urelas | a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62

Analysis

max time kernel
2s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
Size

467KB
MD5

0f5e4bbfcfd0acca9f07f391dcf1e589
SHA1

ac4160ff4b83c36db425c6b68845c34ed6935557
SHA256

a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62
SHA512

a7aa485826d8fa53ad0511962e6c89e490fd43492317e7d987f18239b22b14c5b648e860342fe98095f7e5c45d98255cb0371d969f1e139d5cf57fc8692a3c8c
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Uv2:m6tQCG0UUPzEkTn4AC1+1

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3160-26-0x0000000000400000-0x000000000049F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\irmia.exe	upx
behavioral2/memory/3160-30-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3160-29-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral2/memory/3160-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe

C:\Users\Admin\AppData\Local\Temp\a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe
"C:\Users\Admin\AppData\Local\Temp\a86f81147abd5f480509100ae389b789eb600a404f173eebdec3b653a6daed62.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2100
- C:\Users\Admin\AppData\Local\Temp\goyqd.exe
  "C:\Users\Admin\AppData\Local\Temp\goyqd.exe"
  2⤵
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\irmia.exe
    "C:\Users\Admin\AppData\Local\Temp\irmia.exe"
    3⤵
    PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
6c4708585b360860ef816d0d6d3b3655

SHA1
a1f0a223f31a9fbc8e4fbe1baadc1861081ace1a

SHA256
faafab5754a0cc58182156aef5d7dd79731fa10f990a12c534bc5849887a7cff

SHA512
2c2db0f7dd2e805c99a0fb0f627dc0230d2ce508c9dfb16a203392439b87993380f8c3a107f8ccdd78ceb5266c811375970db90c11e2e366deb2b5ad7447793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e481570ddc9f337fd7f2eeb85a119658

SHA1
b72234a85823c228f5668d1aefd59fae7e475dac

SHA256
ab2af664b5ac795e8420a400646f7fe3725166ff09d75e88ae48f7f0ca28eb08

SHA512
d8d6d860a2e5568b237f95b611f5f9e0622248386ae601f4938615cdc16481a423abd2bdebd420e7af2054ee7af40fb290410f70c988975499d7f39457b39178

Download Submit
C:\Users\Admin\AppData\Local\Temp\goyqd.exe

Filesize
467KB

MD5
ca63839bb0c954e68ddbdfb1423e74dd

SHA1
9bc16ccd7e367692ceae399ee03ea1e5eaed885a

SHA256
af337e0cd63cd513ebaec1f9a132581d90ba040a32d52c358a88eba7a91743ec

SHA512
05731355d58b9400f678973a4158c10c3934d332fcc0af39fda847c0f45607ef8ab337c90323358af1ed03516c4cf38b0200c973addc887a5e87ccac1323f406

Download Submit
C:\Users\Admin\AppData\Local\Temp\irmia.exe

Filesize
198KB

MD5
a6a728176f21cc133ca2bb4ea80bf141

SHA1
705cd19abe0bcebd9f33ad1eda060a8481023b81

SHA256
de4cad7bafac2c20e091df967a6c84090bcace05abe24d970d1aa18754c196cb

SHA512
38dc9009e04e8bf8770866f91cac593adc8c3b5543b4e322b2e11283114a41c801f038bc7c724af63f0854e63d7a85aafa98dba30a6e67a73be5297de1948e23

Download Submit
memory/2100-14-0x00000000007B0000-0x000000000082C000-memory.dmp

Filesize
496KB

Download
memory/2100-0-0x00000000007B0000-0x000000000082C000-memory.dmp

Filesize
496KB

Download
memory/3160-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3160-30-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3160-29-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3160-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3508-10-0x0000000000970000-0x00000000009EC000-memory.dmp

Filesize
496KB

Download
memory/3508-17-0x0000000000970000-0x00000000009EC000-memory.dmp

Filesize
496KB

Download
memory/3508-27-0x0000000000970000-0x00000000009EC000-memory.dmp

Filesize
496KB

Download