urelas | a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4

General

Target

a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
Size

557KB
MD5

4622a1c2bba867048cb806ad43f8e3d0
SHA1

11f7083f9d3d1c03539175920d43c9d3dd23a72b
SHA256

a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4
SHA512

ff3c7aec51ff2d35faec5b7ca430183339c5158fe208be708c1518c123a7a231c2de0e811efc23051450b0126951e8b6234faa52a36a835f388b70c677a96777
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyP:znPfQp9L3olqFP

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2196	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2144	eltun.exe
1772	ylkos.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
2144	eltun.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2144-16-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0009000000015cdd-8.dat	upx
behavioral1/memory/2136-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2144-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2144-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eltun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylkos.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe
1772	ylkos.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2144	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	30
PID 2136 wrote to memory of 2144	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	30
PID 2136 wrote to memory of 2144	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	30
PID 2136 wrote to memory of 2144	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	30
PID 2136 wrote to memory of 2196	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	31
PID 2136 wrote to memory of 2196	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	31
PID 2136 wrote to memory of 2196	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	31
PID 2136 wrote to memory of 2196	2136	a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe	31
PID 2144 wrote to memory of 1772	2144	eltun.exe	34
PID 2144 wrote to memory of 1772	2144	eltun.exe	34
PID 2144 wrote to memory of 1772	2144	eltun.exe	34
PID 2144 wrote to memory of 1772	2144	eltun.exe	34

C:\Users\Admin\AppData\Local\Temp\a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe
"C:\Users\Admin\AppData\Local\Temp\a2d9f8c6c5e1e053e517debda840f2bc378caa1d2e2cadbfaa91d949406e7cd4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\eltun.exe
  "C:\Users\Admin\AppData\Local\Temp\eltun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\ylkos.exe
    "C:\Users\Admin\AppData\Local\Temp\ylkos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9cf7ac7e50996aefcbc907ca75b9698e

SHA1
7ca3b2d2b64ff07e7cde2129370bbc0b53500e79

SHA256
11611bcf4151395df19ef76e3d857ebae1d34127ade1e7368143618244dcbaea

SHA512
facff2c52ad39ded9df69712db4be8965f5ee7ef736f42578bd081fbfed9ffba1202de4f1ff99764d60db9154e5a6032b3041730da547e4659297a48666cda17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eltun.exe

Filesize
557KB

MD5
0b2e1626887ed05daaecadcf6f51c8b0

SHA1
4fd14828b87cca7fccb271e7bf3967a91a6bebab

SHA256
e2655d04080d8342c0f24a0bfb6a22ed948327c9b086aa9dd03e535ea76d78f4

SHA512
c9c459248cc63f9e8529852969225382adafcdbfe2e25d25e45df469d48a1a057dc7e100039133f54e074b400d1b2965f336cd9750a1d7142a53818dceec52fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5f54e592b2a7317f27f8f6781efbd3dc

SHA1
3000523889948746fdefb77db34b6f6cf8c34f66

SHA256
66d84d4b7a43028a3679a1eb5b8fb2ca1c984877c61139c6ebba8c5e1061957c

SHA512
f1aa4ecedbd5002c3669fcd2e952b814f9fa2e931c51b21ea17c57647151f42bd0a776d17bdc2a9ebfae8d9f8045788f9c82601c7fd2a550c03734c58add7d0e

Download Submit
\Users\Admin\AppData\Local\Temp\ylkos.exe

Filesize
194KB

MD5
b32b65cd3338dc8810ac2f9c3afc550c

SHA1
08b0774dfbe643cf2169d209482164612858c762

SHA256
e0d4189e90e70bf56653fe0625b358dd160582da4b635fd0b05fcf1e6993ea72

SHA512
266671eb36b6f5fe3052874ea81b29f3fd19c79fcbf764252b5f8f44fe610ead5f5c944403fcf3865b1165397e2141f5b648fb2e5b5920ace3ad34bc968d93e0

Download Submit
memory/1772-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1772-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1772-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2136-15-0x0000000002680000-0x0000000002736000-memory.dmp

Filesize
728KB

Download
memory/2136-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2136-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-16-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2144-27-0x00000000031E0000-0x0000000003274000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing