urelas | 37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8a

General

Target

37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
Size

6.5MB
MD5

8f8a6a76809094b654f65f6107740d70
SHA1

60de680dcd7d55316c6c76eb683c1525f3eccfc0
SHA256

37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8a
SHA512

795479d31e006b162e1716623f13259e9ac1922fe48c5eeaa0f37b8b9665c85f3b2250014c8bb68561c7890a7742a18832420f14d95fb0012ea25313ce812c2b
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	lirexo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	kequm.exe

Executes dropped EXE 3 IoCs

pid	Process
4684	kequm.exe
3856	lirexo.exe
2360	hogay.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00020000000220f6-64.dat	upx
behavioral2/memory/2360-71-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2360-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hogay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kequm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lirexo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
4684	kequm.exe
4684	kequm.exe
3856	lirexo.exe
3856	lirexo.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe
2360	hogay.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4684	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	82
PID 816 wrote to memory of 4684	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	82
PID 816 wrote to memory of 4684	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	82
PID 816 wrote to memory of 3632	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	83
PID 816 wrote to memory of 3632	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	83
PID 816 wrote to memory of 3632	816	37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe	83
PID 4684 wrote to memory of 3856	4684	kequm.exe	85
PID 4684 wrote to memory of 3856	4684	kequm.exe	85
PID 4684 wrote to memory of 3856	4684	kequm.exe	85
PID 3856 wrote to memory of 2360	3856	lirexo.exe	95
PID 3856 wrote to memory of 2360	3856	lirexo.exe	95
PID 3856 wrote to memory of 2360	3856	lirexo.exe	95
PID 3856 wrote to memory of 1576	3856	lirexo.exe	96
PID 3856 wrote to memory of 1576	3856	lirexo.exe	96
PID 3856 wrote to memory of 1576	3856	lirexo.exe	96

C:\Users\Admin\AppData\Local\Temp\37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe
"C:\Users\Admin\AppData\Local\Temp\37ef62d5ffa78549aca9345730ecb37c6d6f74100fa889a92da092eff055bd8aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\kequm.exe
  "C:\Users\Admin\AppData\Local\Temp\kequm.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Users\Admin\AppData\Local\Temp\lirexo.exe
    "C:\Users\Admin\AppData\Local\Temp\lirexo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Users\Admin\AppData\Local\Temp\hogay.exe
      "C:\Users\Admin\AppData\Local\Temp\hogay.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b95b1f91601546cef22812aad0088e92

SHA1
49d8634affa3dbacec20ad468f49555cb329e9c5

SHA256
96911a6fbf0a43a102a213ea4d23c19e038700a2cc4257a3acd3107774096ea4

SHA512
c30042d67a0fe2e2160ef0a929b0156124df2092c87c8063160547b3e91cd17fcb44e061e37d6c7f2f7e1f55106b542e328563414d68d3488c267f792335f04b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
880995948981fccb71ad9e72c575160f

SHA1
cd1717578b57cdc3463df65a17990ca825928d67

SHA256
93fe67385671fac431b0ce410180317085f97e82d84b3255d0739892f817016c

SHA512
415d418abf9ecb86ce1b3a3d0439260c16a1bc211206bee7ec254c7962a019b639aec14f9b2e710903aac1f363acff8525463932b5b793009c2b892bb2f9b894

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5a7f41ad5788181d6d12066e1c1283f3

SHA1
2a4369704f02e2f31622fcdf6dcc96f8b4a91f27

SHA256
0ef2943ee40fa296d41d98ae1daa3abdf448436b4e12459e690d182a02a62e94

SHA512
e9a043a36c651ea6fbb5ffcfc8ddbcd1d37cfb40dd52869767eb80dcd95f052728059e81df2b5aed57943b302370d42771aa204957495072b60c04e1d39cc414

Download Submit
C:\Users\Admin\AppData\Local\Temp\hogay.exe

Filesize
459KB

MD5
4100ad74f0a5ff70857af62e3bf52bf4

SHA1
b7217c1d60c4d00031135ad7c312e016aac0a658

SHA256
18e0a9c8dd484c72793a02c7023cda7fb16599a8258a88278fc4181e397f25e4

SHA512
72d4c39c158125d16e156b39970a023b03ef9aba484b26a8a028a39ec2b5e101dd9275504d9b92c229dc9115ba46098f75bced8588fa66b6c654151bff15ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\kequm.exe

Filesize
6.5MB

MD5
a959c21eeab331992e461d2686d52b8f

SHA1
e42d47214272e5b77fc15a1731adc50bc1f0a53b

SHA256
19486e9de3622d7277ee9332119d416baea31be0d1fadc750618214a706f0852

SHA512
843003d6fc38d9c1269eded8e4b0cf39b7e672333dd048dfb709310cee2c20b791ac953b3b597ad896358c7797746e57f546be715aa6827f8de3803752a7e9bf

Download Submit
memory/816-6-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/816-8-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/816-3-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/816-2-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/816-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/816-5-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/816-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/816-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/816-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/816-7-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/816-4-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/816-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/816-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2360-71-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2360-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3856-52-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3856-50-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/3856-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3856-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3856-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3856-49-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/3856-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3856-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3856-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3856-51-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4684-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4684-34-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4684-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4684-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4684-32-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4684-31-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/4684-28-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4684-33-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4684-29-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4684-30-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4684-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing