urelas | 7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Size

6.5MB
MD5

5a0997fb887c620d2815135e9a8f9e00
SHA1

b60b295c2ee512364978eb9d0dad3de46ab91a80
SHA256

7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47
SHA512

99eaa2bd1e12fa9f07458930e59b66fa5e9370983df605189c6b2dc147a2389c0bf668bed010512b432f705635fa071359dbd6ae499ee7653e2649a100b70b68
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSq:i0LrA2kHKQHNk3og9unipQyOaOq

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2728	fofum.exe
680	dovyru.exe
836	bodey.exe

Loads dropped DLL 5 IoCs

pid	Process
2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2728	fofum.exe
2728	fofum.exe
680	dovyru.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018728-159.dat	upx
behavioral1/memory/680-161-0x00000000049C0000-0x0000000004B59000-memory.dmp	upx
behavioral1/memory/836-165-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/836-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fofum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dovyru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bodey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
2728	fofum.exe
680	dovyru.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe
836	bodey.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2728	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2440 wrote to memory of 2728	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2440 wrote to memory of 2728	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2440 wrote to memory of 2728	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	30
PID 2440 wrote to memory of 2772	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2440 wrote to memory of 2772	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2440 wrote to memory of 2772	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2440 wrote to memory of 2772	2440	7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe	31
PID 2728 wrote to memory of 680	2728	fofum.exe	33
PID 2728 wrote to memory of 680	2728	fofum.exe	33
PID 2728 wrote to memory of 680	2728	fofum.exe	33
PID 2728 wrote to memory of 680	2728	fofum.exe	33
PID 680 wrote to memory of 836	680	dovyru.exe	35
PID 680 wrote to memory of 836	680	dovyru.exe	35
PID 680 wrote to memory of 836	680	dovyru.exe	35
PID 680 wrote to memory of 836	680	dovyru.exe	35
PID 680 wrote to memory of 276	680	dovyru.exe	36
PID 680 wrote to memory of 276	680	dovyru.exe	36
PID 680 wrote to memory of 276	680	dovyru.exe	36
PID 680 wrote to memory of 276	680	dovyru.exe	36

C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe
"C:\Users\Admin\AppData\Local\Temp\7a58a6437cd79cc23d9a1692c1749a474d2c33398d16744c57b04b3823407d47N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\fofum.exe
  "C:\Users\Admin\AppData\Local\Temp\fofum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\dovyru.exe
    "C:\Users\Admin\AppData\Local\Temp\dovyru.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Users\Admin\AppData\Local\Temp\bodey.exe
      "C:\Users\Admin\AppData\Local\Temp\bodey.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d9c9e0301922d456b4f21186a80d6e1b

SHA1
9571920e7c56908844fa8a8cbb9e1bc795cdbd31

SHA256
6f143dc1e691f78fea5b2ae7cc9501968e10e41fe60f418c8c8317ed173c4b33

SHA512
2c6af62a81cf68c7afebe1970e9b0838bde5ba6301d6e3f120721bba8c3525aadaed72aab32e1265000e34e87992fb21a21d22d64a3a785b4d2e51ae539da93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
aefef7aa7f0199676941b34c9df61960

SHA1
434c6975ecf2b18e57feb8c0d8b5e77cb744b8ea

SHA256
1da8dec5db869ff91420ce9c81579acbae649d5954905f91fb8987b0ff09eb79

SHA512
811b8508670f8680449aa1d13f1b7db5faeaf67cc228f34afa3f765df9582491b36a5df29518eff1290d616b1daddf41672aa57dd884831cda5a16a092ae2826

Download Submit
C:\Users\Admin\AppData\Local\Temp\fofum.exe

Filesize
6.5MB

MD5
6ff6f9984034db2ee1dc97a73400d20a

SHA1
0c4dea02579d76136196fe4790c535bcf644e876

SHA256
d1db274aa65aa005c38db26d24a92eeb0a21cea290c0d7f842f8ea261247937e

SHA512
249f43138a606faf72a4982be167947ced14e6d4525f224d674785434508522ae3ad072dc701ad56015a25b224178f360b8c39b6ff7ebf63ade7ba0c3a07c654

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9bc88b1ed142ffe43a9ce2ecda224dc7

SHA1
6339cf6c3f38e5fd1423e0cba16c8bf842eb698e

SHA256
1a622d60900e10b1584a3d64a4694e6df33b7f1d4a6d6e3e4e614e0275c2d42e

SHA512
d98328cd76075aad2a14d19517678c7ab608fea975b2bd1fc52a0f9f256746cc5b9584e2520876b92a1fd86868a68ce7d3d45063ce6ffecb2b2939a997a6054c

Download Submit
\Users\Admin\AppData\Local\Temp\bodey.exe

Filesize
459KB

MD5
8466eff0fc13ca2d6d8f5cd475da07e3

SHA1
3130f5f4a139b78e2ecf0d3c670a1d69f29a7d24

SHA256
733ff36cc882e68f7c5fdcf90dd326abbf93c121b07f24d553faff90a39edc23

SHA512
7180cf919c23e1da7bb16ec96c40afce3aa6cfcce4eb76192fde6f0229b3462c59ab94dd94569f00d2728e7bee0a13ae29a06fbdfb45a1713999b53b8552809c

Download Submit
memory/680-155-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/680-174-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/680-161-0x00000000049C0000-0x0000000004B59000-memory.dmp

Filesize
1.6MB

Download
memory/836-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/836-165-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2440-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2440-20-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2440-18-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2440-15-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2440-13-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2440-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2440-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2440-8-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2440-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2440-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2440-28-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2440-25-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2440-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-61-0x0000000003E30000-0x000000000491C000-memory.dmp

Filesize
10.9MB

Download
memory/2440-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2440-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2440-23-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2440-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2440-35-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2440-33-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2440-30-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/2728-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-79-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2728-77-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2728-69-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2728-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2728-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2728-104-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2728-113-0x0000000004280000-0x0000000004D6C000-memory.dmp

Filesize
10.9MB

Download
memory/2728-82-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2728-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2728-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2728-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2728-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2728-117-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2728-115-0x0000000004280000-0x0000000004D6C000-memory.dmp

Filesize
10.9MB

Download