urelas | 47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1

General

Target

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
Size

6.5MB
MD5

79f12fa6314518f39a168d7283283580
SHA1

80b5395e66950b3d89be7ab10e178893918f5062
SHA256

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1
SHA512

77e16c30ca3e172536fb22f99da3f1f39d119aaf4596be883c6af181b703fa360343bd55e97af9817301862b9dcd4e5bad1eff18addaae899e259332cb7eab4e
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2576	qecum.exe
1616	lofapy.exe
900	quzue.exe

Loads dropped DLL 5 IoCs

pid	Process
3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
2576	qecum.exe
2576	qecum.exe
1616	lofapy.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0039000000018654-157.dat	upx
behavioral1/memory/900-163-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/900-175-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qecum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lofapy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quzue.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
2576	qecum.exe
1616	lofapy.exe
900	quzue.exe
900	quzue.exe
900	quzue.exe
900	quzue.exe
900	quzue.exe
900	quzue.exe
900	quzue.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2576	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	31
PID 3056 wrote to memory of 2576	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	31
PID 3056 wrote to memory of 2576	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	31
PID 3056 wrote to memory of 2576	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	31
PID 3056 wrote to memory of 2624	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	32
PID 3056 wrote to memory of 2624	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	32
PID 3056 wrote to memory of 2624	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	32
PID 3056 wrote to memory of 2624	3056	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	32
PID 2576 wrote to memory of 1616	2576	qecum.exe	34
PID 2576 wrote to memory of 1616	2576	qecum.exe	34
PID 2576 wrote to memory of 1616	2576	qecum.exe	34
PID 2576 wrote to memory of 1616	2576	qecum.exe	34
PID 1616 wrote to memory of 900	1616	lofapy.exe	36
PID 1616 wrote to memory of 900	1616	lofapy.exe	36
PID 1616 wrote to memory of 900	1616	lofapy.exe	36
PID 1616 wrote to memory of 900	1616	lofapy.exe	36
PID 1616 wrote to memory of 1208	1616	lofapy.exe	37
PID 1616 wrote to memory of 1208	1616	lofapy.exe	37
PID 1616 wrote to memory of 1208	1616	lofapy.exe	37
PID 1616 wrote to memory of 1208	1616	lofapy.exe	37

C:\Users\Admin\AppData\Local\Temp\47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
"C:\Users\Admin\AppData\Local\Temp\47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\qecum.exe
  "C:\Users\Admin\AppData\Local\Temp\qecum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\lofapy.exe
    "C:\Users\Admin\AppData\Local\Temp\lofapy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\quzue.exe
      "C:\Users\Admin\AppData\Local\Temp\quzue.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
0e2a0079c51cf92fb86e8cda09e6ed54

SHA1
46c319a2fcf1b1d1f3b68c0b80691fd81bfa4dbe

SHA256
f15d8577eb0d582ce2f5b0817bad753dae89428e80c571b6f834ed75d944d54e

SHA512
f5518209dc6aea1424d4258d69375cee33e0e728df00c23eba1356fed25ea623aa06ad4ba155fc7755b9c0f769440ef2658d41d21d0063d536f842906e873a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
25b5b4e074e19f66704de678f11a8616

SHA1
df65dd0f598c3f5470df9c6c7fb972e496213915

SHA256
5cd8f89e56d1608a47d29b21fbf04df3f7a6cfbc05b3587ef93b7da6a255c930

SHA512
6bd09166af6928b13581e36286541d28956bf0f98da4ad0f4193d9bd64e44d4c98eed223c3ba4f065dc566ea1b0b589d8694e06046ae26cbb740ba5ccc796617

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a508e38baf549f460bc03a7a809443c

SHA1
2fc5caf68f8fc5de0606e74ab0bbde3b47385ee4

SHA256
af883bd4f63c30e45f6131c97869aa4217d6ac260d8a2170797869199cee958d

SHA512
16a51b919b1fc2b0e597b0fddcd1322c008cf70bd632a54c27d51f564a6fed5155c40fb71a357f37c1cf9b534966d76659cfc4e7e43dbbf0adf2acf7edab8d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\qecum.exe

Filesize
6.5MB

MD5
ff8b8ee0b66a39fee1706e285b8ce729

SHA1
35273b2d0e7477c5b008ad152ceed0385c287e75

SHA256
eb115d4d8fa3faad7f84059f4bc51ed5919da33a5b28cefd8b6c920c4232cd0f

SHA512
448b2864106dd47dd9e34e47bf929f509deb3fed204c4b2d6963a05c09531e2d825c5ece986c5ed3c17ca284b3a5ed3269455273798b1dd0a5a001c0a38e2f42

Download Submit
\Users\Admin\AppData\Local\Temp\quzue.exe

Filesize
459KB

MD5
154ea4dbb949c2db621e9c5d431488ee

SHA1
01811b6d1df0317af59f86777f24c2d475b4c745

SHA256
f44ce1ab9fadffbfd39ae59de0fb31f6bc73359b33393568f14c5a9d2ba0d6d5

SHA512
25f3c3f851c1172da0215fb2dba92961358477572b514dd1d730b5b5bbb61c158db957e51fb0982ac290e42c1f858a5692536cb4872eb7507929f8ebfbd6ec42

Download Submit
memory/900-175-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/900-163-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1616-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1616-161-0x0000000004750000-0x00000000048E9000-memory.dmp

Filesize
1.6MB

Download
memory/1616-153-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-113-0x00000000042F0000-0x0000000004DDC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-52-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2576-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3056-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3056-37-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3056-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-51-0x0000000003E00000-0x00000000048EC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3056-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3056-53-0x0000000003E00000-0x00000000048EC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3056-99-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3056-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3056-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3056-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3056-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3056-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3056-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3056-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/3056-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3056-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3056-32-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3056-34-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/3056-36-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing