urelas | 47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1

Analysis

max time kernel
117s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
Size

6.5MB
MD5

79f12fa6314518f39a168d7283283580
SHA1

80b5395e66950b3d89be7ab10e178893918f5062
SHA256

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1
SHA512

77e16c30ca3e172536fb22f99da3f1f39d119aaf4596be883c6af181b703fa360343bd55e97af9817301862b9dcd4e5bad1eff18addaae899e259332cb7eab4e
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSX:i0LrA2kHKQHNk3og9unipQyOaOX

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exeaghyu.exehuhida.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	aghyu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	huhida.exe

Executes dropped EXE 3 IoCs

Processes:

aghyu.exehuhida.exeryqob.exe

pid	Process
2232	aghyu.exe
1436	huhida.exe
116	ryqob.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000a000000023cc2-66.dat	upx
behavioral2/memory/116-71-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/116-77-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exehuhida.exeryqob.execmd.exe47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exeaghyu.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huhida.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryqob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aghyu.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exeaghyu.exehuhida.exeryqob.exe

pid	Process
1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
2232	aghyu.exe
2232	aghyu.exe
1436	huhida.exe
1436	huhida.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe
116	ryqob.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exeaghyu.exehuhida.exe

description	pid	Process	procid_target
PID 1076 wrote to memory of 2232	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	89
PID 1076 wrote to memory of 2232	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	89
PID 1076 wrote to memory of 2232	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	89
PID 1076 wrote to memory of 1836	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	90
PID 1076 wrote to memory of 1836	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	90
PID 1076 wrote to memory of 1836	1076	47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe	90
PID 2232 wrote to memory of 1436	2232	aghyu.exe	92
PID 2232 wrote to memory of 1436	2232	aghyu.exe	92
PID 2232 wrote to memory of 1436	2232	aghyu.exe	92
PID 1436 wrote to memory of 116	1436	huhida.exe	104
PID 1436 wrote to memory of 116	1436	huhida.exe	104
PID 1436 wrote to memory of 116	1436	huhida.exe	104
PID 1436 wrote to memory of 3172	1436	huhida.exe	105
PID 1436 wrote to memory of 3172	1436	huhida.exe	105
PID 1436 wrote to memory of 3172	1436	huhida.exe	105

C:\Users\Admin\AppData\Local\Temp\47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe
"C:\Users\Admin\AppData\Local\Temp\47eb4a0540ac6eb96615cd6a4c692b7d9f74053dc1e86eaf7579b3d1d7c1c4b1N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\aghyu.exe
  "C:\Users\Admin\AppData\Local\Temp\aghyu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\huhida.exe
    "C:\Users\Admin\AppData\Local\Temp\huhida.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\ryqob.exe
      "C:\Users\Admin\AppData\Local\Temp\ryqob.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0acb0f4f4bbfcc19acab9b18ecdf7c0b

SHA1
c3edab516b4f10b2fe71eb1f8ec006f3a3e2ba6d

SHA256
aeb1247e9c7b78e92e7656e384fec2987245541bb9cb4c58445f4f6b46a94c09

SHA512
f5a22e0e0ff463c102745703f64ecfa1af6bfbd216dc8c6d498b326fe1c13f80bf2eee3d4a6a77f1e41644bf4807e754a90511f12d597935d549a979d74b7dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
0e2a0079c51cf92fb86e8cda09e6ed54

SHA1
46c319a2fcf1b1d1f3b68c0b80691fd81bfa4dbe

SHA256
f15d8577eb0d582ce2f5b0817bad753dae89428e80c571b6f834ed75d944d54e

SHA512
f5518209dc6aea1424d4258d69375cee33e0e728df00c23eba1356fed25ea623aa06ad4ba155fc7755b9c0f769440ef2658d41d21d0063d536f842906e873a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\aghyu.exe

Filesize
6.5MB

MD5
9a7a95ba5e2f4f450e9c10e0566a589c

SHA1
fd618cb20b29139573f9235f7450bd862ce59149

SHA256
671ec7687f3bf2c1a8c4702c4643635456ca5ff45b0f540c78bc711b8f11934e

SHA512
cf580102dc8cde553a369e12f68640bbbacdb7be59dc212dcebd048eb0430cd02fd8e37b3dc53ef0670edda9e6b428f52d9de1922de14ab683e63ef0a3cd7394

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3423fec0f69fc6d1ff91884f7bdd1ce6

SHA1
75ce5afdfbece6c28581a0e788a25a4731d7e1a9

SHA256
e0abbb96a908076045f558454a3fb85fc9ebdcc2548c6f885dc6ddaf18d994d3

SHA512
dc3cf2783e18ff0e5049f829245a0f9df10b527ee0f8f15ba1a4610b4dea6a82e9c335c22ec6bed8625a9a250846544aed0dd1ad8c4b4c3fd3f542d204c0a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryqob.exe

Filesize
459KB

MD5
3f7d0c8bd2ba0eb3a2f1c1de702bb716

SHA1
7ac15bed150e7e1ac20e844f32c043fd75b02d6a

SHA256
7a1df6bdc84a31e30911b37619bc6fc9e8820ece1cccc0ac7c73eef857ce7e29

SHA512
1dadeb7ef5f3e76ca6a66e462f5dc2eff1778e918c470de8fffcfbfbc0ec799bf755ecade4c625cacbd7b7c23256244dde35a39614b9679285f582f0c0f9c451

Download Submit
memory/116-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/116-77-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1076-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-2-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1076-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/1076-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1076-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/1076-1-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1076-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/1076-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/1076-11-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1076-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1076-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1076-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-54-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1436-55-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1436-74-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-51-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1436-53-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1436-50-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1436-57-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1436-56-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2232-34-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/2232-32-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/2232-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-33-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2232-29-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2232-30-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2232-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-31-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2232-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2232-35-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2232-27-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download