urelas | 7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f

General

Target

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Size

660KB
MD5

fa22a94cf15e0f978ab5f354af7b28c0
SHA1

75997c17a503e2a2f48f5d81a7f561a7d90fe7c9
SHA256

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074f
SHA512

0a8f9f498babb7ac26455b8e8c0d9e286b7977c35e436de6ebbf0bdc9318f576f432ab404a59e11dd6b1629baaed0fcd46811da27706ab51d73016f8afb907cd
SSDEEP

6144:O1xBWeMRygxDLbHxlSBxzJn1REBB6q1gBFJV6AvRqsf6YU+FM+3Yn/fCXjQGDqLO:Ol3MQIDKJzTq+Xxvo0U+d3s/fCX0Y

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2604 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

vuvup.exeytazt.exe

pid process

2564 vuvup.exe
1416 ytazt.exe
Loads dropped DLL 2 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exevuvup.exe

pid process

2792 7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2564 vuvup.exe

pid	process
2604	cmd.exe

pid	process
2564	vuvup.exe
1416	ytazt.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2792-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\vuvup.exe	upx
behavioral1/memory/2564-12-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2792-18-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/2564-21-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1416-30-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/2564-28-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\ytazt.exe	upx
behavioral1/memory/1416-32-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-33-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-34-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-35-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-36-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-37-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-38-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-39-0x00000000011B0000-0x000000000126A000-memory.dmp	upx
behavioral1/memory/1416-40-0x00000000011B0000-0x000000000126A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ytazt.exe7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.execmd.exevuvup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ytazt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuvup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exevuvup.exeytazt.exe

pid	process
2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
2564	vuvup.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe
1416	ytazt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exevuvup.exe

description	pid	process	target process
PID 2792 wrote to memory of 2564	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	vuvup.exe
PID 2792 wrote to memory of 2564	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	vuvup.exe
PID 2792 wrote to memory of 2564	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	vuvup.exe
PID 2792 wrote to memory of 2564	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	vuvup.exe
PID 2792 wrote to memory of 2604	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2792 wrote to memory of 2604	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2792 wrote to memory of 2604	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2792 wrote to memory of 2604	2792	7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe	cmd.exe
PID 2564 wrote to memory of 1416	2564	vuvup.exe	ytazt.exe
PID 2564 wrote to memory of 1416	2564	vuvup.exe	ytazt.exe
PID 2564 wrote to memory of 1416	2564	vuvup.exe	ytazt.exe
PID 2564 wrote to memory of 1416	2564	vuvup.exe	ytazt.exe

C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe
"C:\Users\Admin\AppData\Local\Temp\7526cf640a772dd13e6252a3fb94cf1975fd347f4f67246075e8012ef67f074fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\vuvup.exe
  "C:\Users\Admin\AppData\Local\Temp\vuvup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\ytazt.exe
    "C:\Users\Admin\AppData\Local\Temp\ytazt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
343B

MD5
f46847abee1e922e6e3891fed2523c49

SHA1
92e963e39c22d1e9025dd4e083605fe7656a9a05

SHA256
a5e75557e8eb4c098e7100d141c75186dc3be071245f2eaed23b17e7b8c72d30

SHA512
c4acd3e822197402611464b7a4cdece51716c1805e2f291701a0028553c472b2f30400b11b998497253ebc13ada4c9991d40e50f69f6674c8d2f30d0f207313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d644eab43114a98005202d3dc93f0b17

SHA1
3f5f7d497e5e5202991eda8edc149e6fc1baf71d

SHA256
c628417a8144a441f387231815b09b0d93dfe59eb9607450fede578bee83c814

SHA512
b233b60ccf24514e4809d13f0ccd44c02b6f05af16d51444ef5227e0d6356c27c0c76952e171dbbbc2677bba678c7069ba387ce5d0669dc570e97ab4db343120

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytazt.exe

Filesize
243KB

MD5
e84b580d4addec6662b9d0c0de2de70e

SHA1
47dc175d20ec8f5eeb521b88e6a6c9a78bb0ebfa

SHA256
effb88959af5180c695a67ce6c43ffd03dc57a0ae6590666944145db50f4713f

SHA512
deb935a4d62d39d256df7ef656a2bbea13a286c1adbef6671fdea0552e6f67e3e9b4bc8cd30155b2d2d0b33a3aad102f829623896c6dfccc87e82e99fb73d57d

Download Submit
\Users\Admin\AppData\Local\Temp\vuvup.exe

Filesize
660KB

MD5
b7592fbe5a550c733adc4b04844a043c

SHA1
2cb2d83e162e25866ab2a6fdbc8e0ec137fa491d

SHA256
9631c6fe3193d8f4948e03a425d1ba1e4bb00f20fd7a9791e281fc11ba6f874b

SHA512
158e4d25d3a69705dd9b7c08ec54e824bef260913c690e9dc0718acfe67dc719babefd090a7e0d7feb12e78d90580d1a68d08904a9e408a1e4bacb814468a7b8

Download Submit
memory/1416-40-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-38-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-39-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-37-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-30-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-36-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-35-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-33-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-34-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/1416-32-0x00000000011B0000-0x000000000126A000-memory.dmp

Filesize
744KB

Download
memory/2564-28-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2564-31-0x0000000002F10000-0x0000000002FCA000-memory.dmp

Filesize
744KB

Download
memory/2564-29-0x0000000002F10000-0x0000000002FCA000-memory.dmp

Filesize
744KB

Download
memory/2564-21-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2564-12-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2792-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2792-18-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2792-8-0x0000000002820000-0x00000000028C5000-memory.dmp

Filesize
660KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads