urelas | f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530

General

Target

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
Size

6.5MB
MD5

92e0624826b4f17f1fcf2b53e454c216
SHA1

f079f61759d17db1440b09837cdc99817c42a65b
SHA256

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530
SHA512

5b4cfcebe3b2faee309baa3e4d90f4157e055c9044868f95fcec9080a72f76384a31967e0c3ca48435bbcf66ebaa7be5fc718e3c4d86f3c6ec103f4234ea61e3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSD:i0LrA2kHKQHNk3og9unipQyOaOD

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\abifu.exe	UPX
behavioral2/memory/1752-69-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/1752-73-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exewofux.exeogtoad.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wofux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	ogtoad.exe

Executes dropped EXE 3 IoCs

Processes:

wofux.exeogtoad.exeabifu.exe

pid process

1432 wofux.exe
1544 ogtoad.exe
1752 abifu.exe

pid	process
1432	wofux.exe
1544	ogtoad.exe
1752	abifu.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\abifu.exe	upx
behavioral2/memory/1752-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/1752-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exewofux.exeogtoad.exeabifu.exe

pid	process
2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
1432	wofux.exe
1432	wofux.exe
1544	ogtoad.exe
1544	ogtoad.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe
1752	abifu.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exewofux.exeogtoad.exe

description	pid	process	target process
PID 2220 wrote to memory of 1432	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	wofux.exe
PID 2220 wrote to memory of 1432	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	wofux.exe
PID 2220 wrote to memory of 1432	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	wofux.exe
PID 2220 wrote to memory of 1164	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2220 wrote to memory of 1164	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 2220 wrote to memory of 1164	2220	f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe	cmd.exe
PID 1432 wrote to memory of 1544	1432	wofux.exe	ogtoad.exe
PID 1432 wrote to memory of 1544	1432	wofux.exe	ogtoad.exe
PID 1432 wrote to memory of 1544	1432	wofux.exe	ogtoad.exe
PID 1544 wrote to memory of 1752	1544	ogtoad.exe	abifu.exe
PID 1544 wrote to memory of 1752	1544	ogtoad.exe	abifu.exe
PID 1544 wrote to memory of 1752	1544	ogtoad.exe	abifu.exe
PID 1544 wrote to memory of 1608	1544	ogtoad.exe	cmd.exe
PID 1544 wrote to memory of 1608	1544	ogtoad.exe	cmd.exe
PID 1544 wrote to memory of 1608	1544	ogtoad.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe
"C:\Users\Admin\AppData\Local\Temp\f2ba1c1c4fc4f63461c8ed70d2c65edeef172e9d282dc561bab1d88640273530.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\wofux.exe
"C:\Users\Admin\AppData\Local\Temp\wofux.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Local\Temp\ogtoad.exe
"C:\Users\Admin\AppData\Local\Temp\ogtoad.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\abifu.exe
"C:\Users\Admin\AppData\Local\Temp\abifu.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
340B

MD5
825d427f5c1c4332b39ae0841a9fbb4d

SHA1
5836bb85e53beceb20aa6c1ede8fa941bfdd1037

SHA256
2161e402289cedf7c2fd166461968b946279cc72acc1a470b9b4e4bfb6b006d1

SHA512
99171eeb3d8271b6899677f869596b1bd7bed78b5b260322eff42e61b3bd16f9ccfe3bdda8c1a61310cbf459c015ff82c4b15dc088c3b0aba864a42c5479d472

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
f77fbacb034d93b4a66410bc285030d7

SHA1
31d16478d19382d0cefe0eb33ac17ae4361ac8fe

SHA256
95a4090bc7f9d14c507dfb6f5532750709c86ce441bdafa28f66f663d1dc0e9e

SHA512
0695889683229ef4478964b7b201a76e3939c4b78778021c6baff200ca211fa045e3f58d5487a2e0f23db958f31498ae27bdb72896f57299e69eef9aa893e814

Download Submit
C:\Users\Admin\AppData\Local\Temp\abifu.exe
Filesize
459KB

MD5
3e5a25cf11c84c192fe384b69a95d673

SHA1
d57dc941b3954c65e8310b808d2007d3b84d3fde

SHA256
a0c37666ab9f666fff7c884cfb8d6f5e810fa7067299b0a83923a23828b4ff8d

SHA512
944dc2d0a75f0751023c785cc8d9ac352f85b7a648903787931dadaae2d5ddf9c897913dc9660c5efc3266f895a335459da1447d23c26f5028ce20140a8e66b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
65d14e7edd662b8e18be1e04571b9c61

SHA1
9b49bb73f0baf3ebca11ea7fa2163391895fe0f9

SHA256
eeaa4214400930f63b20ff79a96a1779a58ccfcffb2ba0ccc190d093a5003ccc

SHA512
259398c5486eeb27167640437fa70b6b671cba5c8b1a914ff8929e5e2212f27c84bd9b5b638e4cafbe627574dcf83c5ac2865c7aec6c511603e55b651593fe96

Download Submit
C:\Users\Admin\AppData\Local\Temp\wofux.exe
Filesize
6.5MB

MD5
238ab91fe1c0eb6e9607a4d3ace97ca6

SHA1
a90f57afb854b30c2e1652c76139313db4cd9cea

SHA256
f152bd8cf983dbf7b06033b7c014470f23c275155f89ea304efe3208428d619b

SHA512
e15e36d28e798769fffd8d4795f8e852917735247ca11965ea266c6e1a0db8d87052cd1cc685ca0d01a9e5ab634ce3ee50d443eccf43a11e00b16b49dd27128f

Download Submit
memory/1432-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1432-27-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1432-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1432-28-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1432-29-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1432-34-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1432-30-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1432-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1432-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1432-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1432-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1544-53-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1544-49-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1544-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1544-48-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1544-51-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1544-52-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1544-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1544-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1544-50-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1752-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1752-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2220-10-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2220-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2220-1-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2220-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2220-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2220-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2220-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2220-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2220-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2220-2-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/2220-3-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/2220-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads