urelas | 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb

General

Target

161db86eb5f9237449a1027c1f63f310N.exe
Size

84KB
MD5

161db86eb5f9237449a1027c1f63f310
SHA1

db84b6c68774555ec724c737798e289818b25eaf
SHA256

9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
SHA512

cd369f9b767ce4513e0bb42e365ea7f7c34de683b61dcbda0c51ab0dd76964ecade34d25f1639bf65bbb12bd49ff032601f0cefd6be0318bd34712d739a7391e
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURF+:JznH976dUCnuniDI

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

161db86eb5f9237449a1027c1f63f310N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation	161db86eb5f9237449a1027c1f63f310N.exe

Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

772 huter.exe

pid	process
772	huter.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3632-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral2/memory/772-14-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3632-18-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/772-21-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/772-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/772-29-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

161db86eb5f9237449a1027c1f63f310N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	161db86eb5f9237449a1027c1f63f310N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

161db86eb5f9237449a1027c1f63f310N.exe

description	pid	process	target process
PID 3632 wrote to memory of 772	3632	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 3632 wrote to memory of 772	3632	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 3632 wrote to memory of 772	3632	161db86eb5f9237449a1027c1f63f310N.exe	huter.exe
PID 3632 wrote to memory of 1476	3632	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe
PID 3632 wrote to memory of 1476	3632	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe
PID 3632 wrote to memory of 1476	3632	161db86eb5f9237449a1027c1f63f310N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe
"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
c0d0014cbb2dab1f19018c9a684932cd

SHA1
070a9bf13ffe41026a2e02b91c27535ffe09085f

SHA256
6ad7cd2f528bc3f711d5b95ce5738b1af8263e7c24c0c630a5007da8f2430519

SHA512
e5375192b24f647dbc195299b274aed2ad3efe49696dc315309b7331ab49f0c3ebb2c809d4848ecb6dee80322e52ef21e4fd20000471531e96a38631d35a7290

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
5334015acd267d9ce6e95138f9ed96b2

SHA1
5f0c2ba5938255d9fe446a438a61f37c361fa48d

SHA256
e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9

SHA512
3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8

Download Submit
memory/772-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/772-29-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3632-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3632-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads