urelas | cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52

General

Target

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Size

555KB
MD5

49578e06b681e1ad56ca5fd417aef0fb
SHA1

e6cbb060c5ab504f2ec3f2cc2f621eaed907727d
SHA256

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52
SHA512

75f26a3d205875d322337b5398b8627e77690d8c52f8db73e4391b846d0101f8a1fc4569d3d7ba0b209d7d8af1a2c730dc59f0f4f0115da1ed7460e879907471
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2880 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

kogoc.exevyacl.exe

pid process

2744 kogoc.exe
2388 vyacl.exe
Loads dropped DLL 2 IoCs

Processes:

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exekogoc.exe

pid process

2128 cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
2744 kogoc.exe

pid	process
2880	cmd.exe

pid	process
2744	kogoc.exe
2388	vyacl.exe

pid	process
2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
2744	kogoc.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2128-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2744-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\kogoc.exe	upx
behavioral1/memory/2128-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2744-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/2744-30-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exekogoc.execmd.exevyacl.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kogoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyacl.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

vyacl.exe

pid	process
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe
2388	vyacl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exekogoc.exe

description	pid	process	target process
PID 2128 wrote to memory of 2744	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	kogoc.exe
PID 2128 wrote to memory of 2744	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	kogoc.exe
PID 2128 wrote to memory of 2744	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	kogoc.exe
PID 2128 wrote to memory of 2744	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	kogoc.exe
PID 2128 wrote to memory of 2880	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	cmd.exe
PID 2128 wrote to memory of 2880	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	cmd.exe
PID 2128 wrote to memory of 2880	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	cmd.exe
PID 2128 wrote to memory of 2880	2128	cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe	cmd.exe
PID 2744 wrote to memory of 2388	2744	kogoc.exe	vyacl.exe
PID 2744 wrote to memory of 2388	2744	kogoc.exe	vyacl.exe
PID 2744 wrote to memory of 2388	2744	kogoc.exe	vyacl.exe
PID 2744 wrote to memory of 2388	2744	kogoc.exe	vyacl.exe

C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe
"C:\Users\Admin\AppData\Local\Temp\cf8c49870e8ada3b86dff073d82adcc302f9fafbf74bcf36e152dc087ff57b52.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\kogoc.exe
  "C:\Users\Admin\AppData\Local\Temp\kogoc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\vyacl.exe
    "C:\Users\Admin\AppData\Local\Temp\vyacl.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
16f866800d1bce0d461c4bf1d5cc826c

SHA1
dbdd17e36e972d424cd619b2deca408138b4a533

SHA256
f5422ceeba01071192926f939989bfd89156fcaa4cf7f586897de881ee34b1c8

SHA512
5dd2deb742a6250871301e90321cac04eba0fbc8e009bd506712159646a00e327f97efc2c2c3461ca2d325e151e0af7a4f739f22613705eb889faeb8b5b7acfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
474a84f1ae07a44143ade792b28ef228

SHA1
673e47dd675cecc6dd080db0d6afa7417e4a6b8c

SHA256
9d3b60d5771bcf6c8623d45fbf28cbed0395e2d17521e7d1380eb6e442c7d760

SHA512
aee8005aef6eb70f2bac5cb6da3f98890282cc6d753173445cd458194dabfa8c62ac024b4382ce652313183729acf229a66d594361ff071dcfb791f6755971ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\kogoc.exe

Filesize
555KB

MD5
cfb5b91db7dc959e1d67082b9d0aa88f

SHA1
1956f89858f879bc0ef066f227975da124058009

SHA256
b0cfa7b04e20dc5d19df42585e3eb985e17a234e56eb86faed77b7d6a8df5949

SHA512
21926cb893ebe13050ea6f31fedb4e65bfc48233d1088ca691f3b1e190f5e9989d8b82d2fd72cd54685eea401fc8cef514231eb842579d7f052895a7289fe3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vyacl.exe

Filesize
194KB

MD5
2a9f1256490d22c1f02917dc51881603

SHA1
fdddc864f71598e6b7659bc0869c3698092d45cb

SHA256
26d1af15f12c2b28b91861fa0e8d2686d065ae7e105322dd6a71085a801acc73

SHA512
2d999e6c81d84008383e014422d89016f848618c07d6e4358309a10f6cc4997f78d880baf7cdbb0fa9d143c0d731ee7681169261c25c7e27f82e06926c3c5988

Download Submit
memory/2128-6-0x00000000025E0000-0x0000000002696000-memory.dmp

Filesize
728KB

Download
memory/2128-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2128-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2388-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2388-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2388-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2744-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2744-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2744-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2744-28-0x00000000031B0000-0x0000000003244000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads