urelas | 9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db

General

Target

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
Size

6.5MB
MD5

99376ee4ed70611e27327a144ce46553
SHA1

49bdca60f10a3b2957824c16b0bc862224fb0d59
SHA256

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db
SHA512

bcaa3490a23d7614aa888c6cd344d3f0a5c7a3ababdcc26646a6475ee3696c8d02a6930c9007cc2c149fff9881151dc0f81141626c511935aa64941a54954320
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mojoh.exe	UPX
behavioral2/memory/5020-70-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/5020-74-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenowov.exebuguco.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	nowov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	buguco.exe

Executes dropped EXE 3 IoCs

Processes:

nowov.exebuguco.exemojoh.exe

pid process

1920 nowov.exe
2232 buguco.exe
5020 mojoh.exe

pid	process
1920	nowov.exe
2232	buguco.exe
5020	mojoh.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mojoh.exe	upx
behavioral2/memory/5020-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/5020-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenowov.exebuguco.exemojoh.exe

pid	process
4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
1920	nowov.exe
1920	nowov.exe
2232	buguco.exe
2232	buguco.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe
5020	mojoh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exenowov.exebuguco.exe

description	pid	process	target process
PID 4080 wrote to memory of 1920	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nowov.exe
PID 4080 wrote to memory of 1920	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nowov.exe
PID 4080 wrote to memory of 1920	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	nowov.exe
PID 4080 wrote to memory of 460	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 4080 wrote to memory of 460	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 4080 wrote to memory of 460	4080	9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe	cmd.exe
PID 1920 wrote to memory of 2232	1920	nowov.exe	buguco.exe
PID 1920 wrote to memory of 2232	1920	nowov.exe	buguco.exe
PID 1920 wrote to memory of 2232	1920	nowov.exe	buguco.exe
PID 2232 wrote to memory of 5020	2232	buguco.exe	mojoh.exe
PID 2232 wrote to memory of 5020	2232	buguco.exe	mojoh.exe
PID 2232 wrote to memory of 5020	2232	buguco.exe	mojoh.exe
PID 2232 wrote to memory of 4036	2232	buguco.exe	cmd.exe
PID 2232 wrote to memory of 4036	2232	buguco.exe	cmd.exe
PID 2232 wrote to memory of 4036	2232	buguco.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe
"C:\Users\Admin\AppData\Local\Temp\9f28507fa16d84eefa10b851f2a9ecdbdceade2af7a97b6d1974b75e8063b7db.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\nowov.exe
"C:\Users\Admin\AppData\Local\Temp\nowov.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\buguco.exe
"C:\Users\Admin\AppData\Local\Temp\buguco.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\mojoh.exe
"C:\Users\Admin\AppData\Local\Temp\mojoh.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
994a5ec7e19de459ba156d24f14a6fe7

SHA1
5d30972269a7468f80267f13c6cafa156a5d0a56

SHA256
32ffc0db52cc85930d31f5c997bac3c75c4349485bbf769f90a08e2de91806b8

SHA512
ea24550e7787cc220fa9c13625bd40a4da03da671ab4f63677a5bc24055e5fe441c006fad716363f392c47b02d8e42674db8092d7db917a80846eb215023efe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ae4a9081a57d1c97b8ec91d28e3a56dc

SHA1
efb57ac011fac06621bb8775c2fb944f1caf6b70

SHA256
be7f633203439be4bcad8e4ebc3047e646cb12f89ce8597779dadaa77fd83e39

SHA512
d5a88d75abfe2b95b62561426220c4a03decaa895ce13d37cec9f01c92e20e72809f632937e63c93b494dcd0246d9a25b7d446ae9183038a14b349f4071de183

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9992314955f5a01f567f9bc7feed8f0c

SHA1
1338ae854db675326d10ed2ca17731de6b05bca2

SHA256
bfe82e881b92d21cabc9ceb6156559d7ce2d597f27d20920880d41f6e9997452

SHA512
ec83750e89cb4a8c41d9335c9fd78bec9740c52b9c2299b31743dc81c247b3ac345cb891ce1b2cdd58fa8019848d6da85e1cbb6b00ec79f2908cf2124f1e32f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mojoh.exe

Filesize
459KB

MD5
0c1bd6239e26ff8ea2043e88a2718c74

SHA1
e86c9d86ecd2feb31dca755e65a1485e32ed64c9

SHA256
eec9aee3d47a18a39f7e77ac650463ba0bab156cd2305ff6f78271f2eb361bad

SHA512
2d60b6f047a76ae857b674fbb457048dc25ff9a4cfa4fccf724efd516b37902c6e5217dcc11c7f2c16df927b7c39f4d77f22401b4715beb7b37ee2f64be73099

Download Submit
C:\Users\Admin\AppData\Local\Temp\nowov.exe

Filesize
6.5MB

MD5
50b25aaae5c5e305395bd615825c8209

SHA1
6e2f1d2d12698998a97e8a4f35a8d9c5b7cc2d7d

SHA256
fdf73257e683f4ef74d942da25f5fd809fce0feda385597443d751bcb9e3cba9

SHA512
62400f2dbebb92fff8e5ec0c57fcca6baa2282140b6cca8596b4ad3e1bb2a320c691f468181dcaca8a305087190bd6f39fca90cd2f6c61c6ddb2800095027d0d

Download Submit
memory/1920-30-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1920-29-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1920-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-31-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1920-32-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1920-28-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1920-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-33-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1920-34-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1920-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-53-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2232-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-52-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/4080-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4080-2-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4080-5-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4080-6-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4080-7-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4080-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4080-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4080-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4080-1-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4080-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4080-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4080-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4080-8-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/5020-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5020-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads