urelas | 2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0

General

Target

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Size

6.5MB
MD5

b02b00a0296a4ef74579e2c7b9c97de5
SHA1

efb2b78bf3c740b8e959ccb119e69016289c6209
SHA256

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0
SHA512

462343769bf21260b34a27dbb8151c25623dd181f78cd845d7258f2da135d38b1a019ebd34e45842c9449ac003984ca64902d69baf78e8234c7b0f19713115d7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSi:i0LrA2kHKQHNk3og9unipQyOaOi

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2944	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2808	dosut.exe
2108	kaqecu.exe
3048	vozew.exe

Loads dropped DLL 5 IoCs

pid	Process
2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2808	dosut.exe
2808	dosut.exe
2108	kaqecu.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016da7-156.dat	upx
behavioral1/memory/2108-158-0x0000000004800000-0x0000000004999000-memory.dmp	upx
behavioral1/memory/3048-162-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/3048-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dosut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaqecu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vozew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2808	dosut.exe
2108	kaqecu.exe
3048	vozew.exe
3048	vozew.exe
3048	vozew.exe
3048	vozew.exe
3048	vozew.exe
3048	vozew.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2808	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2860 wrote to memory of 2808	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2860 wrote to memory of 2808	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2860 wrote to memory of 2808	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2860 wrote to memory of 2944	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2860 wrote to memory of 2944	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2860 wrote to memory of 2944	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2860 wrote to memory of 2944	2860	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2808 wrote to memory of 2108	2808	dosut.exe	33
PID 2808 wrote to memory of 2108	2808	dosut.exe	33
PID 2808 wrote to memory of 2108	2808	dosut.exe	33
PID 2808 wrote to memory of 2108	2808	dosut.exe	33
PID 2108 wrote to memory of 3048	2108	kaqecu.exe	35
PID 2108 wrote to memory of 3048	2108	kaqecu.exe	35
PID 2108 wrote to memory of 3048	2108	kaqecu.exe	35
PID 2108 wrote to memory of 3048	2108	kaqecu.exe	35
PID 2108 wrote to memory of 1700	2108	kaqecu.exe	36
PID 2108 wrote to memory of 1700	2108	kaqecu.exe	36
PID 2108 wrote to memory of 1700	2108	kaqecu.exe	36
PID 2108 wrote to memory of 1700	2108	kaqecu.exe	36

C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
"C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\dosut.exe
  "C:\Users\Admin\AppData\Local\Temp\dosut.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\kaqecu.exe
    "C:\Users\Admin\AppData\Local\Temp\kaqecu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Local\Temp\vozew.exe
      "C:\Users\Admin\AppData\Local\Temp\vozew.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
1f8bb15b7e8e230fa8462286d3038139

SHA1
417de0d18959888cd88876e8602d489f1aced27a

SHA256
901b449c197c62e52984d29c9ca843255be9c775c9b5acc8831dafa98bea9c6d

SHA512
4a54f1aba15314b6cf962a1ca61365304368c85024477f9a48f2a7b011195c14fadd663724edaa2bed044feccc35c92cc2787a5e3a6a5817e35ae269061b7635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a4c3ec95e0a3ea35f1f5e1606b39f74a

SHA1
8433ce2f9a01ca5065e35d4029e69a04751df69c

SHA256
b43823c0cc0568580d4c88db72a3252872a609446b0d4d2a5c9e48d587de3250

SHA512
523f6e191417f267369f863539cf7bcbbc6d277508cd9fbc47a00891ada3934dbb8ad049b8fffd03b83c9846e60492450648d024f91acbbb30dcfc4174f309db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
812a382a5281df98c70e7f3d1c7b67d1

SHA1
a7ea7e16198692b09c757fce8eab1045e0416927

SHA256
dc80ba5e67f363a19b319e7e88ac2da994b0b5b2c284a43b8b602e7e7643695a

SHA512
39b060b260343ba8c266aa4d8ded7e8a9e689c3fa0c0b65497dd1298a5161f204da84df0b15edc44c1117147348092f3bf52ed9ccd5adc51725b3e3c89d46086

Download Submit
\Users\Admin\AppData\Local\Temp\dosut.exe

Filesize
6.5MB

MD5
f2d6c8d18e2b79e6eda80189f871e888

SHA1
25832ebee8be642fcd953c3c3a5ba3665ef55237

SHA256
63bf095f8b65200794f53d35ef7f3ce9a2c3e12fda1c7c8f576062924411eadf

SHA512
68bc82f418a634d19d38300fb3f019df2ea7943eff2a9adfdf8aa88e9d502d574b2bbc06691e08190d300f214eb99dd134677d4f7a9671111e83f62d624a669a

Download Submit
\Users\Admin\AppData\Local\Temp\vozew.exe

Filesize
459KB

MD5
926681e255e3fffe41233a0fd17bb2e1

SHA1
1a71f872b718fcb148579f276294a2671c374287

SHA256
5e6f3edaccb604e66e4fc8e43c50d2fe5d3f774458ec2c0789be708333b39e1e

SHA512
92602fda57f88a227bc5963b41152bb657979b6a0854a158fcda92940698081ca1d532b0b4e7094021fdf0cd05d7eecff18ab7999578c708c97820b1e3d0d5b7

Download Submit
memory/2108-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2108-158-0x0000000004800000-0x0000000004999000-memory.dmp

Filesize
1.6MB

Download
memory/2108-152-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2808-113-0x0000000004380000-0x0000000004E6C000-memory.dmp

Filesize
10.9MB

Download
memory/2808-110-0x0000000004380000-0x0000000004E6C000-memory.dmp

Filesize
10.9MB

Download
memory/2808-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-20-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2860-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2860-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-57-0x0000000003FB0000-0x0000000004A9C000-memory.dmp

Filesize
10.9MB

Download
memory/2860-58-0x0000000003FB0000-0x0000000004A9C000-memory.dmp

Filesize
10.9MB

Download
memory/2860-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-62-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2860-18-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2860-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-23-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2860-25-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2860-28-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2860-30-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2860-33-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2860-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2860-35-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2860-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3048-162-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3048-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing