urelas | 5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629

General

Target

5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe
Size

6.5MB
MD5

d025ce44f2d111405a6647bdc69dae58
SHA1

d2bd73a3bb19800f4a500f08e01ee2b1afff319b
SHA256

5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629
SHA512

3c3a8f9d7c317ea37353f3ad9f4f5e37602c4516ec905c34b27657e0bdcea19f67c4fc56f3b73a750cc9fc8f1e140a47fe4dc509ccb438db6edd6f5997cf1591
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSZ:i0LrA2kHKQHNk3og9unipQyOaOZ

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zines.exe	UPX
behavioral2/memory/4396-71-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/4396-75-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/4396-78-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exexucej.exevolezu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	xucej.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	volezu.exe

Executes dropped EXE 3 IoCs

Processes:

xucej.exevolezu.exezines.exe

pid process

4736 xucej.exe
1112 volezu.exe
4396 zines.exe

pid	process
4736	xucej.exe
1112	volezu.exe
4396	zines.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zines.exe	upx
behavioral2/memory/4396-71-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4396-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4396-78-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exexucej.exevolezu.exezines.exe

pid	process
4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe
4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe
4736	xucej.exe
4736	xucej.exe
1112	volezu.exe
1112	volezu.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe
4396	zines.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exexucej.exevolezu.exe

description	pid	process	target process
PID 4180 wrote to memory of 4736	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	xucej.exe
PID 4180 wrote to memory of 4736	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	xucej.exe
PID 4180 wrote to memory of 4736	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	xucej.exe
PID 4180 wrote to memory of 3684	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	cmd.exe
PID 4180 wrote to memory of 3684	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	cmd.exe
PID 4180 wrote to memory of 3684	4180	5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe	cmd.exe
PID 4736 wrote to memory of 1112	4736	xucej.exe	volezu.exe
PID 4736 wrote to memory of 1112	4736	xucej.exe	volezu.exe
PID 4736 wrote to memory of 1112	4736	xucej.exe	volezu.exe
PID 1112 wrote to memory of 4396	1112	volezu.exe	zines.exe
PID 1112 wrote to memory of 4396	1112	volezu.exe	zines.exe
PID 1112 wrote to memory of 4396	1112	volezu.exe	zines.exe
PID 1112 wrote to memory of 3092	1112	volezu.exe	cmd.exe
PID 1112 wrote to memory of 3092	1112	volezu.exe	cmd.exe
PID 1112 wrote to memory of 3092	1112	volezu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe
"C:\Users\Admin\AppData\Local\Temp\5f169b56830ff1be1feacf781cd916d09ad7b1ca095e1ea619e88b7984d32629.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4180

C:\Users\Admin\AppData\Local\Temp\xucej.exe
"C:\Users\Admin\AppData\Local\Temp\xucej.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\volezu.exe
"C:\Users\Admin\AppData\Local\Temp\volezu.exe" OK
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\zines.exe
"C:\Users\Admin\AppData\Local\Temp\zines.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
4⤵
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
2⤵
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
340B

MD5
dc3595707c1a720da4c915a5624ec7f4

SHA1
4d076a0c55e0ea356848956a953b5aeaa1652d7e

SHA256
f2be1001369e80b247ca4fae4053889b989a47450d9537fbabfd25fb1fcbcb0b

SHA512
4aab65ff5559d10cbe0268a6d20ce03315e99b939b12ef5cab18091c1b22f14fd7da7cbf34f0addea019fa18de3a6f0220ebe45b8bc3f8092c821e3b8ad53c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
Filesize
224B

MD5
65f64d802c091542b9af641f2b5eed13

SHA1
19a76466baa4ab4d3a9f05014356910bd5cd316c

SHA256
4e7284713eb018b05c24152f35137435c154c3e4fc845d036a586b9a5dc301cb

SHA512
bde5bc256870f211bf4c459450a05e81233fc4245528ccdabf8c26e913f035279f57ac2ec7b5d33ecf52549dcacb264751d7a4bcb010b6c4ffc6c0c3923e2d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini
Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize
512B

MD5
11ed0cd3c8c526b18c0f91b07f83f4d4

SHA1
f0ffad6001d1a9ace306b504a57a8f0856fe82a8

SHA256
1f7347fedc1a343a3d954285f615c15e2d7ad3d457a690e46796e8e008c0b351

SHA512
ce7b5489e0f7370608c3ebd59932ad2e3e16ec7c0ad07f774aece648e867d6b37a7c15e4f7684cb777d8788f29a918681cce3815d76e63f5b7a86dbea897ade0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xucej.exe
Filesize
6.5MB

MD5
d09bea1c5cd1f557cd7f22956985a5b5

SHA1
e57dbf7730cf3ec3009d9eb8e926447defd41312

SHA256
52b20abbe915ab141b602c0a2638ba2edf0fe5f1a2b5e16b237a4186bf6d75f7

SHA512
b9934fa7f814b6f1a04c3d6a6218dd85d91ef0282ccbc57a11832960626045f951592d585f63ce728383834b9a174dbd59890c00b9e38ffdcc9d5b32200dde84

Download Submit
C:\Users\Admin\AppData\Local\Temp\zines.exe
Filesize
459KB

MD5
a7076955c76fc7a7c899aef335ac0075

SHA1
1e9c90f9a40ace71296ec727c8f6eeaa1b8c42f3

SHA256
b83b793d0c4f39b2177ca488010363431fab8096c48175a33456c7510e760443

SHA512
36764df9cd9e866e4eb5332cf8fa36bf48709b402054f329c8ca0f425931ae6e0bbc0306134503b3bf0d00c1b1948177d0bd8c494c5da8c3485860f65cad6a41

Download Submit
memory/1112-54-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1112-55-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1112-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1112-56-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/1112-50-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1112-53-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1112-51-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1112-52-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1112-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4180-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4180-1-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/4180-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4180-4-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/4180-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4180-2-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4180-8-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/4180-7-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4180-6-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4180-5-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4180-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4180-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4180-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4396-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4396-78-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4396-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4736-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4736-29-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/4736-30-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4736-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4736-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4736-31-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/4736-32-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/4736-35-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/4736-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4736-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads