urelas | d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270b

General

Target

d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
Size

555KB
MD5

54002530f17a3dc3197385ae3d462ef0
SHA1

508027e0775aed07382caa8f66d7c686b604b6c7
SHA256

d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270b
SHA512

df9cc425f2ced137a61f8df50db50bca43fc651edbb2b34c8e4e568ec319396bceefe32043ca83e051e4697eb323ff61aee622813198f82e9cde795120c52aad
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEy7:znPfQp9L3olqF7

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2684	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2672	reapa.exe
1004	ojqog.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
2672	reapa.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1868-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1868-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2672-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0036000000016d24-8.dat	upx
behavioral1/memory/2672-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2672-28-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reapa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojqog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe
1004	ojqog.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 2672	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	30
PID 1868 wrote to memory of 2672	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	30
PID 1868 wrote to memory of 2672	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	30
PID 1868 wrote to memory of 2672	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	30
PID 1868 wrote to memory of 2684	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	31
PID 1868 wrote to memory of 2684	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	31
PID 1868 wrote to memory of 2684	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	31
PID 1868 wrote to memory of 2684	1868	d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe	31
PID 2672 wrote to memory of 1004	2672	reapa.exe	33
PID 2672 wrote to memory of 1004	2672	reapa.exe	33
PID 2672 wrote to memory of 1004	2672	reapa.exe	33
PID 2672 wrote to memory of 1004	2672	reapa.exe	33

C:\Users\Admin\AppData\Local\Temp\d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe
"C:\Users\Admin\AppData\Local\Temp\d35e9030076dc2a04bc378e5bd3dc5ebdf779d40a44a535488452e5b8ca1270bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\reapa.exe
  "C:\Users\Admin\AppData\Local\Temp\reapa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\ojqog.exe
    "C:\Users\Admin\AppData\Local\Temp\ojqog.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
5d846c9b3db0a4fb0cdbefc4fcb28f7e

SHA1
45676ba1f08ffc56b323ad6129aed2793880f7fb

SHA256
8ac145a334281111307407ad8dfb0fb5c2cf5a2c0428da77cf3ab7e5083adcbb

SHA512
11dd11d4e4f496d1693fa11b82c9197e6f20fc8d8dd73f8c333b6df182a844080209a9df5a3e8a43aa864abc95874561a5ed9e1a291f858586745c5b52c7ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a9c88db66e641f4c046007380645d008

SHA1
aa8eb3ef18ad7fb34711339ec4261329331234ad

SHA256
2fc18c6ea780300d7abb14f1d463ee62eb38641c6fd7936cfc65bfc89d49d4b3

SHA512
f61ea0751fca36a2fc769d922dfc475a1d737d5b8e98688012c04b8fb8482f093ee497cec5cf545ebaeda6f68d232c5b9ad38b29c7cce00f114493c10edfe052

Download Submit
C:\Users\Admin\AppData\Local\Temp\reapa.exe

Filesize
555KB

MD5
eaa9d455173056f47bbcda311d71dcd7

SHA1
c26a6316f1fe76cff9d455d8bf295d401464d1f4

SHA256
5b89f17ff06c5c3464c0275547a6114683b451bc0907af1bc8b99117df0f200a

SHA512
10376d7d26e397beaf0265f4c32b67676a686232aeeb31fdc6952b3f118cd9d7c943224a80b55aba775601becc292d2ba64fb1029eeab116e6bc55d6b294fc8c

Download Submit
\Users\Admin\AppData\Local\Temp\ojqog.exe

Filesize
194KB

MD5
2f9501fcbfb6e7f519802196d788d90d

SHA1
4ae918dd71c5f0b96dd06ae4ed0d2627d271694d

SHA256
fedfc12b351208d889d860e2d93bdb4f47b79a47315b0d4b1109ca852d8a03ca

SHA512
5af6f9712e264dc4a351271bf39550636f503eeac29bc2098e44ed3a0b69aa68e282f9f6e1c29de47b40de7d3ef59c5d3876207df9f9ecee196f29d82656b92e

Download Submit
memory/1004-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1004-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1004-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1868-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1868-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2672-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2672-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2672-25-0x00000000030C0000-0x0000000003154000-memory.dmp

Filesize
592KB

Download
memory/2672-28-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing