urelas | 878ae2005915822f5fd5241cfc259d27faa8f199f6745901010ac2ed01ce400a

General

Target

395c38101d250916b001a9e8d9eafb50N.exe
Size

84KB
MD5

395c38101d250916b001a9e8d9eafb50
SHA1

5bf1034a461c4c3127c3df1ddef2219ee02e4425
SHA256

878ae2005915822f5fd5241cfc259d27faa8f199f6745901010ac2ed01ce400a
SHA512

14a1d43a05dbb4ac43c2c8c7be714955f27e9502853f0115a6814c3aef28e3d75d967d081c2edb865dfbe236001bbaf4d1dbcbe04c11ed241e507cb55d2fbaef
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURj:JznH976dUCnuniDP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2128 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2272 huter.exe
Loads dropped DLL 1 IoCs

Processes:

395c38101d250916b001a9e8d9eafb50N.exe

pid process

1000 395c38101d250916b001a9e8d9eafb50N.exe

pid	process
2128	cmd.exe

pid	process
2272	huter.exe

pid	process
1000	395c38101d250916b001a9e8d9eafb50N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1000-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/2272-9-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/1000-18-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2272-21-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2272-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2272-30-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

395c38101d250916b001a9e8d9eafb50N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	395c38101d250916b001a9e8d9eafb50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

395c38101d250916b001a9e8d9eafb50N.exe

description	pid	process	target process
PID 1000 wrote to memory of 2272	1000	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 1000 wrote to memory of 2272	1000	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 1000 wrote to memory of 2272	1000	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 1000 wrote to memory of 2272	1000	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 1000 wrote to memory of 2128	1000	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 1000 wrote to memory of 2128	1000	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 1000 wrote to memory of 2128	1000	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 1000 wrote to memory of 2128	1000	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\395c38101d250916b001a9e8d9eafb50N.exe
"C:\Users\Admin\AppData\Local\Temp\395c38101d250916b001a9e8d9eafb50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
56ffe7f698ec4b0f68ea0a402ba975b9

SHA1
0ec5ac70789b67d00a9f626905223a6898402453

SHA256
0f412d5407cae82abac8277e8b949d2ac40385eda3716ff5266f52dccb8c50fd

SHA512
0fc18401b6625ab1c8731c22d3f90460c4ce5061a5a5a77bba7e82bd19ea7b86977b8b3e8b8560eb20c9fcfbfc0887fbf223a955434440c23d257662e8072840

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
f674f5c0090dace977558e6af946c2c4

SHA1
acfc4a3872f4ae4b8f80b35cf3e0402e66d43251

SHA256
c8d5d49bbd7e8426994c775472a3ce30e4d6fc55fb8af8e0b177b06a476a380d

SHA512
1012fd880880dd291ff7877b5be60d03549924095f3ee6131a0e56cadc7bdfb22686e8713f416c32f9ba6db3424cb273f5431d6be2f5db4d96c6731df405fb8d

Download Submit
memory/1000-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1000-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2272-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads