urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

Analysis

max time kernel
152s
max time network
93s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2848 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

luteo.exebovero.exeyhjub.exe

pid process

2428 luteo.exe
1692 bovero.exe
1704 yhjub.exe

pid	process
2848	cmd.exe

pid	process
2428	luteo.exe
1692	bovero.exe
1704	yhjub.exe

Loads dropped DLL 5 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exeluteo.exebovero.exe

pid	process
1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2428	luteo.exe
2428	luteo.exe
1692	bovero.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\yhjub.exe	upx
behavioral1/memory/1704-162-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1692-160-0x0000000004320000-0x00000000044B9000-memory.dmp	upx
behavioral1/memory/1704-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeluteo.exebovero.exeyhjub.execmd.exef5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luteo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bovero.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhjub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exeluteo.exebovero.exeyhjub.exe

pid	process
1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
2428	luteo.exe
1692	bovero.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe
1704	yhjub.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exeluteo.exebovero.exe

description	pid	process	target process
PID 1268 wrote to memory of 2428	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	luteo.exe
PID 1268 wrote to memory of 2428	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	luteo.exe
PID 1268 wrote to memory of 2428	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	luteo.exe
PID 1268 wrote to memory of 2428	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	luteo.exe
PID 1268 wrote to memory of 2848	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 1268 wrote to memory of 2848	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 1268 wrote to memory of 2848	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 1268 wrote to memory of 2848	1268	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe	cmd.exe
PID 2428 wrote to memory of 1692	2428	luteo.exe	bovero.exe
PID 2428 wrote to memory of 1692	2428	luteo.exe	bovero.exe
PID 2428 wrote to memory of 1692	2428	luteo.exe	bovero.exe
PID 2428 wrote to memory of 1692	2428	luteo.exe	bovero.exe
PID 1692 wrote to memory of 1704	1692	bovero.exe	yhjub.exe
PID 1692 wrote to memory of 1704	1692	bovero.exe	yhjub.exe
PID 1692 wrote to memory of 1704	1692	bovero.exe	yhjub.exe
PID 1692 wrote to memory of 1704	1692	bovero.exe	yhjub.exe
PID 1692 wrote to memory of 1720	1692	bovero.exe	cmd.exe
PID 1692 wrote to memory of 1720	1692	bovero.exe	cmd.exe
PID 1692 wrote to memory of 1720	1692	bovero.exe	cmd.exe
PID 1692 wrote to memory of 1720	1692	bovero.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\luteo.exe
  "C:\Users\Admin\AppData\Local\Temp\luteo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\bovero.exe
    "C:\Users\Admin\AppData\Local\Temp\bovero.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\yhjub.exe
      "C:\Users\Admin\AppData\Local\Temp\yhjub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9254c976ccde302c429d767f55f7f19f

SHA1
c71a23efe159e5ea85fea5a2cf6afd8e1517cba8

SHA256
6f0798d6844c1c3cb90c8f0c42a9144e0e16554c3b9c9ccc1ffcdf1532fa5266

SHA512
6f35f00e01a39281fe93cb1d9231a430c80a656ef28e336632f1f831dfc45464b1c2a4392872e5d0c7804920ad3787b74ff76fb22c6de986896907945b08d66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
99c774238dde8dcabbcbd9218b3186a0

SHA1
db3cc894f3457dd2a28d2bf15c63159c4c8b634e

SHA256
cbe3415c7e081687de8473980ee98e6271e9b9fc9a07c91d1ea3858ba29b270e

SHA512
6863c40cd29af1e5074269dbd77e493ebc527a4e065166a55abeee892cbf121cf22cbda37f5cf3f92e4bcf1a86b82db95f0312f51f1e69482570b9b212bd6430

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
dc39f354c009258f49e888603b2b8c35

SHA1
61512da47ca3fd4aa87cec50b26619f31a1b70c5

SHA256
35c422bd6d2286e4b71153f7c84e3e3cf280079145e274a571b9ab4dfa090504

SHA512
5b06942a1d6a0c85e15e94c02e244045043eb128bf48ee1e0b550e727cae1b9cb5f3fd5828b4147ce133b1f2d9de0052f1642a38ecdc34ffb73e3d76527ac97d

Download Submit
\Users\Admin\AppData\Local\Temp\luteo.exe

Filesize
6.5MB

MD5
66403b50b0c6500c1b7f4586ee9b1a2a

SHA1
a67130fa66ec77b7f8b3d58427eca9e138ab2a9c

SHA256
18e10a98ef453760568ea1ed2b8226ce4432b7d5ede5a6218c7889ef38562cfa

SHA512
b315ddf7fb53fc88fafee85aa6aeb17ebb30aae7bad1fa0410b9cd09cd5820ceae6bd496afcf10b12a34efce5fef12d64931b95dea7ea4d01ba2ec3d65dd8a5f

Download Submit
\Users\Admin\AppData\Local\Temp\yhjub.exe

Filesize
459KB

MD5
4d3134b18331829c0158fd8802534e0c

SHA1
2bcac2a928bb77e4170abe414eda846a82c4c1e4

SHA256
1fd6bf6467563b1b44f0e5d389da98fe57ac560e76fb1fadf4b6545fd3ca2f9f

SHA512
57b27f1cc7638173698c209f15ef8e9da4e43971c53f3529bbf35f922d3590d467863bd475c0c94ea9141c265874b4e5b10ee0051676aeb504aee15c5fcee159

Download Submit
memory/1268-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-24-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1268-19-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1268-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1268-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1268-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1268-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1268-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1268-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1268-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-3-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1268-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1268-31-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1268-51-0x0000000003C20000-0x000000000470C000-memory.dmp

Filesize
10.9MB

Download
memory/1268-53-0x0000000003C20000-0x000000000470C000-memory.dmp

Filesize
10.9MB

Download
memory/1268-26-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1268-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1268-74-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1268-21-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1268-29-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1268-36-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1268-34-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1692-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1692-160-0x0000000004320000-0x00000000044B9000-memory.dmp

Filesize
1.6MB

Download
memory/1692-152-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1704-162-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1704-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2428-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2428-77-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2428-112-0x0000000003DA0000-0x000000000488C000-memory.dmp

Filesize
10.9MB

Download
memory/2428-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2428-79-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2428-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2428-84-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2428-87-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2428-89-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2428-66-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2428-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2428-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download