urelas | fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dc

General

Target

fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
Size

555KB
MD5

0062aab4d5c62d1c665ed73279edcc30
SHA1

4480c29ae577f971d7cf37a1d5ea58da8a796d8a
SHA256

fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dc
SHA512

2f351db9b0cc7a2d77abd2a74e3f90dd8092bcb85250fdcb5ee046f662e50158f28d215b27d6b67ed3b8e4a6c0621e28f7d198dc1285636eb3138988518a7a28
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyY:znPfQp9L3olqFY

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1628	ikodr.exe
1444	vijug.exe

Loads dropped DLL 2 IoCs

pid	Process
1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
1628	ikodr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1084-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0009000000016ccc-4.dat	upx
behavioral1/memory/1628-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1084-18-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1628-21-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/1628-29-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikodr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vijug.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe
1444	vijug.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1628	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	30
PID 1084 wrote to memory of 1628	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	30
PID 1084 wrote to memory of 1628	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	30
PID 1084 wrote to memory of 1628	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	30
PID 1084 wrote to memory of 2888	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	31
PID 1084 wrote to memory of 2888	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	31
PID 1084 wrote to memory of 2888	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	31
PID 1084 wrote to memory of 2888	1084	fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe	31
PID 1628 wrote to memory of 1444	1628	ikodr.exe	33
PID 1628 wrote to memory of 1444	1628	ikodr.exe	33
PID 1628 wrote to memory of 1444	1628	ikodr.exe	33
PID 1628 wrote to memory of 1444	1628	ikodr.exe	33

C:\Users\Admin\AppData\Local\Temp\fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe
"C:\Users\Admin\AppData\Local\Temp\fd5f164d0f420a4dd08ea2575b91506bff11acd605d1926835a0b6288ccef1dcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\ikodr.exe
  "C:\Users\Admin\AppData\Local\Temp\ikodr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\vijug.exe
    "C:\Users\Admin\AppData\Local\Temp\vijug.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6a9bb1c6572fb3a8465225f6e381fc82

SHA1
48251f6d77802251902351e516f062f092f3f6c1

SHA256
8110d4c41448cc2eaab3faeccbdf66839fdf9328ca28c93e49d35da90fcc8791

SHA512
1bf6e9e9e16e7fd5ed34d21dec3ef9d44f8cc6ba08057f6aeb3a7aa75780b7c8dd089916e3c52af7e3eba39db242cdcc2c8c81e7743228d236051a8ae0744f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7b9d025b0e9e48528b63a657437297a5

SHA1
0cd259b77e109a561253f42afd1a81b9ae39cee7

SHA256
ffd66357e8cda84a09daf406cc728e8d440a8cc10a2591e2794ec7d2e9b15668

SHA512
ae11149a91fa6258a54abe019c84b711471545392b480bd73126f97225f30a3ba8df92516e2b121e02113bc4d7c7dae3bfbf6029e3681e18c39397298144a1ae

Download Submit
\Users\Admin\AppData\Local\Temp\ikodr.exe

Filesize
555KB

MD5
78238b80c2ec2784aa5a8eac728cccec

SHA1
321c025073e3b5290632b8d8c13b88511f7c1e72

SHA256
d18b58db7fc5ef0f3968124bdf373fbfa44f76180ea0a56b561f157ed4b441c4

SHA512
1fdbe085ca01a6beb2235883de752b4f11a92c13725a998af873c8810e5dda10b5a22d9fb267074d341e4e7535755710f71db541f615ce4fef2f712aba6d8ec1

Download Submit
\Users\Admin\AppData\Local\Temp\vijug.exe

Filesize
194KB

MD5
865648ec6064324aba4f866de8db4b52

SHA1
24fd988406adc53f24373927d3ff2d76a2f5843f

SHA256
8e95d8dc0454888e0fc39c561484931efa84139b4bf9a94740dfd2329e22e60a

SHA512
b443a091c4f9f01c276227d65d0efb2fcd3058847846f880254de49fc66c7d516cd19687982df4b64453a49c643a03e698fec323882a2cfff446d6b1a85ca0a5

Download Submit
memory/1084-18-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1084-9-0x00000000024E0000-0x0000000002596000-memory.dmp

Filesize
728KB

Download
memory/1084-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1444-30-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1444-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1444-33-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1628-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1628-21-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1628-26-0x0000000003740000-0x00000000037D4000-memory.dmp

Filesize
592KB

Download
memory/1628-29-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing