urelas | 47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e

General

Target

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
Size

1.1MB
MD5

899b623b32dbe4c5c0bac890de4575c1
SHA1

6ab746824ee8d9a7cebffeeb9c758b5e61decedd
SHA256

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e
SHA512

81b28bbd10c9db8f966d63f4858fd1585d4e273b87272782dbb5f633646c6e148bf83bcb3e15c70a380b36878be6c4a4e621ea66f214b885f509dcab02c1fc84
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5Ym:tcykpY5852j6aJGl5cqBr

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3012 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ucybs.exeovxieb.exemosub.exe

pid process

2084 ucybs.exe
2756 ovxieb.exe
2096 mosub.exe

pid	process
3012	cmd.exe

pid	process
2084	ucybs.exe
2756	ovxieb.exe
2096	mosub.exe

Loads dropped DLL 5 IoCs

Processes:

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exeucybs.exeovxieb.exe

pid	process
1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
2084	ucybs.exe
2084	ucybs.exe
2756	ovxieb.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mosub.exe	upx
behavioral1/memory/2096-53-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2096-57-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exemosub.execmd.exe47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exeucybs.exeovxieb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mosub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucybs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovxieb.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

mosub.exe

pid process

2096 mosub.exe
2096 mosub.exe
2096 mosub.exe
2096 mosub.exe
2096 mosub.exe
2096 mosub.exe
2096 mosub.exe

pid	process
2096	mosub.exe
2096	mosub.exe
2096	mosub.exe
2096	mosub.exe
2096	mosub.exe
2096	mosub.exe
2096	mosub.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exeucybs.exeovxieb.exe

description	pid	process	target process
PID 1868 wrote to memory of 2084	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	ucybs.exe
PID 1868 wrote to memory of 2084	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	ucybs.exe
PID 1868 wrote to memory of 2084	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	ucybs.exe
PID 1868 wrote to memory of 2084	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	ucybs.exe
PID 1868 wrote to memory of 3012	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	cmd.exe
PID 1868 wrote to memory of 3012	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	cmd.exe
PID 1868 wrote to memory of 3012	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	cmd.exe
PID 1868 wrote to memory of 3012	1868	47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe	cmd.exe
PID 2084 wrote to memory of 2756	2084	ucybs.exe	ovxieb.exe
PID 2084 wrote to memory of 2756	2084	ucybs.exe	ovxieb.exe
PID 2084 wrote to memory of 2756	2084	ucybs.exe	ovxieb.exe
PID 2084 wrote to memory of 2756	2084	ucybs.exe	ovxieb.exe
PID 2756 wrote to memory of 2096	2756	ovxieb.exe	mosub.exe
PID 2756 wrote to memory of 2096	2756	ovxieb.exe	mosub.exe
PID 2756 wrote to memory of 2096	2756	ovxieb.exe	mosub.exe
PID 2756 wrote to memory of 2096	2756	ovxieb.exe	mosub.exe
PID 2756 wrote to memory of 2724	2756	ovxieb.exe	cmd.exe
PID 2756 wrote to memory of 2724	2756	ovxieb.exe	cmd.exe
PID 2756 wrote to memory of 2724	2756	ovxieb.exe	cmd.exe
PID 2756 wrote to memory of 2724	2756	ovxieb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe
"C:\Users\Admin\AppData\Local\Temp\47d811dd2f09ee6792d406b3d1f63928558aafb763efc3abd9e8aa023ce43e3e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\ucybs.exe
  "C:\Users\Admin\AppData\Local\Temp\ucybs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\ovxieb.exe
    "C:\Users\Admin\AppData\Local\Temp\ovxieb.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\mosub.exe
      "C:\Users\Admin\AppData\Local\Temp\mosub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
2a9a08802356c11ee49819ba67f95aed

SHA1
0d0935d68670df96ee56c580b92d793fca5c65d2

SHA256
522a3e73d0056b4799c8f16f95909be4886ba2e5abc0bed6e4c70d521874cd71

SHA512
ba4fb33bdaa1adcac347208188a9e855e8ebd23a8c23a4378f72bfbcbf266229bcea4422b1ce13bf13bc9213ffa882430ebaaca7ea6e0ba91aa9f91abcbbf1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
cffa1707065f6935107415baa4ce6d7b

SHA1
361075672e109c3fb569990a5052584d7fb78daa

SHA256
e3b2fc5bcd711ba202c143a92e1049c7deae350c1c053d6ef57bb9a8e31f7131

SHA512
2017322600fde0a3a1ad85505785e6613715193a129dd5c094388f0e809e8cdfc33ded203113e70758facbd765e21259c287684be6d486d67967c9216f6ee122

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1d03ddcfad69ba46834e635add1e58aa

SHA1
4cfb1654574e2c706ffba98e73f727096f981a09

SHA256
900189477efae8fd97f8dcdec0c20f33726826493598081325fabf9c85b14d98

SHA512
2cf7f84aeff924cfe6666dca9e462a246a3ad52433fe4c4b2f072d51a2c06b46a08d2c3d1752373a591d1fb1f5d1b4fa30e7bfbd9b528085627c25ee124e1548

Download Submit
C:\Users\Admin\AppData\Local\Temp\mosub.exe

Filesize
459KB

MD5
05cab9deae7c42c9674b595ff3e73de4

SHA1
6c2325f1cc74e09b6351fb24b4ab29a8ec89a0bb

SHA256
b0196c1b5cfaa1e1f7e9eea1694ce7988d658dac4684c92a8eb42f4cb1e9c858

SHA512
f89d62dae2a36bb67b30693aa66df0783edf6cc002a40a720df3d26cbd53b667de094ad25ff29a055955c8dceb7736fc123bf2daa5f57b7fe3960c55b3df1363

Download Submit
\Users\Admin\AppData\Local\Temp\ucybs.exe

Filesize
1.1MB

MD5
df1abdfc6e0cebce66c98d0ab6915a59

SHA1
c503931a7b384cc52c112a584758e8dfa5273add

SHA256
a487790edf8696bc84e00453d05ce51b8c124f52f2589e4d69692d53b9a90b7a

SHA512
20bd3301ebaf270e21a1eee86640d308c5d462f61eb1b2aa9958da6ada4fa8141853b801b056d4411563d0e4a90ebcf0620d101fb78e91052cf06dd6ab39bc2c

Download Submit
memory/1868-20-0x0000000002550000-0x0000000002674000-memory.dmp

Filesize
1.1MB

Download
memory/1868-19-0x0000000002550000-0x0000000002674000-memory.dmp

Filesize
1.1MB

Download
memory/1868-21-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1868-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2084-33-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2096-53-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2096-57-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2756-36-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2756-51-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2756-34-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads