urelas | 5e5c02c531739d8ba66ce5aa431e4443c2d5178a87ad6d957a566b418c445913

General

Target

712e479001a3b483063b6a4d4b5964d0N.exe
Size

84KB
MD5

712e479001a3b483063b6a4d4b5964d0
SHA1

11e47965cf00426997d9f569178c53fcf674a9c2
SHA256

5e5c02c531739d8ba66ce5aa431e4443c2d5178a87ad6d957a566b418c445913
SHA512

a7e6a89ad4d0014370621b45725cd64a40ddb42d30dd7c10bb4b22f5a232e3c3265a80b1be6b9dd0a9d7130642452873ab1b9c1b2e8db00fb51e96df49985045
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURd:JznH976dUCnuniDB

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2456 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

huter.exe

pid process

544 huter.exe
Loads dropped DLL 1 IoCs

Processes:

712e479001a3b483063b6a4d4b5964d0N.exe

pid process

2992 712e479001a3b483063b6a4d4b5964d0N.exe

pid	process
2456	cmd.exe

pid	process
544	huter.exe

pid	process
2992	712e479001a3b483063b6a4d4b5964d0N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2992-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\huter.exe	upx
behavioral1/memory/544-16-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2992-18-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/544-21-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/544-23-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/544-30-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

712e479001a3b483063b6a4d4b5964d0N.exehuter.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	712e479001a3b483063b6a4d4b5964d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

712e479001a3b483063b6a4d4b5964d0N.exe

description	pid	process	target process
PID 2992 wrote to memory of 544	2992	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 2992 wrote to memory of 544	2992	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 2992 wrote to memory of 544	2992	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 2992 wrote to memory of 544	2992	712e479001a3b483063b6a4d4b5964d0N.exe	huter.exe
PID 2992 wrote to memory of 2456	2992	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe
PID 2992 wrote to memory of 2456	2992	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe
PID 2992 wrote to memory of 2456	2992	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe
PID 2992 wrote to memory of 2456	2992	712e479001a3b483063b6a4d4b5964d0N.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe
"C:\Users\Admin\AppData\Local\Temp\712e479001a3b483063b6a4d4b5964d0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
276B

MD5
f938d0796f9bc8a9a5d2d746e9b1b373

SHA1
bb37010a8cb00fdc6709dba3cb29f16b2b86a2c5

SHA256
5f666132f16a5fa4b91310258545cb0446b16ac65130dfa10547ce3329e0c3a4

SHA512
de56e12498f652170ae03dc49ef04f185ff50f5cce30ed1fee4cc4af4c5a76f6b6667ab1cde19886034395f040362cda6b730ded8e12f95127e9b50059222a2c

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
84KB

MD5
5b7c1ae80db04788ea629c036d2d10f1

SHA1
eff59c2afa0a1b6db5c87b630be29de760302f59

SHA256
720afa038c2685de8071cf78f498c7fe536bf59fac3bfed9cce4d7d738b65de7

SHA512
24a0c2a0b4b4be8ed450996ab29968ab3ec2f5da064d8b41a49b2004beea400c2490dc598a31c351c18fe595ddbb943a5b3ada285d6b2821cb7e5e4ee6f5be19

Download Submit
memory/544-16-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-21-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-23-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/544-30-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2992-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2992-15-0x0000000001E80000-0x0000000001EB1000-memory.dmp

Filesize
196KB

Download
memory/2992-18-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads