urelas | 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb

General

Target

161db86eb5f9237449a1027c1f63f310N.exe
Size

84KB
MD5

161db86eb5f9237449a1027c1f63f310
SHA1

db84b6c68774555ec724c737798e289818b25eaf
SHA256

9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
SHA512

cd369f9b767ce4513e0bb42e365ea7f7c34de683b61dcbda0c51ab0dd76964ecade34d25f1639bf65bbb12bd49ff032601f0cefd6be0318bd34712d739a7391e
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURF+:JznH976dUCnuniDI

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2888 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

2880 huter.exe
Loads dropped DLL 1 IoCs

Processes:

161db86eb5f9237449a1027c1f63f310N.exe

pid process

2248 161db86eb5f9237449a1027c1f63f310N.exe

pid	process
2888	cmd.exe

pid	process
2880	huter.exe

pid	process
2248	161db86eb5f9237449a1027c1f63f310N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/2880-10-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2248-19-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2880-22-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2880-24-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2880-31-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

161db86eb5f9237449a1027c1f63f310N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	161db86eb5f9237449a1027c1f63f310N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

161db86eb5f9237449a1027c1f63f310N.exe

description	pid	process	target process
PID 2248 wrote to memory of 2880	2248	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 2248 wrote to memory of 2880	2248	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 2248 wrote to memory of 2880	2248	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 2248 wrote to memory of 2880	2248	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 2248 wrote to memory of 2888	2248	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe
PID 2248 wrote to memory of 2888	2248	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe
PID 2248 wrote to memory of 2888	2248	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe
PID 2248 wrote to memory of 2888	2248	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe
"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
5334015acd267d9ce6e95138f9ed96b2

SHA1
5f0c2ba5938255d9fe446a438a61f37c361fa48d

SHA256
e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9

SHA512
3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
c823d0ea71e50abd7b92247b560a6a8f

SHA1
e64be127faed759c8802fed04a6421271512fc42

SHA256
72d9404e525ce99d0b60e0f08a01b074bdf9d2b3cfbea09583be4f8c454fedaa

SHA512
a3a96bab9126a3659e37a382c4dd65aa43f62ff5973c60de6386b8718b35f25cfb9dbf1d649e5efd33c051976ded9a8f63f1d96fd5c9a4d04cec19ae4aeb749a

Download Submit
memory/2248-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2248-9-0x0000000002BD0000-0x0000000002C01000-memory.dmp

Filesize
196KB

Download
memory/2248-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-10-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-24-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2880-31-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads