urelas | 7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f

General

Target

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Size

660KB
MD5

fa22a94cf15e0f978ab5f354af7b28c0
SHA1

75997c17a503e2a2f48f5d81a7f561a7d90fe7c9
SHA256

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f
SHA512

0a8f9f498babb7ac26455b8e8c0d9e286b7977c35e436de6ebbf0bdc9318f576f432ab404a59e11dd6b1629baaed0fcd46811da27706ab51d73016f8afb907cd
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLO:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Executes dropped EXE 2 IoCs

Processes:

fynux.exebutil.exe

pid process

2156 fynux.exe
2980 butil.exe
Loads dropped DLL 2 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exefynux.exe

pid process

2524 7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2156 fynux.exe

pid	process
2156	fynux.exe
2980	butil.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\fynux.exe	upx
behavioral1/memory/2524-17-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2156-20-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\butil.exe	upx
behavioral1/memory/2156-29-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2980-28-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-30-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-31-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-32-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-33-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-34-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx
behavioral1/memory/2980-35-0x0000000000CE0000-0x0000000000D9A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fynux.exebutil.exe7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fynux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exefynux.exebutil.exe

pid	process
2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2156	fynux.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe
2980	butil.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exefynux.exe

description	pid	process	target process
PID 2524 wrote to memory of 2156	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	fynux.exe
PID 2524 wrote to memory of 2156	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	fynux.exe
PID 2524 wrote to memory of 2156	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	fynux.exe
PID 2524 wrote to memory of 2156	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	fynux.exe
PID 2524 wrote to memory of 2588	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2524 wrote to memory of 2588	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2524 wrote to memory of 2588	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2524 wrote to memory of 2588	2524	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2156 wrote to memory of 2980	2156	fynux.exe	butil.exe
PID 2156 wrote to memory of 2980	2156	fynux.exe	butil.exe
PID 2156 wrote to memory of 2980	2156	fynux.exe	butil.exe
PID 2156 wrote to memory of 2980	2156	fynux.exe	butil.exe

C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
"C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\fynux.exe
  "C:\Users\Admin\AppData\Local\Temp\fynux.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\butil.exe
    "C:\Users\Admin\AppData\Local\Temp\butil.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
343B

MD5
f46847abee1e922e6e3891fed2523c49

SHA1
92e963e39c22d1e9025dd4e083605fe7656a9a05

SHA256
a5e75557e8eb4c098e7100d141c75186dc3be071245f2eaed23b17e7b8c72d30

SHA512
c4acd3e822197402611464b7a4cdece51716c1805e2f291701a0028553c472b2f30400b11b998497253ebc13ada4c9991d40e50f69f6674c8d2f30d0f207313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3d4e34e2b1e2a62f5c56d2c5c69b84ca

SHA1
4fb81917f5274c2065d74ce2eaa728d8a45f179e

SHA256
1fb0f2a0ba20fc94c1cba870d05836f4e6f8d8b68f1d755d88a3a6f6ffff0d5b

SHA512
7726bd26e20420d4fef721caa1387781265691a83f53790c4441196e989aee78fe5da7ed1b0969f022547429cef7cd544b90fa88de78f3bf9539cc1f0c3697df

Download Submit
\Users\Admin\AppData\Local\Temp\butil.exe

Filesize
243KB

MD5
9d280b578f6b1831411a27684d3b9008

SHA1
13d10b911bc6997000e4e9dc7e9deafc9d777afa

SHA256
bc3a1fa76b25b827cd80629589fa8840f97f2075504353f857ac93321089484c

SHA512
c3de9f047f840de7898311063c298839a1285de2bc90ce6b8d6646645fa61009c0af262d184ddff560f546a302f4628e56981339effaf4be353452ab8c8c03e6

Download Submit
\Users\Admin\AppData\Local\Temp\fynux.exe

Filesize
660KB

MD5
ee1c76a759308c67fa89349f94a1394b

SHA1
e4b86bc0df3011685fd0f0abaf6bf7bb18f7585a

SHA256
8805061dc2eef389d8708cbb40676bc809bc5f8f2528cb700d407cb65dd17ca2

SHA512
7a688057164de0ba8a0d1b7febf3ab65ebcdf649cdbfcbf38bb62698edd6acbfa3565dd33d22305f93a03b614c7ac7f0af6512b834c9d584527d0e1b8db3900f

Download Submit
memory/2156-26-0x0000000003B10000-0x0000000003BCA000-memory.dmp

Filesize
744KB

Download
memory/2156-29-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2156-20-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2524-17-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2524-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2524-8-0x0000000002860000-0x0000000002905000-memory.dmp

Filesize
660KB

Download
memory/2980-28-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-30-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-31-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-32-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-33-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-34-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download
memory/2980-35-0x0000000000CE0000-0x0000000000D9A000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads