urelas | a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280

General

Target

a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
Size

557KB
MD5

7fe3c05a108db999797fe06051691586
SHA1

2b44f9d07a02e336dc6c9742b064a21340cedc88
SHA256

a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280
SHA512

e95fb30851baba7b2076ddc18fcca1d63dbbb9c602082bab3c010073cdfeebe10a71c88c55601cbb84f175ac3a2f8d9ddbe7141c1b6ba208b8606ac33a24c471
SSDEEP

12288:zccNvdRExZGe+Q1nSoS++43x+l7QLiaEyT:znPfQp9L3olqFT

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2584	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3000	fuurr.exe
1032	nebyn.exe

Loads dropped DLL 2 IoCs

pid	Process
2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
3000	fuurr.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/files/0x0009000000016650-4.dat	upx
behavioral1/memory/2092-17-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3000-20-0x0000000000400000-0x00000000004B6000-memory.dmp	upx
behavioral1/memory/3000-26-0x0000000000400000-0x00000000004B6000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nebyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuurr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe
1032	nebyn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3000	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	30
PID 2092 wrote to memory of 3000	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	30
PID 2092 wrote to memory of 3000	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	30
PID 2092 wrote to memory of 3000	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	30
PID 2092 wrote to memory of 2584	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	31
PID 2092 wrote to memory of 2584	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	31
PID 2092 wrote to memory of 2584	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	31
PID 2092 wrote to memory of 2584	2092	a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe	31
PID 3000 wrote to memory of 1032	3000	fuurr.exe	34
PID 3000 wrote to memory of 1032	3000	fuurr.exe	34
PID 3000 wrote to memory of 1032	3000	fuurr.exe	34
PID 3000 wrote to memory of 1032	3000	fuurr.exe	34

C:\Users\Admin\AppData\Local\Temp\a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe
"C:\Users\Admin\AppData\Local\Temp\a5ca924b9f7adb89ca3ee2a87b65ef17f94ee3c47071157f3c421c87556a8280.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\fuurr.exe
  "C:\Users\Admin\AppData\Local\Temp\fuurr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\nebyn.exe
    "C:\Users\Admin\AppData\Local\Temp\nebyn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b3ce5c1b79472fa7760a9cc0061075e5

SHA1
821a121ce2e23654efa7771d65fbe33bbf096eea

SHA256
cd5eb434e04e6db59d9d7be262689599ae0217ee48a45483f347106eb6a9f005

SHA512
184dc97c249581b992a5d81d819e8aeacd93b30f355afb2b32bbd2e4cbece549ecfab409261ecd2575659f2fa85340e7abf940e275a7c1b16bb2b8343345d009

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb591212fbb645b52b20c060c317ac5d

SHA1
0112d70819f7b48d614055f80562153fe2d8646a

SHA256
2d70886cf3dac6f6f7a71044f95cf11bf5395ab1c16abeb5aebde0eec9e6d022

SHA512
bf5c3d30fdec563943275340d6ae7028d3e073bec5b9cd5330842fcd887ba4770724b06413ddf94a61e7404be252edd2d305a773b39346243bbbc30708d5cd9a

Download Submit
\Users\Admin\AppData\Local\Temp\fuurr.exe

Filesize
558KB

MD5
1e96dc724e43055efd6b40808c64b1c4

SHA1
b94b91b60e6760f009b18492682d98b491edd8fd

SHA256
13e1dd03ca72135b1f64e45201928fa588e5283c7e3cd34072221a146f4947b3

SHA512
3f4b04d400de983156663f967505999176a9692984dc60a4e3d940aaa392257f05f8a9c8f83d13f6fe76279870bb2bee9438e2b73b45be126ba3b893f6d8882b

Download Submit
\Users\Admin\AppData\Local\Temp\nebyn.exe

Filesize
194KB

MD5
0fc6f5b411f74260332aed07764dab87

SHA1
63038e85bde6cba8967ff1fb55968f54296cf7e1

SHA256
560e317fd12395230fe0e87c587f29aad4ac93756d583555b4765e09a375dd89

SHA512
685e24227fce0c740cf041c847971074e9158e3001884fe03447a01aa172f6419f498c955926387f39c48566c50ed956bfdfc937de9d27ba4011793284ccc90e

Download Submit
memory/1032-29-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1032-31-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/1032-32-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2092-17-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2092-6-0x0000000002A30000-0x0000000002AE6000-memory.dmp

Filesize
728KB

Download
memory/2092-0-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3000-20-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3000-26-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3000-27-0x0000000003C90000-0x0000000003D24000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing