urelas | f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e

General

Target

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
Size

6.5MB
MD5

897f9c7d871aa6cfee73a8a226b2ce00
SHA1

71a7b5a797d80cc76fb7dbc0d209eacb290ccc0b
SHA256

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2e
SHA512

d668d0a14399ff53680d138ba041e6fff2cf36241588d42aedeecab3095f575d6579b6878224975f9b0c0f68508bb466a2efdf2ff5bd4924db9982e610f7d070
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSo:i0LrA2kHKQHNk3og9unipQyOaOo

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exehuufm.exebelite.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	huufm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	belite.exe

Executes dropped EXE 3 IoCs

Processes:

huufm.exebelite.exeapozy.exe

pid	Process
2684	huufm.exe
1488	belite.exe
4260	apozy.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x000f000000023b8f-65.dat	upx
behavioral2/memory/4260-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4260-76-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

huufm.execmd.exebelite.exeapozy.execmd.exef5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huufm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	belite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apozy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exehuufm.exebelite.exeapozy.exe

pid	Process
4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
2684	huufm.exe
2684	huufm.exe
1488	belite.exe
1488	belite.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe
4260	apozy.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exehuufm.exebelite.exe

description	pid	Process	procid_target
PID 4312 wrote to memory of 2684	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	87
PID 4312 wrote to memory of 2684	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	87
PID 4312 wrote to memory of 2684	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	87
PID 4312 wrote to memory of 1440	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	88
PID 4312 wrote to memory of 1440	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	88
PID 4312 wrote to memory of 1440	4312	f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe	88
PID 2684 wrote to memory of 1488	2684	huufm.exe	90
PID 2684 wrote to memory of 1488	2684	huufm.exe	90
PID 2684 wrote to memory of 1488	2684	huufm.exe	90
PID 1488 wrote to memory of 4260	1488	belite.exe	102
PID 1488 wrote to memory of 4260	1488	belite.exe	102
PID 1488 wrote to memory of 4260	1488	belite.exe	102
PID 1488 wrote to memory of 5028	1488	belite.exe	103
PID 1488 wrote to memory of 5028	1488	belite.exe	103
PID 1488 wrote to memory of 5028	1488	belite.exe	103

C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe
"C:\Users\Admin\AppData\Local\Temp\f5dc624fc92e2e1e175943520df30ed2ea5cdd1061f143e49625a54066462e2eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\huufm.exe
  "C:\Users\Admin\AppData\Local\Temp\huufm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\belite.exe
    "C:\Users\Admin\AppData\Local\Temp\belite.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\apozy.exe
      "C:\Users\Admin\AppData\Local\Temp\apozy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2cc5d1faf991d402592b291aab506197

SHA1
22998fcf712c287c92dcf8d7f2a1f81e307a1827

SHA256
233efdf184908cbe354197cc62830a9f74975dfb971c1474852f8e33a5481ef6

SHA512
df671a7097f3597b4f09f4f79b04204c9bcb36059a85cc09b5338864c5c8bdecb82e92b96621878835735187a6c4b995850d44a32d0397e49b727929e9353fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
937f07b8af929674610e5739a06fdc64

SHA1
400c9e7f43604e1707aa4d19b6e9e925d8e55b71

SHA256
d39c5753c2a4dcc0319baef659a93993446a9edbe88fded4ba72aaa5a2f01027

SHA512
f2e8058a9e2d89676b8ed455ce559456141b48d8b6f64e6e5fe164f7fd016583afd82130371ff1611342e6b61f538de420069b016b56d990531c6edfc1f20f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\apozy.exe

Filesize
459KB

MD5
cda863fd9ca443ab5d983767f80f20ee

SHA1
40f9b1cdab96d5731b3d86ae06deb7fee365a88f

SHA256
54b6cb42cdc5a0de2b2f6899d98d7125d09b3eccbb96ff35f37413018328e9e9

SHA512
48bed75b5bcbb405e2112dd9294afe1e62ca6a4d0821859bf3b7f9a6ee80496b104890c7f2c981c500a0151999c3f08f7d6dabfcc805b2a06b4e9583744e064a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fdeda169b65439de1abd936fd106ca2d

SHA1
d82f7e5138c349df235c0ab1cda870d6fac14d6f

SHA256
31a19b708d14772753edd3abf8f5c13c923d2e4e56a0aa0776347568faed3ca0

SHA512
e5f2c0aa9cccac7b42b50767a7d5daf99975f907b2a419b693ff7ae0b8535d1c6725dfd0e08fc7f401f793990e6ed39d16452a2943fcedce10dd9a67e98e6a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\huufm.exe

Filesize
6.5MB

MD5
a2b0833a22c8a0f90a411f907888a818

SHA1
7d01ad03e0fcb8dec606c9ae491ff13e707832b2

SHA256
fde0a985e3168b9900d02db0444cecf9eedbf18e0cf712a059506f82e7b87934

SHA512
4cd22b6f7a5ef7c47c279b16292d5700eaf65cace1d457e50cf2efb945f32204f2c7796156e6781f768a364db564a67e93d95d8edcb23c45d7eebffd30dfb398

Download Submit
memory/1488-52-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1488-51-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/1488-50-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1488-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1488-53-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1488-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1488-54-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1488-55-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1488-56-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/1488-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2684-33-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2684-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2684-35-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2684-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2684-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2684-32-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/2684-31-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/2684-29-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2684-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2684-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2684-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4260-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4260-76-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4312-6-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

Filesize
4KB

Download
memory/4312-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4312-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4312-4-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/4312-27-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4312-7-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4312-8-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

Filesize
4KB

Download
memory/4312-5-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/4312-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4312-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4312-2-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4312-3-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4312-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads