urelas | 6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e

Analysis

max time kernel
119s
max time network
77s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb9108d709a49a0ac3184418b0b2a450N.exe
Size

6.5MB
MD5

bb9108d709a49a0ac3184418b0b2a450
SHA1

b2f4bb601ac7ed99564eb76e61403deeb86158b3
SHA256

6a5c3542e1f68e12b4f135585bb132ce42e1d82f102728f221f651cb0e9bac8e
SHA512

310a2a6884751a59f5378e0f416a7b99a2408ad89575e00c008a54f22b6f04caa54508c4cce2624ddf0ea1fa32895bf5b28dacbb1ba5a641ef9ededb402192d2
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSu:i0LrA2kHKQHNk3og9unipQyOaOu

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2860 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

teuzr.exevyowej.exetokus.exe

pid process

408 teuzr.exe
2648 vyowej.exe
1684 tokus.exe
Loads dropped DLL 5 IoCs

Processes:

bb9108d709a49a0ac3184418b0b2a450N.exeteuzr.exevyowej.exe

pid process

2308 bb9108d709a49a0ac3184418b0b2a450N.exe
2308 bb9108d709a49a0ac3184418b0b2a450N.exe
408 teuzr.exe
408 teuzr.exe
2648 vyowej.exe

pid	process
2860	cmd.exe

pid	process
408	teuzr.exe
2648	vyowej.exe
1684	tokus.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\tokus.exe	upx
behavioral1/memory/2648-162-0x0000000004A10000-0x0000000004BA9000-memory.dmp	upx
behavioral1/memory/1684-164-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1684-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bb9108d709a49a0ac3184418b0b2a450N.execmd.exeteuzr.exevyowej.exetokus.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb9108d709a49a0ac3184418b0b2a450N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teuzr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyowej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tokus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bb9108d709a49a0ac3184418b0b2a450N.exeteuzr.exevyowej.exetokus.exe

pid	process
2308	bb9108d709a49a0ac3184418b0b2a450N.exe
408	teuzr.exe
2648	vyowej.exe
1684	tokus.exe
1684	tokus.exe
1684	tokus.exe
1684	tokus.exe
1684	tokus.exe
1684	tokus.exe
1684	tokus.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bb9108d709a49a0ac3184418b0b2a450N.exeteuzr.exevyowej.exe

description	pid	process	target process
PID 2308 wrote to memory of 408	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	teuzr.exe
PID 2308 wrote to memory of 408	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	teuzr.exe
PID 2308 wrote to memory of 408	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	teuzr.exe
PID 2308 wrote to memory of 408	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	teuzr.exe
PID 2308 wrote to memory of 2860	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	cmd.exe
PID 2308 wrote to memory of 2860	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	cmd.exe
PID 2308 wrote to memory of 2860	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	cmd.exe
PID 2308 wrote to memory of 2860	2308	bb9108d709a49a0ac3184418b0b2a450N.exe	cmd.exe
PID 408 wrote to memory of 2648	408	teuzr.exe	vyowej.exe
PID 408 wrote to memory of 2648	408	teuzr.exe	vyowej.exe
PID 408 wrote to memory of 2648	408	teuzr.exe	vyowej.exe
PID 408 wrote to memory of 2648	408	teuzr.exe	vyowej.exe
PID 2648 wrote to memory of 1684	2648	vyowej.exe	tokus.exe
PID 2648 wrote to memory of 1684	2648	vyowej.exe	tokus.exe
PID 2648 wrote to memory of 1684	2648	vyowej.exe	tokus.exe
PID 2648 wrote to memory of 1684	2648	vyowej.exe	tokus.exe
PID 2648 wrote to memory of 1632	2648	vyowej.exe	cmd.exe
PID 2648 wrote to memory of 1632	2648	vyowej.exe	cmd.exe
PID 2648 wrote to memory of 1632	2648	vyowej.exe	cmd.exe
PID 2648 wrote to memory of 1632	2648	vyowej.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe
"C:\Users\Admin\AppData\Local\Temp\bb9108d709a49a0ac3184418b0b2a450N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\teuzr.exe
  "C:\Users\Admin\AppData\Local\Temp\teuzr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Users\Admin\AppData\Local\Temp\vyowej.exe
    "C:\Users\Admin\AppData\Local\Temp\vyowej.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\tokus.exe
      "C:\Users\Admin\AppData\Local\Temp\tokus.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
e6b49eb79580575e0694517f00203669

SHA1
cd8fc2a65b6853a2223c4f471711179f9fdd6305

SHA256
949b7ff93077e3ec526dd5c7eae825f676b32b020e10a72123822515151ce6c9

SHA512
2866a31d8344e10a06c48a8b3a1dee9bcf79e1025d93cfa79ed8c81076248788f2d2d2a97d527b133470fe877918fd01775a3b0255b90e5ba9def4b794a25fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
31138cca8cdd75c0cb5b82357b465987

SHA1
7a4bd4989a4056c7891b6da44aa19ec9e055b155

SHA256
c8d084cf1cde1c714cd4edc8fc578a9f7c8bf0c6301c4f8a507d5198950bbdd4

SHA512
2dca974bd197d77ef2fdac2a9edf125c5bbdf40efc2f736af18dbba877bc6584c41af9748f6bec13a2aa506ccb8ec971bc16371c30edd7016682eac402f31c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55769237c9349ce4a2ae93e2c72335a3

SHA1
b93400a40645d874d21932cfa251201974ab6942

SHA256
7a37934c062a589a70d73009e7ceeb2ee2ea076fc07a6f1f1195b520a66827f2

SHA512
c60d055788c972ece620d22fa58d27eef47f1c99d43fe11b7b380c43ab3d7fd1e61e7bab419096062678e025b773213321659481dbc2678fab84ee95aeb6599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\teuzr.exe

Filesize
6.5MB

MD5
4022c2924531cca46c9d14b56def4b5b

SHA1
9e66875bff003caaaa95d0cd96a3f96b2f1c8ccd

SHA256
a61723caf40d132c6f309157f6e3b1c9d16791e34ff32bcde5962ae49707a7c8

SHA512
f80ae9507b2a22631a9399cf5c2ca093fd3bb702da18381b102e2399c7fc12a021fb12739b772656bc6dfa6756604e8d4410acee3b79bfb87973cf7505967364

Download Submit
\Users\Admin\AppData\Local\Temp\tokus.exe

Filesize
459KB

MD5
e11199b17a1744bad821df8fc5e633c8

SHA1
5a18705fd7b9e881162e44d4141ebb2aca9e9bd4

SHA256
c7c12a08dfc943ff9d422ed9cbfb4ea2b8f60c87b629168546a87d2f931c54eb

SHA512
ddc9d985f39c8a36506b11b8b95ebd10dadb6d48bad67ec371e4f2ac36b3be49418cfc966d55d22b63ee2a2882fc0dac621cac27a9acfd742c4079c2aa9949de

Download Submit
memory/408-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/408-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/408-116-0x00000000042D0000-0x0000000004DBC000-memory.dmp

Filesize
10.9MB

Download
memory/408-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/408-113-0x00000000042D0000-0x0000000004DBC000-memory.dmp

Filesize
10.9MB

Download
memory/408-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/408-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/408-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/408-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/408-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1684-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1684-164-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2308-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2308-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2308-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2308-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2308-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2308-52-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-53-0x0000000003FC0000-0x0000000004AAC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2308-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2308-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2308-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2308-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2308-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2308-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2308-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2308-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2308-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2308-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2308-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2308-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2308-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2308-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2308-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2648-162-0x0000000004A10000-0x0000000004BA9000-memory.dmp

Filesize
1.6MB

Download