urelas | a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e

General

Target

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
Size

6.5MB
MD5

79890be584a693a9115d5daa6f1e02f0
SHA1

d5efa5308b9fa963ec06a83818331db6f2367ad4
SHA256

a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757e
SHA512

f2e06a398f0fe3a35ef2b06967866d9219d4be290b7e0748f078d0fafe04e16f0614d9df6f8f4ed0dd8a0420c11ef71cec703474d71c068fa38eace2efdf4090
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVS8r:i0LrA2kHKQHNk3og9unipQyOaOy

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	fofao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	nuhugo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe

Executes dropped EXE 3 IoCs

pid	Process
4448	fofao.exe
5068	nuhugo.exe
1968	nigoc.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023cd0-63.dat	upx
behavioral2/memory/1968-69-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/1968-74-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fofao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuhugo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
4448	fofao.exe
4448	fofao.exe
5068	nuhugo.exe
5068	nuhugo.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe
1968	nigoc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4448	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	85
PID 4804 wrote to memory of 4448	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	85
PID 4804 wrote to memory of 4448	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	85
PID 4804 wrote to memory of 4088	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	86
PID 4804 wrote to memory of 4088	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	86
PID 4804 wrote to memory of 4088	4804	a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe	86
PID 4448 wrote to memory of 5068	4448	fofao.exe	89
PID 4448 wrote to memory of 5068	4448	fofao.exe	89
PID 4448 wrote to memory of 5068	4448	fofao.exe	89
PID 5068 wrote to memory of 1968	5068	nuhugo.exe	109
PID 5068 wrote to memory of 1968	5068	nuhugo.exe	109
PID 5068 wrote to memory of 1968	5068	nuhugo.exe	109
PID 5068 wrote to memory of 3848	5068	nuhugo.exe	110
PID 5068 wrote to memory of 3848	5068	nuhugo.exe	110
PID 5068 wrote to memory of 3848	5068	nuhugo.exe	110

C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe
"C:\Users\Admin\AppData\Local\Temp\a52e0765ff3c2e76c172e781a86ea4ff46f0bd1e25afd69333d2475a2c56757eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\fofao.exe
  "C:\Users\Admin\AppData\Local\Temp\fofao.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Local\Temp\nuhugo.exe
    "C:\Users\Admin\AppData\Local\Temp\nuhugo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\nigoc.exe
      "C:\Users\Admin\AppData\Local\Temp\nigoc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
4013db77c4cd6307941364a9b7f8cbd8

SHA1
8a8ca494052ca6bf35eddcbd6689c3c2533776de

SHA256
23bec8f78ca92fee8d180e6583f1e7ab04c52fd19ee32e09fe0fa2e3d808fcbb

SHA512
08651253e50a01097a44041b00cb82a03dc3a9756f8bd6b227127b00c910eff8834eb1802bbcbc7e53aea57fc264c307609be1c5e8692525fabc27950736a554

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4c33ba54d18e61d02d88e9843e3a309a

SHA1
31dbe56a51f0e805e20d52d09cd2e4bc42cc112d

SHA256
6d61f907225f93378ea8a8f1df0f6a96e7907997cbc39becb8d4259367d218a2

SHA512
b8bbaaf98821882a00b10e6c67b8ce742816c13aa4a7f301522a6e67c876a8c740d1fb950b5bcebc48765ef84572a9ed4d88066d96e360f6683cb8e8b16df50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fofao.exe

Filesize
6.5MB

MD5
2180eb1e8cdff51a8a8959b2759d47ec

SHA1
2fa7d31664e7f908e399c2e7fbfec293b1638b89

SHA256
4f0632242469dbc162d438b4aa7c3360d62c66a6f7d868dcb195b0b56ac19a5e

SHA512
11d1d1d77c2d67ff46f1947091437d165b444196611a6ed7f798def69cd93ffcf28b63566b09bbb6ee04293880b9a06aa5a8718f7476885226e03b9c9c8b0558

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
86a7f8b54a8a2c6dade76516d9023441

SHA1
29f4d2bb0afbea30be1b317e7c65577e52310e69

SHA256
74af7e057de999bacad60b66f63d568bf63f7662c469f67239381c9fe21a79a1

SHA512
7e4a9e54c6954e2569292e90e3f2a32afefacff80bb59c96ac18d3a5f471bc0ef6363dd2bdb6e41bf19a705851404e8f49406cccf659a6fe4a2783029dd945a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nigoc.exe

Filesize
459KB

MD5
897775aa9fce5efbc2daf1461fe46c2b

SHA1
0a3dcc436f05663cb8b4d69679df6d77b157d226

SHA256
cb75ee9e6117ef2ab98cfac1d298a4885606748b5bc6768b6605bc10deb6a232

SHA512
031fe902df35c38fb99cb8413dbd96c514020297e924006c6bf71d5f583de772d2641b6294907be29f02dd944567c7f7da66ea571a2f8ca08fdfe9b6cc771f61

Download Submit
memory/1968-74-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1968-69-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4448-29-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/4448-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4448-31-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/4448-34-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/4448-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4448-32-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/4448-33-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/4448-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/4448-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4448-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4448-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4804-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4804-8-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/4804-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4804-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4804-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4804-2-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4804-3-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4804-5-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/4804-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4804-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4804-4-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/4804-6-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/4804-7-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/5068-55-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5068-54-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing