urelas | f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5

General

Target

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Size

324KB
MD5

7c4be427fb9c0b704fc7836a0262b34c
SHA1

6d0aa5c39503a36d9f9e601c2614ace4aa6b169c
SHA256

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5
SHA512

8b6b78e1c78ac404ce18564d8c7c4b76b16915bce699567e002153201e649772baf8a3cd5e4ba5bf39a920ca778b3cd528ec91dd1c24db049e762664f0bb43d1
SSDEEP

6144:bNEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSxP:bNEo/6YnZVB1rkAqcNAzQCed7J1oSx

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2296 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

aqcui.exezuvob.exe

pid process

2932 aqcui.exe
636 zuvob.exe
Loads dropped DLL 2 IoCs

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exeaqcui.exe

pid process

2012 f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
2932 aqcui.exe

pid	process
2296	cmd.exe

pid	process
2932	aqcui.exe
636	zuvob.exe

pid	process
2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
2932	aqcui.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\aqcui.exe	upx
behavioral1/memory/2932-19-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2012-17-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2932-23-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral1/memory/2932-41-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\aqcui.exe	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exeaqcui.execmd.exezuvob.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqcui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuvob.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

zuvob.exe

pid	process
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe
636	zuvob.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exeaqcui.exe

description	pid	process	target process
PID 2012 wrote to memory of 2932	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	aqcui.exe
PID 2012 wrote to memory of 2932	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	aqcui.exe
PID 2012 wrote to memory of 2932	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	aqcui.exe
PID 2012 wrote to memory of 2932	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	aqcui.exe
PID 2012 wrote to memory of 2296	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 2012 wrote to memory of 2296	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 2012 wrote to memory of 2296	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 2012 wrote to memory of 2296	2012	f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe	cmd.exe
PID 2932 wrote to memory of 636	2932	aqcui.exe	zuvob.exe
PID 2932 wrote to memory of 636	2932	aqcui.exe	zuvob.exe
PID 2932 wrote to memory of 636	2932	aqcui.exe	zuvob.exe
PID 2932 wrote to memory of 636	2932	aqcui.exe	zuvob.exe

C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe
"C:\Users\Admin\AppData\Local\Temp\f5da0f18b7517c6daae158d22eef9b377f026eb5b0e141cc943b331cea47def5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\aqcui.exe
  "C:\Users\Admin\AppData\Local\Temp\aqcui.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\zuvob.exe
    "C:\Users\Admin\AppData\Local\Temp\zuvob.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
5c7b95813b0009e4849f172569ed117e

SHA1
10980ae3b2453ee58a5191caf8fb6ff1dac86c68

SHA256
1fc3e49feaca9eb385ee025f60a87d712726ea29956fff47be3c30ce255e8fb6

SHA512
b5be4e6c57234b812c3903ebb551c8aea65c709c23e8e254c7bdb0144b1e54ef525e45d5a361b087cf0621b64654f5ead75d07d60ba4d0b0f2730318a588cb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqcui.exe

Filesize
324KB

MD5
d02256ccc1a4660562aff3c81b58b6de

SHA1
71979c79761114a573fa18b5f82af09b92cb3461

SHA256
e7deb984dcc5da90d428e774a13c2e01436175a6da62a60194125a66414c457f

SHA512
9afbb8d85c6186d356f34d2024ba459229fb249950c93f0597a30c61dddfa59f874d343610729bfa1c7b08f517c1ddb64fc17b31089ecc87d9ecc4f0106b7b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e59719f132efbc3091ce9213bd42d53c

SHA1
0e875d93bca08ca9c1fa305055745357d6fff9ca

SHA256
ca1766dab39c6b4d3bd64bdd8be9d5390e2d8ba4398a61362ec2cd49ff9cfd33

SHA512
872cc2dc8e82f3b60bca33bddd255c744ab230dedfa3cfed130a414df9cb0d7d6caaa9888183c00b5c253a87814d9353123cd52f8027f34ab77287d0fef86d28

Download Submit
\Users\Admin\AppData\Local\Temp\aqcui.exe

Filesize
324KB

MD5
1abe36c795208cd80653a23d32544bb1

SHA1
f10a235aa198f45905679e88d539be336e01c115

SHA256
cd21648efa0f66100432c3870234cc54f6c060c544d750d65039eeec31fa2c75

SHA512
cf18d5edaf69e885eab7b20ab244ae71f1fa9b2e8dd52fe2f8c8c1f2adfd5de0de0b0ef5977b437046f8e9b473c6b060cbbca310fd87502294d43e44108f12f7

Download Submit
\Users\Admin\AppData\Local\Temp\zuvob.exe

Filesize
241KB

MD5
0802cae28184e4156124a0fd5e9061d7

SHA1
3185ab85f735bb006d8d696c17b25f57ad862ebf

SHA256
338cdcf3b7b10a03cc49418d79d634331d9f7630c1c0f451b923fc077e3be7d2

SHA512
050617966cdcf6f1a2d389601beef5ce4120706bdce2d87460bad28d7578a7078e41fe548daa7ecc59bee94729faeba20201903369be62e2e154da64449dc7b6

Download Submit
memory/636-46-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/636-48-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/636-42-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/636-47-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/636-49-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/636-45-0x0000000000850000-0x0000000000906000-memory.dmp

Filesize
728KB

Download
memory/2012-17-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2012-18-0x0000000002250000-0x00000000022D9000-memory.dmp

Filesize
548KB

Download
memory/2012-22-0x0000000002250000-0x00000000022D9000-memory.dmp

Filesize
548KB

Download
memory/2012-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2932-23-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2932-41-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2932-37-0x0000000003C20000-0x0000000003CD6000-memory.dmp

Filesize
728KB

Download
memory/2932-19-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads