urelas | 957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4

General

Target

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
Size

1.1MB
MD5

1cd06da3cd3bca9f799fcc8df4fd76d0
SHA1

d24eef01099a4daa0c26b273baf541de2cf5f577
SHA256

957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4
SHA512

b4a285b5596a4e04ef650bd6fadb8abb32418a2cd3271e3a2b4d0f7d990130e932f33c6af25e0d549c857145c6fc5cb59b1fe221594f0495709d619bb05fe175
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Y1:tcykpY5852j6aJGl5cqB8

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	vasyj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	jujegi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe

Executes dropped EXE 3 IoCs

pid	Process
1468	vasyj.exe
3408	jujegi.exe
264	buydv.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023ce0-32.dat	upx
behavioral2/memory/264-39-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/264-43-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vasyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jujegi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buydv.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe
264	buydv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1468	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	86
PID 3508 wrote to memory of 1468	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	86
PID 3508 wrote to memory of 1468	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	86
PID 3508 wrote to memory of 3604	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	87
PID 3508 wrote to memory of 3604	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	87
PID 3508 wrote to memory of 3604	3508	957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe	87
PID 1468 wrote to memory of 3408	1468	vasyj.exe	89
PID 1468 wrote to memory of 3408	1468	vasyj.exe	89
PID 1468 wrote to memory of 3408	1468	vasyj.exe	89
PID 3408 wrote to memory of 264	3408	jujegi.exe	110
PID 3408 wrote to memory of 264	3408	jujegi.exe	110
PID 3408 wrote to memory of 264	3408	jujegi.exe	110
PID 3408 wrote to memory of 4816	3408	jujegi.exe	111
PID 3408 wrote to memory of 4816	3408	jujegi.exe	111
PID 3408 wrote to memory of 4816	3408	jujegi.exe	111

C:\Users\Admin\AppData\Local\Temp\957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe
"C:\Users\Admin\AppData\Local\Temp\957041f222e9267bb1f7fdbb4aed006e0dc4ba8c4922a07b43a55dc7fe2b17f4N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\vasyj.exe
  "C:\Users\Admin\AppData\Local\Temp\vasyj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\jujegi.exe
    "C:\Users\Admin\AppData\Local\Temp\jujegi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\buydv.exe
      "C:\Users\Admin\AppData\Local\Temp\buydv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
0745769dfcccc782a1be035c72ad5a80

SHA1
9eb4ee056290e078c9c4f0f90baf021f6f6918bb

SHA256
57ad03f6a04ee18621a62d12f077903c7f466498dfe4873fb64b0478fd3f470e

SHA512
64e2e54800767bf7b9049e4d3321174c2e49f5b8f1dae861eef3472993e2cdfbdbf4ccd3635329612b8c18068e99a715d02019b6652acd349e33d09533931d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
32b3adf8bbd2009a02d6fceedcf7ec09

SHA1
2a7e156c842cd506979232be042d9e6ad76d8494

SHA256
c6926ee52dbf3379ee9f9afa8817376c16d08ee9c423c9ee68229635bb54738d

SHA512
530db2077a555ea21b51d98736f84c54689935068bece63c82a8f3731b4c56159bb1368760f28fbb73a95b81a124c54bbe42791477384c20714ced7c10a5308b

Download Submit
C:\Users\Admin\AppData\Local\Temp\buydv.exe

Filesize
459KB

MD5
6550c55380861f75967b2d47af33c2da

SHA1
d701b617d704c4fbbb285896425219c3ec20fede

SHA256
2d4dd81fb1f1db55b4da0fad4f4b5a97a8a57f74deec41f9ab1f5d9e4febdafb

SHA512
1edb97310befc976513dca32163eae6b6f5f84323fca3408a4a64ea7807a11e2d80d21edb6d1bc2f571c0371896535192f0ad4852cb46cd170ab2978992a3c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c498b2f83d14afb258c68c3ae460e0f7

SHA1
cf0b825e6ada4ff310f559c0a9cc334c6e7bbe69

SHA256
d134b9307ec21e35b1bc75f81c2cf0d655e3002d4e9d9f5689222347927c0781

SHA512
2adcdef1476e6ad688d91fce0e375a0734ff38bfdd8a5a2eaff63e920b4efb51b4800eaa9687cc23cc3deefb19a81e2141c5e74183e7d2221848e82e56d3f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vasyj.exe

Filesize
1.1MB

MD5
c67ae8900016f2c0ddf69acfb17e9aed

SHA1
80405d7ad78b77a39690669e5c7029015620e352

SHA256
311b5fbc9abcc6c074d7c46f3f8f58f8f362ccce995abdc749a958e10ce06bac

SHA512
15dc4aca866582a567be8c7bcc6d227e26324abb530285f651e56a69f4ab07fc653fda94eb7bbcf9cc798cdfe9e6f69f4bb16cd83b29f25b3de718b862ef945f

Download Submit
memory/264-43-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/264-39-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1468-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1468-14-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3408-40-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3408-26-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3508-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/3508-15-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing