urelas | db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25

General

Target

db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
Size

6.5MB
MD5

d657389a8b15c067fe486d3bf3aab900
SHA1

38b732ea7c6c556cf90b1a03fb17bb9ec9a5cc0f
SHA256

db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25
SHA512

69c4464ea692b44008cb0f0c0480ae4183c9bc4d5926ab4969b4a653cbe48191e59b4c5010d7470ed00a364797767836219577effe9c47c8a37d68f5de36865d
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSG:i0LrA2kHKQHNk3og9unipQyOaOG

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
284	luzor.exe
1564	cufuog.exe
684	dyyrm.exe

Loads dropped DLL 5 IoCs

pid	Process
2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
284	luzor.exe
284	luzor.exe
1564	cufuog.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016d25-156.dat	upx
behavioral1/memory/1564-158-0x0000000004990000-0x0000000004B29000-memory.dmp	upx
behavioral1/memory/684-169-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/684-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	luzor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cufuog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyyrm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
284	luzor.exe
1564	cufuog.exe
684	dyyrm.exe
684	dyyrm.exe
684	dyyrm.exe
684	dyyrm.exe
684	dyyrm.exe
684	dyyrm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 284	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	28
PID 2868 wrote to memory of 284	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	28
PID 2868 wrote to memory of 284	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	28
PID 2868 wrote to memory of 284	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	28
PID 2868 wrote to memory of 2340	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	29
PID 2868 wrote to memory of 2340	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	29
PID 2868 wrote to memory of 2340	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	29
PID 2868 wrote to memory of 2340	2868	db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe	29
PID 284 wrote to memory of 1564	284	luzor.exe	31
PID 284 wrote to memory of 1564	284	luzor.exe	31
PID 284 wrote to memory of 1564	284	luzor.exe	31
PID 284 wrote to memory of 1564	284	luzor.exe	31
PID 1564 wrote to memory of 684	1564	cufuog.exe	34
PID 1564 wrote to memory of 684	1564	cufuog.exe	34
PID 1564 wrote to memory of 684	1564	cufuog.exe	34
PID 1564 wrote to memory of 684	1564	cufuog.exe	34
PID 1564 wrote to memory of 2164	1564	cufuog.exe	35
PID 1564 wrote to memory of 2164	1564	cufuog.exe	35
PID 1564 wrote to memory of 2164	1564	cufuog.exe	35
PID 1564 wrote to memory of 2164	1564	cufuog.exe	35

C:\Users\Admin\AppData\Local\Temp\db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe
"C:\Users\Admin\AppData\Local\Temp\db1482a7ee52214653ca6d7753987d30c65fdfd0b4f895e0fb0380885b391c25N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\luzor.exe
  "C:\Users\Admin\AppData\Local\Temp\luzor.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Users\Admin\AppData\Local\Temp\cufuog.exe
    "C:\Users\Admin\AppData\Local\Temp\cufuog.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\dyyrm.exe
      "C:\Users\Admin\AppData\Local\Temp\dyyrm.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:684
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0cc2d294c7060a09824a651d26d4ac2f

SHA1
a134bbcca70e5dbadc54a534a4907557b6b2df49

SHA256
d20488a3ae19a2135deffdec81632a6b74e1461f9281c54896544268611a2bad

SHA512
06be170fea14aee725aafb4b38de8a86cc2de269f81ab5e7c58f6038c6c059bf7a329be7ffb5573f21f7312d59ead408222593c40aaec941e3a17ac67d60dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
ec1884a5e82e23dfc99a105c2680b261

SHA1
719e84a61a18b52ab5f9369d5ba12d22188aed50

SHA256
040351081a200f005823266a4e258da17d957d1a3df4251817aef0dc8769269d

SHA512
c629ce8b34f9a62715e10e7051cfa1206da313d0891e5954765399a11450abc30f7d81d3f91d3f402aeeb93743f848002400e2c443021494d63f6e3ee783dc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
114c9d0657ccef5a79c899db65f88722

SHA1
7325d2f12dec22fcbc4eb91f6303aea16b8d5d5e

SHA256
fcd952da87c65eeb96a336a04cc1ea6565be33ed899e2152ca34a93770d6362b

SHA512
d83183ecb9969bcc3daaf5461ade48b60dc93346d0646a2f41c929ec8432a416ab9c1abd7e82fb32e38b0d0546f27827b7ce1c154a661af3976c8bae3455e998

Download Submit
\Users\Admin\AppData\Local\Temp\dyyrm.exe

Filesize
459KB

MD5
8ccfbb7da99103b7ec3dea57074320a0

SHA1
1046a90c4b070664e203bed0ae7fee47791a8580

SHA256
0a33525b3f49db82dd9a56f067f706f360ba102e32e2176b49765c1eae2d9d35

SHA512
8388e9732b19c57204f886bcb5b74978b698346abd5c25693657b3ae819f0540050f7e05deacba51a3fc23e9f12acb89a5f5ee29b22dc002b1df23033bad9f04

Download Submit
\Users\Admin\AppData\Local\Temp\luzor.exe

Filesize
6.5MB

MD5
01b7c0a49ff4a7a5d5f5a585dab01b9e

SHA1
da747f759d5197c84dae7dab10837c58a2b99332

SHA256
22fb116b108fa1873dde4ec60ffa4ec6cc7699c1bf14d72fda941b79bb6520c8

SHA512
b76d615972cfee3a93612508e93e68238f13e51ab07b4d2e06ada0968fda92c74bd5935a879b1fc5c1a5dbe1f1841cf7351988bbf76996e6970ec0db1c1874e8

Download Submit
memory/284-89-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/284-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/284-111-0x00000000043A0000-0x0000000004E8C000-memory.dmp

Filesize
10.9MB

Download
memory/284-87-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/684-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/684-169-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1564-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1564-152-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1564-158-0x0000000004990000-0x0000000004B29000-memory.dmp

Filesize
1.6MB

Download
memory/2868-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2868-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2868-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2868-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2868-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2868-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2868-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2868-60-0x0000000003E90000-0x000000000497C000-memory.dmp

Filesize
10.9MB

Download
memory/2868-61-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2868-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-51-0x0000000003E90000-0x000000000497C000-memory.dmp

Filesize
10.9MB

Download
memory/2868-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2868-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2868-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2868-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2868-23-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2868-25-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2868-28-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2868-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2868-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2868-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2868-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2868-38-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing