urelas | 2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0

General

Target

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Size

6.5MB
MD5

b02b00a0296a4ef74579e2c7b9c97de5
SHA1

efb2b78bf3c740b8e959ccb119e69016289c6209
SHA256

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0
SHA512

462343769bf21260b34a27dbb8151c25623dd181f78cd845d7258f2da135d38b1a019ebd34e45842c9449ac003984ca64902d69baf78e8234c7b0f19713115d7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSi:i0LrA2kHKQHNk3og9unipQyOaOi

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	hiunto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	hutai.exe

Executes dropped EXE 3 IoCs

pid	Process
4412	hutai.exe
368	hiunto.exe
2056	niipg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000709-66.dat	upx
behavioral2/memory/2056-72-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/2056-77-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hutai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hiunto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niipg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
4412	hutai.exe
4412	hutai.exe
368	hiunto.exe
368	hiunto.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe
2056	niipg.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 4412	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 3492 wrote to memory of 4412	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 3492 wrote to memory of 4412	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 3492 wrote to memory of 3808	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 3492 wrote to memory of 3808	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 3492 wrote to memory of 3808	3492	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 4412 wrote to memory of 368	4412	hutai.exe	86
PID 4412 wrote to memory of 368	4412	hutai.exe	86
PID 4412 wrote to memory of 368	4412	hutai.exe	86
PID 368 wrote to memory of 2056	368	hiunto.exe	103
PID 368 wrote to memory of 2056	368	hiunto.exe	103
PID 368 wrote to memory of 2056	368	hiunto.exe	103
PID 368 wrote to memory of 3260	368	hiunto.exe	104
PID 368 wrote to memory of 3260	368	hiunto.exe	104
PID 368 wrote to memory of 3260	368	hiunto.exe	104

C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
"C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\hutai.exe
  "C:\Users\Admin\AppData\Local\Temp\hutai.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\hiunto.exe
    "C:\Users\Admin\AppData\Local\Temp\hiunto.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Users\Admin\AppData\Local\Temp\niipg.exe
      "C:\Users\Admin\AppData\Local\Temp\niipg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
282098bdc9beb730e3c63dedee02896d

SHA1
fedc685b7b6ef60a285a1c4efa8f38594201fd67

SHA256
30aada39f0b857d5fa3430f4f386771948d3016e179bd8dabfd6cff76b8d3b75

SHA512
3c8269a979dfcdcbee307c8a9191ff7c8a086079e88c3bd3b4954ee3198ae076d97fe52e96525a25926eabf22453d46fa2aba9ab9b744cc67d3d5e27b3485e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a4c3ec95e0a3ea35f1f5e1606b39f74a

SHA1
8433ce2f9a01ca5065e35d4029e69a04751df69c

SHA256
b43823c0cc0568580d4c88db72a3252872a609446b0d4d2a5c9e48d587de3250

SHA512
523f6e191417f267369f863539cf7bcbbc6d277508cd9fbc47a00891ada3934dbb8ad049b8fffd03b83c9846e60492450648d024f91acbbb30dcfc4174f309db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4b1c3191ee3cacc534b8c6c53da13623

SHA1
8593527d9739a2c7478ba3aa3e9385bdca548463

SHA256
15cff8d5b8e5ffde0db150044c74d9d39105c3920e7beffd21af970f0a107d86

SHA512
3849debd3c211bb0f05d206f3cc8e9c9e1e274c162ff776152df1f4a3956224ca56c0071c504ecbfb0ef2921d1b7c27228434f91bed0f09976ffa08964a12b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hutai.exe

Filesize
6.5MB

MD5
2f444163cbcb387e409b680224e37a09

SHA1
4d2649e40f40a5f89f942bf2d0bf1ecc5b50cd19

SHA256
bc7f042e861ce7d1aac2fd0ae745ff767adf3ac2503ebc09b10d0f79ec78dc60

SHA512
f9978e4b4ca14e0bf36cac92b2ffb3f0cff47136fa6838bbf4776a3c40a50c24eed7cbd49483ca2cabe8481c0e94b5d8a3bd58d1ff01a34e3f12c6a98f116588

Download Submit
C:\Users\Admin\AppData\Local\Temp\niipg.exe

Filesize
459KB

MD5
5064ac6cf3dcb9da002251125e07dceb

SHA1
7e17b45bb1d1914ac6020e1c1b1675e15bfa4726

SHA256
4172bda462ee98e17a158048ba1b88797b45004275ef887aedcac303db659bc2

SHA512
f6f8d1ab95895530b11d76fa6131f381acc8e8ab80223086b4df0a9ed1a8faaa4b170f557ad92acb9626f8e0e4fbda77bacb520bbfe695516b889033c1e2ce18

Download Submit
memory/368-60-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/368-74-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/368-57-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/368-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/368-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2056-72-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2056-77-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3492-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-5-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3492-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-2-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3492-3-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3492-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-4-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3492-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/3492-6-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3492-7-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/3492-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-8-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/3492-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/3492-1-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/4412-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4412-50-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4412-29-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4412-30-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4412-31-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/4412-33-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/4412-34-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4412-35-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/4412-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4412-27-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing