urelas | 2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b

General

Target

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
Size

6.4MB
MD5

85a8af248df0dd7e6ce1e93672b33dd1
SHA1

ce35098d1267a22f0b42bacd5e0e3a1f9a1ed7fe
SHA256

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b
SHA512

3b8383903729ce713c97d25fd4e36d8928a9ecaf43eb3775444402015febf7ea41702ebc4d62670b45a6f4278d90a67a7aa991049054f3eb817093f2b90ee9ea
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8:i0LrA2kHKQHNk3og9unipQyOaO8

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\veube.exe	UPX
behavioral2/memory/5036-67-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/5036-72-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/5036-73-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exeanryo.exexyvafe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	anryo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	xyvafe.exe

Executes dropped EXE 3 IoCs

Processes:

anryo.exexyvafe.exeveube.exe

pid process

3492 anryo.exe
2800 xyvafe.exe
5036 veube.exe

pid	process
3492	anryo.exe
2800	xyvafe.exe
5036	veube.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\veube.exe	upx
behavioral2/memory/5036-67-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/5036-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/5036-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exeanryo.exexyvafe.exeveube.exe

pid	process
5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
3492	anryo.exe
3492	anryo.exe
2800	xyvafe.exe
2800	xyvafe.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe
5036	veube.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exeanryo.exexyvafe.exe

description	pid	process	target process
PID 5068 wrote to memory of 3492	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	anryo.exe
PID 5068 wrote to memory of 3492	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	anryo.exe
PID 5068 wrote to memory of 3492	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	anryo.exe
PID 5068 wrote to memory of 3800	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	cmd.exe
PID 5068 wrote to memory of 3800	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	cmd.exe
PID 5068 wrote to memory of 3800	5068	2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe	cmd.exe
PID 3492 wrote to memory of 2800	3492	anryo.exe	xyvafe.exe
PID 3492 wrote to memory of 2800	3492	anryo.exe	xyvafe.exe
PID 3492 wrote to memory of 2800	3492	anryo.exe	xyvafe.exe
PID 2800 wrote to memory of 5036	2800	xyvafe.exe	veube.exe
PID 2800 wrote to memory of 5036	2800	xyvafe.exe	veube.exe
PID 2800 wrote to memory of 5036	2800	xyvafe.exe	veube.exe
PID 2800 wrote to memory of 2488	2800	xyvafe.exe	cmd.exe
PID 2800 wrote to memory of 2488	2800	xyvafe.exe	cmd.exe
PID 2800 wrote to memory of 2488	2800	xyvafe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe
"C:\Users\Admin\AppData\Local\Temp\2ad4606d30bfbc2f1659547fe56cdd7f7397c818dec53f25f936c48b7411dc0b.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\anryo.exe
"C:\Users\Admin\AppData\Local\Temp\anryo.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\xyvafe.exe
"C:\Users\Admin\AppData\Local\Temp\xyvafe.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\veube.exe
"C:\Users\Admin\AppData\Local\Temp\veube.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
4b1e9d2cbd88c549e527cf223c868247

SHA1
af2fb9d53cc0eca9f49c4a399dd7748381f52add

SHA256
e1b431d27989ceb34cf9104069cec2dcfaa3e9f758c23570fa413ccb4d485468

SHA512
8c22774a7801cc0985f397359945f1e20a101ed06824f8f6ef2b833112c611beaba313218148309ba26388a768edc32d356cfc08ffc0b07c82f18cc5cb5dd167

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cd9d1a7db7f73e7f3773329020842a6b

SHA1
09a6a0b3fd3f62cab8be5c2cf49d0c4e388361b8

SHA256
7c46aa41569a54ef2a90e1b0a837489a6fdd843b33beb11f4dfba88fa62f95f0

SHA512
9ad10f63af78b2d46e2018c6635de91d2c8416e24bcb95cf0ddd08b552468e04b01b4a51d62cd3bdbb43ec7ee4765378dc3c8afd9c8c0d38a54d77f041b39b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\anryo.exe

Filesize
6.4MB

MD5
84f327d56dcc952ac5b1ee666abdf110

SHA1
6e78a2c4df1a054cca8e02c5644df5f6e84d2d64

SHA256
14bd83aafe2f0806277af6ae1ebb0e47a813f91864234f32670b141ac7157923

SHA512
53f897c7a7bab8001c6ac396c70efd4d762933742495294e88100adb5b026c0449b260ac5f356204ea0128b679dd472e5cc641f08ca06b1c09b6fd7f4fabf018

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
827cf50c819af9c3177fef6a441cbae5

SHA1
ad814024b14dab7828409063ca64541392a2f89e

SHA256
cd5fff03ffc4877b7d1580c48d9609f0300ea513ef1d4b528468e473f0ae8f1c

SHA512
b2add640f812cb7a99adddc007f9341aca11f141dbb9b536bfb715b25f7ca80d96791400d6f780e4cc8631864e558132d2244d9cdbcec5a76a322c96d3cacdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\veube.exe

Filesize
459KB

MD5
51955c7682df07bac7121fc39f0b8826

SHA1
3370186f5f5e0a944d4ec5df225aa3a5dcadcef1

SHA256
692cdd192fcb20a6f21d13cf1a5da5ee3e90569eaa8876a54f28cda191bd548a

SHA512
a931a47cedf72037f256d71262df1f6a74b990bb917cbace1c4ce5d5fae4d8bffd223e2c2be2ccd940c9ea9dafedb4d8f82883b3cafc28baa7d02f9cdab83a8f

Download Submit
memory/2800-50-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2800-51-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2800-54-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2800-52-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2800-53-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/2800-49-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2800-69-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-28-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/3492-30-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3492-29-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3492-27-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3492-33-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3492-32-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3492-31-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/3492-34-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-46-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5036-67-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5036-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5036-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5068-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-4-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/5068-5-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/5068-10-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-6-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/5068-7-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/5068-9-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/5068-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/5068-1-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/5068-2-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/5068-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/5068-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads