urelas | ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd

General

Target

ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe
Size

543KB
MD5

cdf2e902b453c3dccc1658655f7caad3
SHA1

441bb83238e980f4d3f41f7c69d61de319be3923
SHA256

ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd
SHA512

60af098d0bb5f263889b99bbf2a1efedaec793c63a8a5794f2df96a36dcee8e337b556e63c13c24076e6f086aa3129e2bfc8cd37e4d8d890119cce7180764638
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuX:92SLi70T7Mifjg

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	iwcuu.exe
1692	kyluk.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe
2392	iwcuu.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x002c000000015d0e-4.dat	upx
behavioral1/memory/2932-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2392-19-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2392-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iwcuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyluk.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe
1692	kyluk.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2392	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	30
PID 2932 wrote to memory of 2392	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	30
PID 2932 wrote to memory of 2392	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	30
PID 2932 wrote to memory of 2392	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	30
PID 2932 wrote to memory of 2944	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	31
PID 2932 wrote to memory of 2944	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	31
PID 2932 wrote to memory of 2944	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	31
PID 2932 wrote to memory of 2944	2932	ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe	31
PID 2392 wrote to memory of 1692	2392	iwcuu.exe	34
PID 2392 wrote to memory of 1692	2392	iwcuu.exe	34
PID 2392 wrote to memory of 1692	2392	iwcuu.exe	34
PID 2392 wrote to memory of 1692	2392	iwcuu.exe	34

C:\Users\Admin\AppData\Local\Temp\ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe
"C:\Users\Admin\AppData\Local\Temp\ebb3346fdc9188a6d772b7bc5152b599a775b86d257a99c249d1146a22755afd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Users\Admin\AppData\Local\Temp\iwcuu.exe
  "C:\Users\Admin\AppData\Local\Temp\iwcuu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\kyluk.exe
    "C:\Users\Admin\AppData\Local\Temp\kyluk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f31aece61160d8cabfae378b8c7c2d11

SHA1
6daa126c4fa424c275543531892d53aeee999d7c

SHA256
e1043843a439432f794ed187edd8889ff876e752969719dfaa7f98c1a83524df

SHA512
082ade7faddca5fda620bcf92c10ad514f9aec865fd8df329dc98326fc2cdad1522d93c646ca65a58bb3b385fca4613cf1eeea11d672f811e77935d1133bf664

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cf171302d0a131cfaeb961331583890e

SHA1
e1d929b7f96cf3f59775485241eded6ab1b9ef54

SHA256
d1eef99492d587f6e10aa96c90c9bfaa41106b2b07bd02bd760c46826b29b42c

SHA512
45b3c2c114968dbee527b798254dfad73ef747fd1060d7b03a7eca7941c03d8bc962dee08d614feab48ecbbd7c4d4f492583fd130dffb82038ff26045e6861e8

Download Submit
\Users\Admin\AppData\Local\Temp\iwcuu.exe

Filesize
543KB

MD5
2c0c3cad7c011e9141dc3771739e516c

SHA1
51013cc2b4784c2e9365093b896922f47825667f

SHA256
fdffe6e076f8aec30a5c59b0a6982149bbe40603510b9405dc45eb7c88342943

SHA512
a99db60672ae38366ba1bee754c1efb3511a4daa119761b4b021650a6b80e236b27838b29f36f474eeeb17145f28d159c5557975ef383aa33832d09bdbc63913

Download Submit
\Users\Admin\AppData\Local\Temp\kyluk.exe

Filesize
230KB

MD5
98017645a67696fa65860ac824bb005e

SHA1
8b1f2cc40205dce42d75c417e24434842fdc9c29

SHA256
3affeeda1c6e130659db4e6bb2b2c7e1c39caeffb9b6a454e048dec5535f808b

SHA512
05ac16337bb45f1d650f7706106b86dd7b2da4026d600424c9439536f71e446792165ef4299d1624a56a844674695499832ee03a56d79fa08b42045bb364d0fd

Download Submit
memory/1692-27-0x0000000000E00000-0x0000000000EB3000-memory.dmp

Filesize
716KB

Download
memory/1692-29-0x0000000000E00000-0x0000000000EB3000-memory.dmp

Filesize
716KB

Download
memory/1692-30-0x0000000000E00000-0x0000000000EB3000-memory.dmp

Filesize
716KB

Download
memory/2392-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2392-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2932-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2932-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing