urelas | a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325

General

Target

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
Size

6.4MB
MD5

942720ef7700407a8cba784c763d17e6
SHA1

e4575d037ae39d9048b4c3db71a45f98f14bf939
SHA256

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325
SHA512

1da95caa024bef6fa7bde5cb360af8c5d828e587faf1b467b91b87293855b08af7859cdc7fef1ad8af261afc212ccd5a6f18c6bbbf54182e0247076448f276bd
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\usxul.exe	UPX
behavioral2/memory/2864-69-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exeromoe.exekitylu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	romoe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	kitylu.exe

Executes dropped EXE 3 IoCs

Processes:

romoe.exekitylu.exeusxul.exe

pid process

2400 romoe.exe
4188 kitylu.exe
2864 usxul.exe

pid	process
2400	romoe.exe
4188	kitylu.exe
2864	usxul.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\usxul.exe	upx
behavioral2/memory/2864-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exeromoe.exekitylu.exeusxul.exe

pid	process
3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
2400	romoe.exe
2400	romoe.exe
4188	kitylu.exe
4188	kitylu.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe
2864	usxul.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exeromoe.exekitylu.exe

description	pid	process	target process
PID 3084 wrote to memory of 2400	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	romoe.exe
PID 3084 wrote to memory of 2400	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	romoe.exe
PID 3084 wrote to memory of 2400	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	romoe.exe
PID 3084 wrote to memory of 1204	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 3084 wrote to memory of 1204	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 3084 wrote to memory of 1204	3084	a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe	cmd.exe
PID 2400 wrote to memory of 4188	2400	romoe.exe	kitylu.exe
PID 2400 wrote to memory of 4188	2400	romoe.exe	kitylu.exe
PID 2400 wrote to memory of 4188	2400	romoe.exe	kitylu.exe
PID 4188 wrote to memory of 2864	4188	kitylu.exe	usxul.exe
PID 4188 wrote to memory of 2864	4188	kitylu.exe	usxul.exe
PID 4188 wrote to memory of 2864	4188	kitylu.exe	usxul.exe
PID 4188 wrote to memory of 2256	4188	kitylu.exe	cmd.exe
PID 4188 wrote to memory of 2256	4188	kitylu.exe	cmd.exe
PID 4188 wrote to memory of 2256	4188	kitylu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe
"C:\Users\Admin\AppData\Local\Temp\a40d936aae98d615e0d87b4f93f52cd576ac70019c372bd858921438c934d325.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\romoe.exe
"C:\Users\Admin\AppData\Local\Temp\romoe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\kitylu.exe
"C:\Users\Admin\AppData\Local\Temp\kitylu.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\usxul.exe
"C:\Users\Admin\AppData\Local\Temp\usxul.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
340B

MD5
869e894f5ee558beaff29ff2047f6fe0

SHA1
e2033f962823f33da9e5663c14d405fadc1b8e37

SHA256
6bee8906939435831cc0025592556b4e3bf44a88037ad18cc005aa94fc9b2dc3

SHA512
4a96d4f27b6dcc7db4ed6105c8b69b051c8399ef685638734b7d9f0e12d0fc4302c8fd0fe42943539c4e044e3edc7cffc7b9097f466b584c053a954701acc5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
aa4e22c11df815d919ba53d10f7ba4df

SHA1
3a0ffaa6d044531336d1582ea4fc6b9f1878074f

SHA256
02a35f606024d8c5e694e75c239e638d9ca805876a82ba8d4fcf6844b11dac6d

SHA512
9fe50fadb6132641b25dd5ea58db1c102748bce13860f749aa2cead759200bbac30ab848f8b04a6a60103b688144c0c3a1086a8fd285a191a1ecf7a71e3c2883

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
4519c3ed487722d995839c339256d0fc

SHA1
8a47bed6ded514b58840b5ec554cfc65c451523d

SHA256
e00c0310a7c9886e7d623a210425356e3dbfe8240cb3b1e86d855194820e63e7

SHA512
4bbeed6ad453ef7fa2ed465c5b0fac2123a35ee486ec6cf171cfae00db42db900b0687e3f8906571fede27b96d06fab70dfe73bfae94d9d5b683fe6d0cb4ea51

Download Submit
C:\Users\Admin\AppData\Local\Temp\romoe.exe
Filesize
6.4MB

MD5
47bc1cd494698630c9a2c5c603767a04

SHA1
b09a1fe514d491c74ad38c91b7fd5b62eeff3d28

SHA256
8db50e24dff62b208b1c21df6267dfed7870ce04c21932702f7af16413a52d34

SHA512
9e540b4261f4fcb5cf2c58748ccf0ef958fa90f79ce53bc6b715ba2f0e85aa2b53a6db8888d822727b6c1910d960c55c847c66844a235324b5045b92bb05c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\usxul.exe
Filesize
459KB

MD5
73bb2c076f640e9026bc8d93b6ddc44b

SHA1
4eab861dc8056a7cbbd0b521ec97bccb9859ba1c

SHA256
97a51c51538d7135f8673250edfb5de18ebcc3f41c9aec4296b4a4dd34dcf1ba

SHA512
1a9d9c02e78cae44f4cde5f034252c6d1a24e1766db43dafc495997e612a1d233b6e139bfb03a5e661b4d8dabce6cdc1f42e07aa7dee9454c920cf4d300c85cd

Download Submit
memory/2400-28-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2400-46-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-33-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/2400-29-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2400-30-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2400-31-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2400-32-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/2400-27-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2400-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2400-34-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2864-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3084-4-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/3084-7-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3084-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-5-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3084-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-6-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3084-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3084-2-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3084-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/3084-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3084-8-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3084-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4188-49-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4188-48-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4188-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4188-50-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4188-51-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/4188-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4188-52-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4188-53-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4188-54-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4188-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads