urelas | 2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0

General

Target

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Size

6.5MB
MD5

b02b00a0296a4ef74579e2c7b9c97de5
SHA1

efb2b78bf3c740b8e959ccb119e69016289c6209
SHA256

2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0
SHA512

462343769bf21260b34a27dbb8151c25623dd181f78cd845d7258f2da135d38b1a019ebd34e45842c9449ac003984ca64902d69baf78e8234c7b0f19713115d7
SSDEEP

98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSi:i0LrA2kHKQHNk3og9unipQyOaOi

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ifzabi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	xitaq.exe

Executes dropped EXE 3 IoCs

pid	Process
4796	xitaq.exe
2664	ifzabi.exe
1604	vajop.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000000709-64.dat	upx
behavioral2/memory/1604-70-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/1604-75-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vajop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xitaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ifzabi.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
4796	xitaq.exe
4796	xitaq.exe
2664	ifzabi.exe
2664	ifzabi.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe
1604	vajop.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 4796	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 2288 wrote to memory of 4796	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 2288 wrote to memory of 4796	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	83
PID 2288 wrote to memory of 2224	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 2288 wrote to memory of 2224	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 2288 wrote to memory of 2224	2288	2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe	84
PID 4796 wrote to memory of 2664	4796	xitaq.exe	86
PID 4796 wrote to memory of 2664	4796	xitaq.exe	86
PID 4796 wrote to memory of 2664	4796	xitaq.exe	86
PID 2664 wrote to memory of 1604	2664	ifzabi.exe	101
PID 2664 wrote to memory of 1604	2664	ifzabi.exe	101
PID 2664 wrote to memory of 1604	2664	ifzabi.exe	101
PID 2664 wrote to memory of 3160	2664	ifzabi.exe	102
PID 2664 wrote to memory of 3160	2664	ifzabi.exe	102
PID 2664 wrote to memory of 3160	2664	ifzabi.exe	102

C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe
"C:\Users\Admin\AppData\Local\Temp\2bdcba71006b2955fece1f73cf42078446825deabc1a7758109ac724401728c0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\xitaq.exe
  "C:\Users\Admin\AppData\Local\Temp\xitaq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\ifzabi.exe
    "C:\Users\Admin\AppData\Local\Temp\ifzabi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\vajop.exe
      "C:\Users\Admin\AppData\Local\Temp\vajop.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9d1ce865ac5a4ee8818bdf90db1e4331

SHA1
9f2cf508b22b4ff9a9a6a4b4f56c40e82be17d80

SHA256
938aa119df4f7ad6bfc262d3b4465b46c2b33f9e70175ea90ebc344be982eadc

SHA512
1d8c1a05385613efd665535f6901a1c0c390117f65577b2e0227853e09e63d3a699905331de97da3172da27c1e357f9cf3404e7ab49aa4b74f9f9c5d87b68f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a4c3ec95e0a3ea35f1f5e1606b39f74a

SHA1
8433ce2f9a01ca5065e35d4029e69a04751df69c

SHA256
b43823c0cc0568580d4c88db72a3252872a609446b0d4d2a5c9e48d587de3250

SHA512
523f6e191417f267369f863539cf7bcbbc6d277508cd9fbc47a00891ada3934dbb8ad049b8fffd03b83c9846e60492450648d024f91acbbb30dcfc4174f309db

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ad41a021bfbbfdcc4853cbc60465abae

SHA1
053e68891ae06f04787863511f0a60fabe2925e4

SHA256
46ca682c946b3f048f5e6c6e4817fcebf372a21caf53272bc2eca02d600de1fe

SHA512
af63c1744215a88e808384f4d972ed00555790b6d8735e63854c56b90eebcbd1cc45e487680d6072748cdcf22794b5eb010641485ec3427f51d9995a3e7805a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vajop.exe

Filesize
459KB

MD5
dbeff7621eb4c185811b60436037fa52

SHA1
dd1f5f9f601d0a2fcae1aa68d4b0f12b25e4ebd7

SHA256
c6b27e4f0ec8e8d652f929c874ce5b6fe22efc773268c26a9f6708cbd1b1d17e

SHA512
39d11f6995a8adb7de152aa538c07b3907d1ab5780ac2a08bfd24ca2547b6f4127876eab7eadc0dee92316ba1e6255fc339cbb34f310bcde402edf675fd13ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\xitaq.exe

Filesize
6.5MB

MD5
246c4359e16a29f22b3a2ed0b9cd6ba2

SHA1
24c8788d257f852cc379e2a4cca5118c0613e7c8

SHA256
0e60a24702abd39892acc555285bc5b067f19cd7b99a9177506a1972b363b747

SHA512
42bd86e166fac3d62204a5959c54f292fec726e95608a6b9c0c3714f072c02db03939edf57784c5e163c9da5d174ecb202d9ebef83972387f0ab2bea20f35d8a

Download Submit
memory/1604-70-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/1604-75-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2288-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2288-6-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/2288-5-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2288-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2288-7-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2288-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2288-26-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2288-8-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/2288-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2288-4-0x0000000000526000-0x000000000087A000-memory.dmp

Filesize
3.3MB

Download
memory/2288-1-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2288-2-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2288-3-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2664-54-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2664-53-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/2664-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2664-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2664-49-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2664-50-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/2664-51-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2664-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/2664-55-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2664-52-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4796-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4796-32-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/4796-30-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4796-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4796-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4796-28-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4796-33-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/4796-34-0x0000000002B90000-0x0000000002B91000-memory.dmp

Filesize
4KB

Download
memory/4796-29-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4796-31-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4796-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download
memory/4796-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

Filesize
10.9MB

Download

Analysis

Sharing