urelas | b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490

General

Target

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
Size

6.5MB
MD5

80ce7f98edfdd8fe48863438b86eddbc
SHA1

3ac14ddab6abb60e46cb537eba13c441032009ae
SHA256

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490
SHA512

da5a971230c05a263a245c6c9ff941bbf6f3a112f3a221d97ce4be04bdb9c37b2801abef0fee7bc0d5de0c6e33ed3b57a7cd8b60cc8b29da12210bbf7e20d1b1
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

UPX dump on OEP (original entry point) 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ahajf.exe	UPX
behavioral2/memory/4508-70-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/4508-75-0x0000000000400000-0x0000000000599000-memory.dmp	UPX
behavioral2/memory/4508-76-0x0000000000400000-0x0000000000599000-memory.dmp	UPX

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exeboheu.exeyjyjju.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	boheu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	yjyjju.exe

Executes dropped EXE 3 IoCs

Processes:

boheu.exeyjyjju.exeahajf.exe

pid process

5052 boheu.exe
3776 yjyjju.exe
4508 ahajf.exe

pid	process
5052	boheu.exe
3776	yjyjju.exe
4508	ahajf.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ahajf.exe	upx
behavioral2/memory/4508-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4508-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4508-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exeboheu.exeyjyjju.exeahajf.exe

pid	process
2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
5052	boheu.exe
5052	boheu.exe
3776	yjyjju.exe
3776	yjyjju.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe
4508	ahajf.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exeboheu.exeyjyjju.exe

description	pid	process	target process
PID 2244 wrote to memory of 5052	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	boheu.exe
PID 2244 wrote to memory of 5052	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	boheu.exe
PID 2244 wrote to memory of 5052	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	boheu.exe
PID 2244 wrote to memory of 2528	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 2244 wrote to memory of 2528	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 2244 wrote to memory of 2528	2244	b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe	cmd.exe
PID 5052 wrote to memory of 3776	5052	boheu.exe	yjyjju.exe
PID 5052 wrote to memory of 3776	5052	boheu.exe	yjyjju.exe
PID 5052 wrote to memory of 3776	5052	boheu.exe	yjyjju.exe
PID 3776 wrote to memory of 4508	3776	yjyjju.exe	ahajf.exe
PID 3776 wrote to memory of 4508	3776	yjyjju.exe	ahajf.exe
PID 3776 wrote to memory of 4508	3776	yjyjju.exe	ahajf.exe
PID 3776 wrote to memory of 1192	3776	yjyjju.exe	cmd.exe
PID 3776 wrote to memory of 1192	3776	yjyjju.exe	cmd.exe
PID 3776 wrote to memory of 1192	3776	yjyjju.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe
"C:\Users\Admin\AppData\Local\Temp\b2051422e61b650f35f2a3d6c4ac5eb12f3791153ed8bbb5fd95bb6f88a83490.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\boheu.exe
  "C:\Users\Admin\AppData\Local\Temp\boheu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Users\Admin\AppData\Local\Temp\yjyjju.exe
    "C:\Users\Admin\AppData\Local\Temp\yjyjju.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\ahajf.exe
      "C:\Users\Admin\AppData\Local\Temp\ahajf.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:1192
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
047258f69b43a63ed080fab58ccc3870

SHA1
5f977c66a3c9c4ba4eb7fd64a328e3fb276021c3

SHA256
e4247ed07ae9d58a17b8a358208d99b84de0f42a9a6627a7d2a025eabdb5ed25

SHA512
eba77558ca6a4421d2adc948186831e4ffba740cf85b95bcf41f560891e8da610c7adcbd166dcb8714d4444ec407b0204884db63b52d0f647093876b41240980

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c7f8edd0387a632f56ccc6d6fc5997bf

SHA1
af3272060b186d6f56d832965fe6b618c41abb70

SHA256
73f92c0e0de1dee4fc276efd5d46190949cd4860d940da398cb80d051f74b1ad

SHA512
f58774c90ac735df1501667783e1f777b37aba47e3bf82f9c7368eacb94a84c864b9cc816a00768a674d80d025a462b362d9ae8a85565ad2507e515b14f18711

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahajf.exe

Filesize
459KB

MD5
e09a0d00412c35e4588ecc1ba715e229

SHA1
72ea8c4eff2aa7368a87e0f4a1568d9593ac8c6d

SHA256
2c72af82bc070c3b865abcb1149a82a8a8b70bd8da10da9801be1a057e5b1b2f

SHA512
58be6d6bb0027cff20c8bafbf264534d173d9a9303b9f887b8715d10e4239a45406a443b34d3cedbc350c36da6d56f0bb27f8d8d0ac24ccec4741f4b5b164f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\boheu.exe

Filesize
6.5MB

MD5
24bacb84cacd060e3db28a23708b9c5b

SHA1
6db7d95a2fdc727f775e80f1d56185b8cd093c16

SHA256
4604200e5d70ac245c37b03df2fe3eece9a84978268321f3dd407c8afb6798e8

SHA512
4fd2313a2b08594259bf7faea5f8301d44457c3024598ffa5a200d0cd448f22f307e883b6ea6938deed9052b0c96def2f8f79b0b3efde9b433c8644894d1bc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d53fb5f2719d2ff57ed83200088ee4a5

SHA1
0f0e0b35676323fb09c37d9cb0e33f5611fffa68

SHA256
1e5254fa8d1bdcd75b4f051abee69bcaf7b0831cc6080cb5aa3598b1c8499aae

SHA512
e8dff6f1d3161953a1fc457ca323e8cda6e15d05cbd2b2fccd58dda76d72c3b10bc0b6af7f8bf12ebe55b986966983124cef90794aeb032777e5a959025138e7

Download Submit
memory/2244-6-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2244-3-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2244-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2244-11-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2244-5-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2244-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2244-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2244-7-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2244-8-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2244-4-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3776-56-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3776-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3776-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3776-53-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/3776-54-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/3776-55-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3776-52-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3776-51-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4508-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4508-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4508-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5052-35-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/5052-34-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/5052-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5052-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/5052-30-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/5052-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5052-31-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/5052-32-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/5052-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5052-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5052-33-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5052-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads