urelas | 13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/10/2024, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
Size

6.5MB
MD5

2d79ee62a77a440231513194bf879df1
SHA1

7a59cfc09fe94cd52d514d048b29e133b0c0b48d
SHA256

13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2
SHA512

854ce542f42bb05d638d121afdfb25dce43459b1f189764e8942286e4f88e374845ec1c2ae315d172b03849022244fc8914b5b9b21ef223776d18ad3f9cbcb24
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2748	sunoe.exe
2176	ohmori.exe
2436	zatue.exe

Loads dropped DLL 5 IoCs

pid	Process
2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
2748	sunoe.exe
2748	sunoe.exe
2176	ohmori.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001653a-157.dat	upx
behavioral1/memory/2436-170-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2176-161-0x0000000004980000-0x0000000004B19000-memory.dmp	upx
behavioral1/memory/2436-175-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohmori.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zatue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sunoe.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
2748	sunoe.exe
2176	ohmori.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe
2436	zatue.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2748	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	30
PID 2312 wrote to memory of 2748	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	30
PID 2312 wrote to memory of 2748	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	30
PID 2312 wrote to memory of 2748	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	30
PID 2312 wrote to memory of 2640	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	31
PID 2312 wrote to memory of 2640	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	31
PID 2312 wrote to memory of 2640	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	31
PID 2312 wrote to memory of 2640	2312	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	31
PID 2748 wrote to memory of 2176	2748	sunoe.exe	33
PID 2748 wrote to memory of 2176	2748	sunoe.exe	33
PID 2748 wrote to memory of 2176	2748	sunoe.exe	33
PID 2748 wrote to memory of 2176	2748	sunoe.exe	33
PID 2176 wrote to memory of 2436	2176	ohmori.exe	35
PID 2176 wrote to memory of 2436	2176	ohmori.exe	35
PID 2176 wrote to memory of 2436	2176	ohmori.exe	35
PID 2176 wrote to memory of 2436	2176	ohmori.exe	35
PID 2176 wrote to memory of 1752	2176	ohmori.exe	36
PID 2176 wrote to memory of 1752	2176	ohmori.exe	36
PID 2176 wrote to memory of 1752	2176	ohmori.exe	36
PID 2176 wrote to memory of 1752	2176	ohmori.exe	36

C:\Users\Admin\AppData\Local\Temp\13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\sunoe.exe
  "C:\Users\Admin\AppData\Local\Temp\sunoe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\ohmori.exe
    "C:\Users\Admin\AppData\Local\Temp\ohmori.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\zatue.exe
      "C:\Users\Admin\AppData\Local\Temp\zatue.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
57a93caee9ce94fb158feb1bc6933b88

SHA1
6c9b916e13e30b3cf3df151f1b38890ce73134b3

SHA256
127cd8a8db56f85d29b1cdc2e41416f41037485a3ae0ee6036469fc7980c5e76

SHA512
a78fa30ac514a9fe1febdeaec2d1757b79e486822bf199241ea95fa22f01178615e5df184418d31d112c0448828ccb9c47c5eaaa6bdf788e447137a81f31de17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
74e484a662a0babd387f1ae5789551ec

SHA1
2f931a3d3615d900a2c3cadc75e4f5c252b3ff48

SHA256
2e71d7aa4b45ff6ca4f774eac9cc9e8e1974febfb3b172e087974422bb6d7333

SHA512
cbf27c08a7537b865de13f6f3f9de48bc809228d1921b8ce0803bbf86b8b7f172cff06774c5cd9a2e70651c6925f93b3b854c8e67c02a77bf41d1e7e656e6590

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
67e6e1618cd7e27c8bcf256c56c6f8b8

SHA1
120210bc2ed819503109369709acf6ba78b780f3

SHA256
9f695c722e61f7e1676946fed24cf7e2e92af3a2f5af42eb31efafba278b8533

SHA512
d78548fc3411e56c4945be3b90a36057c509f5b12192a6beaae7afa0aa06bf4cd4cb8b2d869c31213053273e1651d7d348f446407686c4921720d45c19fb8382

Download Submit
C:\Users\Admin\AppData\Local\Temp\sunoe.exe

Filesize
6.5MB

MD5
2befa346038a3fbdef21b64aa387eadc

SHA1
e88957113747adbf77542de0ada6ec45355d188f

SHA256
ae6e5e09b98d6924cab6f59fe1f50259e711c8c4aba9b683386865fdfa1d377a

SHA512
4f9de4997f3e6b17e8b89f2b797f3da93c1894dd29f3a86075f532b4a9b04e364c9bc1cc714e38fd8e742e1e56187a86a9b0be1f8da4e73bcf4124fd78f6e48f

Download Submit
\Users\Admin\AppData\Local\Temp\zatue.exe

Filesize
459KB

MD5
57304859caf5ddd52bf156b0e93d4c85

SHA1
b8aa82e313d27918d0925756fdb920895baf0ac2

SHA256
7dfead075bb74bc03e48bdca3d35e74b53eb56db9e425a6fbb4be4dd595f6ae2

SHA512
f1f25a0b9a11db1895af80ad58862050161203106260cdbbed371cca085d148f113b40b221ad78681b88427d295001998ce2d367e56b7e5bfa1e767d7dc5d08b

Download Submit
memory/2176-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2176-161-0x0000000004980000-0x0000000004B19000-memory.dmp

Filesize
1.6MB

Download
memory/2176-153-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-59-0x0000000003D00000-0x00000000047EC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-20-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2312-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2312-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2312-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2312-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2312-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2312-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2312-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2312-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2312-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2312-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-43-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2312-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2312-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2312-62-0x0000000003D00000-0x00000000047EC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-64-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2312-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2312-18-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2312-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2312-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2312-35-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2312-33-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2436-170-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2436-175-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2748-70-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2748-78-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2748-75-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-112-0x0000000004320000-0x0000000004E0C000-memory.dmp

Filesize
10.9MB

Download
memory/2748-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2748-80-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2748-83-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2748-85-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2748-88-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2748-90-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2748-68-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2748-73-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2748-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download