urelas | dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f

General

Target

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
Size

6.5MB
MD5

4afa41328865de81b2f78463262327ee
SHA1

5244e4c8b551579c8b88b3f1f3fa6778e41020de
SHA256

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f
SHA512

d30554c80b73b94864a7df78a0318c4d1ee8288ccdd25f2446dc953c7b3e1e5e352311220060e802fe3b68e1475494ed9a75caf1a2df9b67e304305bc6e7f1c3
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSy:i0LrA2kHKQHNk3og9unipQyOaOy

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\evsue.exe	UPX
behavioral2/memory/2864-68-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exelopaj.exelyviyt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lopaj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lyviyt.exe

Executes dropped EXE 3 IoCs

Processes:

lopaj.exelyviyt.exeevsue.exe

pid process

4520 lopaj.exe
2704 lyviyt.exe
2864 evsue.exe

pid	process
4520	lopaj.exe
2704	lyviyt.exe
2864	evsue.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\evsue.exe	upx
behavioral2/memory/2864-68-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exelopaj.exelyviyt.exeevsue.exe

pid	process
1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
4520	lopaj.exe
4520	lopaj.exe
2704	lyviyt.exe
2704	lyviyt.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe
2864	evsue.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exelopaj.exelyviyt.exe

description	pid	process	target process
PID 1920 wrote to memory of 4520	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	lopaj.exe
PID 1920 wrote to memory of 4520	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	lopaj.exe
PID 1920 wrote to memory of 4520	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	lopaj.exe
PID 1920 wrote to memory of 4368	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 1920 wrote to memory of 4368	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 1920 wrote to memory of 4368	1920	dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe	cmd.exe
PID 4520 wrote to memory of 2704	4520	lopaj.exe	lyviyt.exe
PID 4520 wrote to memory of 2704	4520	lopaj.exe	lyviyt.exe
PID 4520 wrote to memory of 2704	4520	lopaj.exe	lyviyt.exe
PID 2704 wrote to memory of 2864	2704	lyviyt.exe	evsue.exe
PID 2704 wrote to memory of 2864	2704	lyviyt.exe	evsue.exe
PID 2704 wrote to memory of 2864	2704	lyviyt.exe	evsue.exe
PID 2704 wrote to memory of 3744	2704	lyviyt.exe	cmd.exe
PID 2704 wrote to memory of 3744	2704	lyviyt.exe	cmd.exe
PID 2704 wrote to memory of 3744	2704	lyviyt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe
"C:\Users\Admin\AppData\Local\Temp\dabfcb8e621640939a8708d5c35c50f9c8890794edf55d96cbd99c735efdfa6f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\lopaj.exe
"C:\Users\Admin\AppData\Local\Temp\lopaj.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\lyviyt.exe
"C:\Users\Admin\AppData\Local\Temp\lyviyt.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\evsue.exe
"C:\Users\Admin\AppData\Local\Temp\evsue.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2027e5b52fb635e4bd70c0a8d77cf111

SHA1
bcb0b79fd64b729249a18eb0ddc806efbe69bf8d

SHA256
3c87038f16a96a9a0b5c10d5e121e44def2ad46af29e04e3f05c548083ce9ffa

SHA512
8dd4b5f313861dce472fbef3813b81955836aba86d733a270b8f6c1f42abfbd4d24b7f3d507e4fee5e1dbf89d32c689b3ef44111f37ccc6e7e063ac445fdb908

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a9888fff7b64366094a4c1a86c60a5ea

SHA1
fa51198d954ea4e11e40762fa700080b6d9489d5

SHA256
272b35e37e2f4195f8795992dd256837b0baeaefa190276c6b7393ffff0164a2

SHA512
ed110ddf288bf2a6b23a7aaa7da6d422d422bd2eac4fbd44eca13d80408212667193461d55ed2705979d77ba4cba1918ff5b8f7b4b12588e43ba4d7ecd5183ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\evsue.exe

Filesize
459KB

MD5
163407cfda0d6992f7f6d83c0b8edc25

SHA1
b38b7aa00c2b1f652efa04667b04a6c478db61f0

SHA256
b9520d9dc2e4b7f0c09e4463531ae5afe16ed4f88e62933b3d2b31506fdf2061

SHA512
df503e8a1512ecc4bd35467f7d07407c0cb7a3a46937ef9aaf61599c88e138c9801ffda70e7cfcb36274cede98a618bdc1a38c0bfe50f87e691aa6d96684cdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8408804701ea2979c37c4557ffb4af52

SHA1
8406335db49e5b585186c8a8e439fb9cf83211b9

SHA256
2a0a0e17a818c7a3717dfa94890579b64ac1df76442f4425011f1cecd9127a5d

SHA512
ae3c672726aa2ee4acb21109342b69046d4a9eab194cbaa8a857d9f426d8c516516f730a1b523d30a1a0ca1fa25578e54a788739ab6b8e0e30f15dd2466bd5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\lopaj.exe

Filesize
6.5MB

MD5
ff4cb2e29cbdc0d59f09ee1b67161065

SHA1
98ba79dfd0ac594a598b7cf969b08cdd0f3df2c5

SHA256
54df795c448c3b107928742316dc9159e7f223dbb30dcb55d23c52153c4f1217

SHA512
730aeff2bb6d820ec31bf0388284d52aebd89e03de9d735b1b163ebbf51f92b446a1f6b510edd1b42f8fb579c4ae4e7339794380a7734c3fc3ea34ed2fcbcdcc

Download Submit
memory/1920-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-4-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/1920-5-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1920-2-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1920-1-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1920-6-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1920-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-25-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1920-7-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1920-8-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1920-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1920-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1920-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-52-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2704-51-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2704-70-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-48-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2704-49-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2704-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2704-54-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/2704-53-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2704-50-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2864-68-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-73-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2864-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4520-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4520-30-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4520-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4520-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4520-31-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4520-34-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4520-32-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4520-33-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads