urelas | 13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2

General

Target

13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
Size

6.5MB
MD5

2d79ee62a77a440231513194bf879df1
SHA1

7a59cfc09fe94cd52d514d048b29e133b0c0b48d
SHA256

13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2
SHA512

854ce542f42bb05d638d121afdfb25dce43459b1f189764e8942286e4f88e374845ec1c2ae315d172b03849022244fc8914b5b9b21ef223776d18ad3f9cbcb24
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSW:i0LrA2kHKQHNk3og9unipQyOaOW

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	vaorh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	cijenu.exe

Executes dropped EXE 3 IoCs

pid	Process
344	vaorh.exe
5060	cijenu.exe
3120	riery.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cbe-64.dat	upx
behavioral2/memory/3120-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/3120-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vaorh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cijenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
344	vaorh.exe
344	vaorh.exe
5060	cijenu.exe
5060	cijenu.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe
3120	riery.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 344	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	86
PID 2480 wrote to memory of 344	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	86
PID 2480 wrote to memory of 344	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	86
PID 2480 wrote to memory of 4508	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	87
PID 2480 wrote to memory of 4508	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	87
PID 2480 wrote to memory of 4508	2480	13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe	87
PID 344 wrote to memory of 5060	344	vaorh.exe	90
PID 344 wrote to memory of 5060	344	vaorh.exe	90
PID 344 wrote to memory of 5060	344	vaorh.exe	90
PID 5060 wrote to memory of 3120	5060	cijenu.exe	102
PID 5060 wrote to memory of 3120	5060	cijenu.exe	102
PID 5060 wrote to memory of 3120	5060	cijenu.exe	102
PID 5060 wrote to memory of 3884	5060	cijenu.exe	103
PID 5060 wrote to memory of 3884	5060	cijenu.exe	103
PID 5060 wrote to memory of 3884	5060	cijenu.exe	103

C:\Users\Admin\AppData\Local\Temp\13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\13c8f3037f5b844b11225099d04caf929c2beb823ce7b8c019cf7abc56a9f1c2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\vaorh.exe
  "C:\Users\Admin\AppData\Local\Temp\vaorh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Local\Temp\cijenu.exe
    "C:\Users\Admin\AppData\Local\Temp\cijenu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\riery.exe
      "C:\Users\Admin\AppData\Local\Temp\riery.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
74e484a662a0babd387f1ae5789551ec

SHA1
2f931a3d3615d900a2c3cadc75e4f5c252b3ff48

SHA256
2e71d7aa4b45ff6ca4f774eac9cc9e8e1974febfb3b172e087974422bb6d7333

SHA512
cbf27c08a7537b865de13f6f3f9de48bc809228d1921b8ce0803bbf86b8b7f172cff06774c5cd9a2e70651c6925f93b3b854c8e67c02a77bf41d1e7e656e6590

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
bb70b202da775f2135411d06ccc00ddf

SHA1
133a03e7e2a2530996e150782b3b3684e92ce30b

SHA256
c19a99462c9c073710b23c5396a381dd7b72de7cd127180f7309ee4048acde59

SHA512
f36afb40f10954d3e5f33dd45e0681b24a3141ed1054dccc5f9c0cbf98133dca6681aa9f6bc15f1d4a1af62de495aa3a2435434637f66b2f98ddbf153d66420a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d2724c5d02ae3bd3db9140bca62ff1f9

SHA1
f75ca8dbc0e659246e9cce7f71921327e38cc34c

SHA256
80bbb8c8c1fe0a3bf491100b22bb394c751f51f0b1321fd360e668bab20d967d

SHA512
2e7228b60f86bdb09d48e0e202d461b1d782308a99c3f53e7104034971d4bebcc8509044bbc7d6aa6b8e93256e6a7a1b1090dbdc4e90209752b5d0d1f6bbd908

Download Submit
C:\Users\Admin\AppData\Local\Temp\riery.exe

Filesize
459KB

MD5
c630a44bda585f3a992d017a2dc64375

SHA1
9c705ff908a3f7ddf2ed29772272ed82fcb19665

SHA256
942b8b66f88d2b7f532c1ad8e5cbd0f9b7bce3ab7cca045a219a7ddb4e1d5888

SHA512
69ff3cde6f0d65b76955a56d5186180ba9076bec238e340297c6d05984b7720aa8996640b652d0148371cbfc84aed2e4d80283fa4af76eaa557a5558ca7506ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaorh.exe

Filesize
6.5MB

MD5
3d84d5891331fb84da5f9f2a12eb6546

SHA1
9b7c0bd5efe18723840b5044cbd1725a69c9a7e9

SHA256
3c3173a0fc5838d9406ae8dc53aaaffe09f768922281c7563cb8ce26432e1762

SHA512
911a3272d97d98831dfcf5eabe2af7306a65831e00a3732b64d376ab113494e95ec03fdba6bad95f80400fbac688c429f133c43c3b4d7c7a5d4fdf0fb709f9de

Download Submit
memory/344-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/344-30-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/344-31-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/344-32-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/344-33-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/344-34-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/344-29-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/344-35-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/344-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/344-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/344-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2480-2-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2480-5-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/2480-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2480-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2480-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2480-3-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/2480-4-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/2480-11-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2480-6-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2480-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2480-7-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2480-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2480-8-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2480-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3120-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3120-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/5060-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/5060-50-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/5060-49-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/5060-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5060-51-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/5060-52-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/5060-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/5060-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/5060-55-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/5060-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing