0af5a07d956e7ebc05c301e4d661f06090deec10cbd33c1dd822921a2da3c664

SHA512
b2c7c1908b58f0120844bece2870289517ae95aca6a191e8d9ae1d2a2615024bbd00a193fc5dd5dba334f4cb0d4b4aa6c71fec9e36d2eb9acb5ed66d08873f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\apypv.exe

Filesize
6.4MB

MD5
2f88ab690f3d96ca0f3c754fba5b10df

SHA1
f9b87ba4ac55a4dbdd26f3e6885818292ae7cd80

SHA256
772f9f92d85d8490e93a49749b2fe5d8df162a18a34dcfd56f9601e4d6824336

SHA512
af800d38911bae2a13d3c36e07b2c7d8851063349b7311620b5c8480399fb397533ba454cb30b569cc6eef9f9ed96ff8acb0010818e5e9a04e9e143ae9608800

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a69f3ecfabadb2b5fb19569efdef1771

SHA1
4f9bd56cd1347b9e7547241ac84e6e57d7fa5b9b

SHA256
59f99e92e43873e9738a2a459c9f2eaea893d8cf1112563a89c49174df8bc23e

SHA512
b5aa027a7e8977b5bd211b6959e6388eebd88f9b2a48cd122b7c65c544a7f2427319a22604d5610a7b48634a1cb9725f2970a64d86f7a3b482f3f93b805b7d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqfog.exe

Filesize
459KB

MD5
3ac910aa60da052cd84e5c4a9f65e86b

SHA1
e723b3255badaff7cb94a1c2b1760155c1a405ed

SHA256
38d2d3a502d8e3f3f030533accb1b910e9c9332ed7074bb19e6d0c614faace8b

SHA512
6d0759afed0ab4502e7bc9eec75bcf29e4647b2bbf45c841dfc2a66fd0b582ef4eaed13e3e027cb7fd11cd5f0777ef9db7313f3e812d1a71a4d0e27dfe67dc3f

Download Submit
memory/112-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/112-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/112-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3004-50-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/3004-51-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/3004-52-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/3004-53-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3004-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3004-54-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3004-55-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/3004-56-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3004-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-33-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3724-32-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3724-30-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3724-29-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3724-28-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3724-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3724-31-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3764-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3764-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3764-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3764-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3764-2-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/3764-3-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3764-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/3764-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3764-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3764-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3764-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/3764-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3764-4-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/3764-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing