urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2140	fepex.exe
1744	xahiqu.exe
1052	omqoi.exe

Loads dropped DLL 5 IoCs

pid	Process
2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
2140	fepex.exe
2140	fepex.exe
1744	xahiqu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015d5b-159.dat	upx
behavioral1/memory/1052-165-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1744-163-0x0000000004760000-0x00000000048F9000-memory.dmp	upx
behavioral1/memory/1052-177-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fepex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xahiqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omqoi.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
2140	fepex.exe
1744	xahiqu.exe
1052	omqoi.exe
1052	omqoi.exe
1052	omqoi.exe
1052	omqoi.exe
1052	omqoi.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2140	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	30
PID 2384 wrote to memory of 2140	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	30
PID 2384 wrote to memory of 2140	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	30
PID 2384 wrote to memory of 2140	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	30
PID 2384 wrote to memory of 2656	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	31
PID 2384 wrote to memory of 2656	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	31
PID 2384 wrote to memory of 2656	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	31
PID 2384 wrote to memory of 2656	2384	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	31
PID 2140 wrote to memory of 1744	2140	fepex.exe	33
PID 2140 wrote to memory of 1744	2140	fepex.exe	33
PID 2140 wrote to memory of 1744	2140	fepex.exe	33
PID 2140 wrote to memory of 1744	2140	fepex.exe	33
PID 1744 wrote to memory of 1052	1744	xahiqu.exe	35
PID 1744 wrote to memory of 1052	1744	xahiqu.exe	35
PID 1744 wrote to memory of 1052	1744	xahiqu.exe	35
PID 1744 wrote to memory of 1052	1744	xahiqu.exe	35
PID 1744 wrote to memory of 1028	1744	xahiqu.exe	36
PID 1744 wrote to memory of 1028	1744	xahiqu.exe	36
PID 1744 wrote to memory of 1028	1744	xahiqu.exe	36
PID 1744 wrote to memory of 1028	1744	xahiqu.exe	36

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\fepex.exe
  "C:\Users\Admin\AppData\Local\Temp\fepex.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\xahiqu.exe
    "C:\Users\Admin\AppData\Local\Temp\xahiqu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Users\Admin\AppData\Local\Temp\omqoi.exe
      "C:\Users\Admin\AppData\Local\Temp\omqoi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1052
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c8f9bdf732fed33b5bf3d8048d84b847

SHA1
91e692e32e365baacd4413e4b5e710579b5257cc

SHA256
bd89e7e76592b19f6c58c3c746dd0b24cd34981a189a79061408b3c3ba8953fe

SHA512
b0406b07b95a297f1fe83f8b90cd5221b0f32b591f79be7ea5d1426454eadc2e2080a02108c17dd1fb6175a8b205da4e70322987a631e7e8587c1ddc763ba82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
937f07b8af929674610e5739a06fdc64

SHA1
400c9e7f43604e1707aa4d19b6e9e925d8e55b71

SHA256
d39c5753c2a4dcc0319baef659a93993446a9edbe88fded4ba72aaa5a2f01027

SHA512
f2e8058a9e2d89676b8ed455ce559456141b48d8b6f64e6e5fe164f7fd016583afd82130371ff1611342e6b61f538de420069b016b56d990531c6edfc1f20f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f879be8b697fd769caddcd2d91cf83d9

SHA1
3e9e3430325e706fc4a56bdc5e3883516391899e

SHA256
e95c91553fd54e5e65d66d066a2811ae2bfd9b1e80bee6b22f5b5ed2157538fa

SHA512
ff2019588892b3e6a8da0a5b94a66cafd9b1d507839a528ec08869ab4c1bf4ea8ce67926ea0268a178ef57cf55c40fdff5a22cd6da3ec1009ee7dab439ec4ce2

Download Submit
\Users\Admin\AppData\Local\Temp\fepex.exe

Filesize
6.5MB

MD5
36d0657b7b494c5afde84df4a8f8d323

SHA1
29efa899d84b526ececa55807c5c2286f316be67

SHA256
d434d43e71f209cc47c7dc0ea804eddcd4460617f403b3ca6b2b3c61992cd02b

SHA512
9f65ed0d1c11c88aa99b208999a65fc45e8eead476e8aacec9816e43b40721f7d61f5e4ea0706ea71da84e9c41e3d99e5303546a34ca31ea64c7e83fa67528e4

Download Submit
\Users\Admin\AppData\Local\Temp\omqoi.exe

Filesize
459KB

MD5
1616d4341f458500ebdf6b7e29c932b1

SHA1
1b445705476e679c7cf7fb17f43cf6bdb0e53940

SHA256
ab3fcdbd0689f09ef7727705d9dd47f40b85f15dcd71a24b171322343dc6b682

SHA512
f8830d28ab91afda59dcaf7b2fea9672be902d944812e1473685c461d4577a8d4a946cfeb8551c9e02fe4838bbe1306625794141ae590faf2e9ce43ee3dc4ac5

Download Submit
memory/1052-165-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1052-177-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1744-163-0x0000000004760000-0x00000000048F9000-memory.dmp

Filesize
1.6MB

Download
memory/1744-155-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1744-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1744-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2140-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2140-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2140-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2140-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2140-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2140-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2140-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2140-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2384-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2384-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2384-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2384-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2384-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-62-0x00000000041A0000-0x0000000004C8C000-memory.dmp

Filesize
10.9MB

Download
memory/2384-61-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2384-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2384-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2384-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2384-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2384-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2384-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2384-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2384-154-0x00000000041A0000-0x0000000004C8C000-memory.dmp

Filesize
10.9MB

Download
memory/2384-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2384-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2384-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2384-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2384-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2384-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2384-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2384-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download