urelas | 3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127

General

Target

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Size

466KB
MD5

0542083c1a2b3eff0f640709bca31c47
SHA1

58b1f802ece5eab93975a56756c86c8a2ce06b0d
SHA256

3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127
SHA512

db3b7fb869264fcb120cd39e562a563e9e762943def5f07b95443b93dce8adb26ab1496824923a6544a8407e6fbbea5cd25fab638dec20086d957297f7fd0e01
SSDEEP

12288:m6twjLHj/8/GcHUIdPPzEmvTnabAh0ZnAr1Ui:m6tQCG0UUPzEkTn4AC1+D

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2088	xevyq.exe
2136	sogeo.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
2088	xevyq.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000019284-25.dat	upx
behavioral1/memory/2136-31-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2136-33-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2136-34-0x0000000000400000-0x000000000049F000-memory.dmp	upx
behavioral1/memory/2136-35-0x0000000000400000-0x000000000049F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xevyq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe
2136	sogeo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2088	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	30
PID 2388 wrote to memory of 2088	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	30
PID 2388 wrote to memory of 2088	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	30
PID 2388 wrote to memory of 2088	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	30
PID 2388 wrote to memory of 2688	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	31
PID 2388 wrote to memory of 2688	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	31
PID 2388 wrote to memory of 2688	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	31
PID 2388 wrote to memory of 2688	2388	3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe	31
PID 2088 wrote to memory of 2136	2088	xevyq.exe	34
PID 2088 wrote to memory of 2136	2088	xevyq.exe	34
PID 2088 wrote to memory of 2136	2088	xevyq.exe	34
PID 2088 wrote to memory of 2136	2088	xevyq.exe	34

C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe
"C:\Users\Admin\AppData\Local\Temp\3dc683089ba0a8c6626b3207768f820d39ac1bf7f038fd77fa8756e332531127.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\xevyq.exe
  "C:\Users\Admin\AppData\Local\Temp\xevyq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\sogeo.exe
    "C:\Users\Admin\AppData\Local\Temp\sogeo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

Filesize
340B

MD5
c001961ada7c141204643153156c6c16

SHA1
4276c08e03f962170b20c55a5dc3a21ccedb2efe

SHA256
2c72b51622aedea6c683214d41dd4ab978e8f81c7c8ff6aae0bbeaeb6e128045

SHA512
aa5d9c1292855875486abd83a8ced07d0592bcd68b1501510222e9136717c9606bea0fef86df095105149abe31e1c8a989d78ef8e92d1a1680da4cd5d0d0f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f88c7c5523de1e2bd4a16542290b11d3

SHA1
3e9da4527c174be76c8b2116744bb55e5273afbb

SHA256
e5eb8223b2e23e8163056a790f479a3d3bc242673a92328ae04ecb22b0093dc3

SHA512
799b6fc8fe912bbe3d23f7a3aba559b76cc8b0b72b5579246a9ea245c76551c48fe47a563ad51c763c64242a52cb7b64ae562844945d7a378bb7dd46a3370cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xevyq.exe

Filesize
467KB

MD5
cd5694d2b52c96c2513c6ba597b4fc5b

SHA1
43de5326f879045812aa7e2e599565f68b10bed9

SHA256
45f57a8fa7cf300ceb6684e1bdc4a5bd39e5646332b112a53efea9d82528567f

SHA512
53d63d7293cb7102db4e135fb0097633b07e03067651f322030353e9883ae7c39dcdbbee40c2d7e0dbbd24a11f85ff3e75ad3e506a9cf4b2de89d44a48bd4017

Download Submit
\Users\Admin\AppData\Local\Temp\sogeo.exe

Filesize
198KB

MD5
d9ab7f9c6a232294999df1f236b75971

SHA1
2562c7e35cc711ae99ea757833a86c19838cc466

SHA256
a06b0c7289302eb178a1916347ad155c2ac2c2b72e783a5f95e562e77f089723

SHA512
b14b1820420c55d0c0baa976a3e196d60753126808ed44d2320edb75f351af85f5df6dab890ececce76310f3f83a69475da89d66887daefb55ac91e95f4a82cd

Download Submit
memory/2088-22-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/2088-18-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/2088-30-0x0000000000040000-0x00000000000BC000-memory.dmp

Filesize
496KB

Download
memory/2088-28-0x0000000003040000-0x00000000030DF000-memory.dmp

Filesize
636KB

Download
memory/2136-31-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2136-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2136-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2136-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2388-16-0x0000000000B70000-0x0000000000BEC000-memory.dmp

Filesize
496KB

Download
memory/2388-21-0x0000000000A60000-0x0000000000ADC000-memory.dmp

Filesize
496KB

Download
memory/2388-0-0x0000000000B70000-0x0000000000BEC000-memory.dmp

Filesize
496KB

Download
memory/2388-17-0x0000000000A60000-0x0000000000ADC000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing