urelas | 878ae2005915822f5fd5241cfc259d27faa8f199f6745901010ac2ed01ce400a

General

Target

395c38101d250916b001a9e8d9eafb50N.exe
Size

84KB
MD5

395c38101d250916b001a9e8d9eafb50
SHA1

5bf1034a461c4c3127c3df1ddef2219ee02e4425
SHA256

878ae2005915822f5fd5241cfc259d27faa8f199f6745901010ac2ed01ce400a
SHA512

14a1d43a05dbb4ac43c2c8c7be714955f27e9502853f0115a6814c3aef28e3d75d967d081c2edb865dfbe236001bbaf4d1dbcbe04c11ed241e507cb55d2fbaef
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURj:JznH976dUCnuniDP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2212 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2444 huter.exe
Loads dropped DLL 1 IoCs

Processes:

395c38101d250916b001a9e8d9eafb50N.exe

pid process

2948 395c38101d250916b001a9e8d9eafb50N.exe

pid	process
2212	cmd.exe

pid	process
2444	huter.exe

pid	process
2948	395c38101d250916b001a9e8d9eafb50N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2948-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/2948-18-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2444-17-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2444-21-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2444-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2444-30-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

395c38101d250916b001a9e8d9eafb50N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	395c38101d250916b001a9e8d9eafb50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

395c38101d250916b001a9e8d9eafb50N.exe

description	pid	process	target process
PID 2948 wrote to memory of 2444	2948	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 2948 wrote to memory of 2444	2948	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 2948 wrote to memory of 2444	2948	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 2948 wrote to memory of 2444	2948	395c38101d250916b001a9e8d9eafb50N.exe	huter.exe
PID 2948 wrote to memory of 2212	2948	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 2948 wrote to memory of 2212	2948	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 2948 wrote to memory of 2212	2948	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe
PID 2948 wrote to memory of 2212	2948	395c38101d250916b001a9e8d9eafb50N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\395c38101d250916b001a9e8d9eafb50N.exe
"C:\Users\Admin\AppData\Local\Temp\395c38101d250916b001a9e8d9eafb50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\huter.exe
"C:\Users\Admin\AppData\Local\Temp\huter.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2444

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
56ffe7f698ec4b0f68ea0a402ba975b9

SHA1
0ec5ac70789b67d00a9f626905223a6898402453

SHA256
0f412d5407cae82abac8277e8b949d2ac40385eda3716ff5266f52dccb8c50fd

SHA512
0fc18401b6625ab1c8731c22d3f90460c4ce5061a5a5a77bba7e82bd19ea7b86977b8b3e8b8560eb20c9fcfbfc0887fbf223a955434440c23d257662e8072840

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
9a2d8c4479c84ac98a289036960fdaf2

SHA1
2c6e7017fbded9d8c6e54668ec76f0b1218d18ed

SHA256
0f02114711850378785e072acdf35c9eaf5103742ae3937609ff179e5367a6cb

SHA512
495ac17a0ec5dc3a57b0b76ad0b709d4a0553d6d9cae7495004bb80e39d31771f8801c6deb53d389d1999715b6b1bf2a5598da4115668ea06a955e791ce9c127

Download Submit
memory/2444-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2444-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2444-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2444-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-15-0x0000000002900000-0x0000000002931000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads