urelas | 87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a

General

Target

87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
Size

6.5MB
MD5

660c8c0eb2c2cfc06b8b41617b852b31
SHA1

709affacdea23355175f72bd66e3e00c59d01460
SHA256

87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a
SHA512

fe45a97d8043a59cd008643f3377425317ead3deda5a2f55dbf5577300ca94369f1c2792a1ac83d98ad55163f679531806e686161dcda4e5cd6b3dc78dafe059
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSM:i0LrA2kHKQHNk3og9unipQyOaOM

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	nyefa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ihgyec.exe

Executes dropped EXE 3 IoCs

pid	Process
2996	nyefa.exe
3788	ihgyec.exe
396	qoyms.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000000070b-64.dat	upx
behavioral2/memory/396-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/396-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoyms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyefa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihgyec.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
2996	nyefa.exe
2996	nyefa.exe
3788	ihgyec.exe
3788	ihgyec.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe
396	qoyms.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2996	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	83
PID 1876 wrote to memory of 2996	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	83
PID 1876 wrote to memory of 2996	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	83
PID 1876 wrote to memory of 4316	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	84
PID 1876 wrote to memory of 4316	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	84
PID 1876 wrote to memory of 4316	1876	87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe	84
PID 2996 wrote to memory of 3788	2996	nyefa.exe	86
PID 2996 wrote to memory of 3788	2996	nyefa.exe	86
PID 2996 wrote to memory of 3788	2996	nyefa.exe	86
PID 3788 wrote to memory of 396	3788	ihgyec.exe	103
PID 3788 wrote to memory of 396	3788	ihgyec.exe	103
PID 3788 wrote to memory of 396	3788	ihgyec.exe	103
PID 3788 wrote to memory of 3604	3788	ihgyec.exe	104
PID 3788 wrote to memory of 3604	3788	ihgyec.exe	104
PID 3788 wrote to memory of 3604	3788	ihgyec.exe	104

C:\Users\Admin\AppData\Local\Temp\87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe
"C:\Users\Admin\AppData\Local\Temp\87a44b811c66ec0204d7c9a75d4b172a8fb054a24d24f918ea98fdd10913cc6a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Users\Admin\AppData\Local\Temp\nyefa.exe
  "C:\Users\Admin\AppData\Local\Temp\nyefa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\ihgyec.exe
    "C:\Users\Admin\AppData\Local\Temp\ihgyec.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\qoyms.exe
      "C:\Users\Admin\AppData\Local\Temp\qoyms.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b5b4650dbaf46fb0d8ed56a9e0811bd2

SHA1
4f4f54bf0821d74879a5f821bb6671ea639a339d

SHA256
56a83659b3efe0a86db6a5e99aeedd0276860d6e2f0aa6069da3e9f830a57e4e

SHA512
73771670a65aaaf4cc73990356c72ce63778677246eaa05f88fe5bcc9776c0ee97b80a83dbaef6bfdf6034683991af277c0609a139b9d12d706dd9f8a58a422e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
304e83fe365b915f3e79e175d1cc6096

SHA1
e783303a09ab860594f6448e654ed1ad7f5fa877

SHA256
6e22f2d8b034cdd0d7362237d232a00cc9994c34c7a279bc8ab70b22946743b3

SHA512
b04b2ea6e23d6de84d676d6abbdb128098f4f2fde2fda8b3f528131f57b644c52c596f343a201c3bad77262b9ab623a2c1878339e340e0a259562759e28f5f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
095861b0fd519f5bffef00c2740f0e39

SHA1
b66e8ea45cd763a9edb63d67317aa8c3cc73dbe2

SHA256
cba2958e98b193fc5bf3ed26846a3f7fb02c935fc3a53d9a81de34acf0037662

SHA512
095bdcbe6848182a6f200bd5cd849205e5d47a77b23d4ff2cf1f3dbc165a948e3b43a48cd2b5b8c9a2a81f7976f27fe88871735883f7c36104f93d193f161ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nyefa.exe

Filesize
6.5MB

MD5
4f07c0348a09ea8b1f32668802229e55

SHA1
370c02fce9d1bf1561542e14bc2bf4b8a0008af5

SHA256
c2272f8c0e10ee0a2cf44510b859606d4be4f54a0545fa18dc3fecc266022b89

SHA512
c8be8928b47d2d0c17bd798746c5a6080fcba605035e4a396fd6bb8d7f9200ae671424359c7a775982f93180d54da7e071d8ad7c4d83de7ea825f2250062f9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoyms.exe

Filesize
459KB

MD5
9188df7f3dd1c7cface12e4a837fa197

SHA1
a2d0cbb9b020b450050245a19e4d151d92eb9797

SHA256
f050758bb162e3ea0bdb8a47932e31450863624f499112fcfd8e6769ff92a429

SHA512
391e8b24f8e4f7eaa89942c55deaab0f11d1903c53056b018f4e42a47a99216fb2c649bc7cc7f85596bcd352eec8323f01713f8ca36a6293a4ef60fe2b79733d

Download Submit
memory/396-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/396-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1876-6-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1876-2-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1876-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1876-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1876-4-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1876-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1876-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1876-5-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1876-7-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/1876-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/1876-8-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1876-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/1876-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-33-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/2996-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2996-30-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/2996-29-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/2996-28-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2996-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2996-34-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/2996-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/3788-52-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3788-49-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3788-50-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3788-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3788-53-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/3788-54-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/3788-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3788-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/3788-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3788-51-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing