urelas | 2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Size

6.5MB
MD5

b02b00a0296a4ef74579e2c7b9c97de5
SHA1

efb2b78bf3c740b8e959ccb119e69016289c6209
SHA256

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0
SHA512

462343769bf21260b34a27dbb8151c25623dd181f78cd845d7258f2da135d38b1a019ebd34e45842c9449ac003984ca64902d69baf78e8234c7b0f19713115d7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSi:i0LrA2kHKQHNk3og9unipQyOaOi

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2708	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2988	dijus.exe
2084	ruqave.exe
1740	zotef.exe

Loads dropped DLL 5 IoCs

pid	Process
2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2988	dijus.exe
2988	dijus.exe
2084	ruqave.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001949d-156.dat	upx
behavioral1/memory/1740-162-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/2084-160-0x00000000045E0000-0x0000000004779000-memory.dmp	upx
behavioral1/memory/1740-174-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dijus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruqave.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zotef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2988	dijus.exe
2084	ruqave.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe
1740	zotef.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2988	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2164 wrote to memory of 2988	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2164 wrote to memory of 2988	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2164 wrote to memory of 2988	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	30
PID 2164 wrote to memory of 2708	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2164 wrote to memory of 2708	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2164 wrote to memory of 2708	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2164 wrote to memory of 2708	2164	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	31
PID 2988 wrote to memory of 2084	2988	dijus.exe	33
PID 2988 wrote to memory of 2084	2988	dijus.exe	33
PID 2988 wrote to memory of 2084	2988	dijus.exe	33
PID 2988 wrote to memory of 2084	2988	dijus.exe	33
PID 2084 wrote to memory of 1740	2084	ruqave.exe	35
PID 2084 wrote to memory of 1740	2084	ruqave.exe	35
PID 2084 wrote to memory of 1740	2084	ruqave.exe	35
PID 2084 wrote to memory of 1740	2084	ruqave.exe	35
PID 2084 wrote to memory of 2412	2084	ruqave.exe	36
PID 2084 wrote to memory of 2412	2084	ruqave.exe	36
PID 2084 wrote to memory of 2412	2084	ruqave.exe	36
PID 2084 wrote to memory of 2412	2084	ruqave.exe	36

C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
"C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\dijus.exe
  "C:\Users\Admin\AppData\Local\Temp\dijus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\ruqave.exe
    "C:\Users\Admin\AppData\Local\Temp\ruqave.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Local\Temp\zotef.exe
      "C:\Users\Admin\AppData\Local\Temp\zotef.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
7482bee7e513b11e91b8e7b21cd30031

SHA1
76296376d2436736587ccc6d6272c7d706445d87

SHA256
56ab7bc97db9cf7d20c79c8b11271bb34f61df5b9e0ca1a91f729fe79cffdf92

SHA512
68a40e13e267b3944b0dc15f4c88681fdda4e9bd1a9f140c8377ee45dd7f73a39ef6e029c955c46314f5eeed678f3b5f3873193849fd8843c6c3edd97bbef086

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a4c3ec95e0a3ea35f1f5e1606b39f74a

SHA1
8433ce2f9a01ca5065e35d4029e69a04751df69c

SHA256
b43823c0cc0568580d4c88db72a3252872a609446b0d4d2a5c9e48d587de3250

SHA512
523f6e191417f267369f863539cf7bcbbc6d277508cd9fbc47a00891ada3934dbb8ad049b8fffd03b83c9846e60492450648d024f91acbbb30dcfc4174f309db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
91e89ca8884698302836effc6caee500

SHA1
fcdb87f1baa55c85bbb64bd0ac3d419af3b6f2fd

SHA256
cf3f8d60748c266d7697882a2e49f3982f7f821f948626369c8c6c5d9859206a

SHA512
d686c9cff92ad266c2f1177f4a83b6f50436401b70e19bb06106f195d4c68d65aec5d5ffd2696c394dc9e03760703a1e6ae25868200d4fc09f659c64a8062adb

Download Submit
\Users\Admin\AppData\Local\Temp\dijus.exe

Filesize
6.5MB

MD5
ba5bb805a4777bdb505caafdb9c8aa96

SHA1
0e41dda9707247255a7d1904c764e4360c9f383b

SHA256
e7b94b24855f45c7da2b7c0ca4c23cb0ecf67663ca7282d6d71fc68af3bfd4eb

SHA512
4a185915fe55a4621d9c302601c21aea2d4020f5189c6fbc109a028264477bf684b5c1c29af32d7bae5e1d1dde8e88d9e489c689a31e6f7553ad3f631eb4a843

Download Submit
\Users\Admin\AppData\Local\Temp\zotef.exe

Filesize
459KB

MD5
5649b20dba83fa4e94ce7027e3c4acd3

SHA1
2e77a0ea9bd0ae5c388baf1197fa21083e03962f

SHA256
2dcbb998694f666a543404c23fb11ba9706e53f31ba8bf0050ac191807213e54

SHA512
453c30ecb0d6cfbff39d19aa7b700fde052f134afbc2254c8fb7f019115b6712904edbece0cb90353832d0548de7cf48d703916e1c4f231575357c7fc7a60c14

Download Submit
memory/1740-174-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1740-162-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2084-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2084-160-0x00000000045E0000-0x0000000004779000-memory.dmp

Filesize
1.6MB

Download
memory/2084-152-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2164-15-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2164-20-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2164-13-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2164-11-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2164-10-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2164-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2164-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2164-5-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2164-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2164-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2164-59-0x0000000004150000-0x0000000004C3C000-memory.dmp

Filesize
10.9MB

Download
memory/2164-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2164-25-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2164-57-0x0000000004150000-0x0000000004C3C000-memory.dmp

Filesize
10.9MB

Download
memory/2164-63-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2164-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2164-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2164-37-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2164-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2164-23-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2164-35-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2164-33-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2164-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2164-28-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2988-89-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2988-69-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2988-67-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2988-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2988-111-0x00000000042A0000-0x0000000004D8C000-memory.dmp

Filesize
10.9MB

Download
memory/2988-72-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-74-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2988-77-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2988-79-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2988-87-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2988-82-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2988-84-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2988-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download