urelas | e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43

General

Target

e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
Size

1.1MB
MD5

3ea5026ec897195801d5004d320e74d5
SHA1

0f7fb2862e10be5c378767e944dd9bd834ef8930
SHA256

e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43
SHA512

fa747cae0042f143989ef85f6fa9cf5aff1987d0358e01db456d65b69d977028bc174a692fd4576a285e55ac513c9dbe23052ad205f46ab78bc51451e8fb847b
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YR:tcykpY5852j6aJGl5cqB2

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2624	avyja.exe
1476	kineqa.exe
2908	kociy.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
2624	avyja.exe
2624	avyja.exe
1476	kineqa.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-47-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral1/memory/1476-46-0x0000000003AE0000-0x0000000003C79000-memory.dmp	upx
behavioral1/files/0x00090000000165c7-45.dat	upx
behavioral1/memory/2908-59-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avyja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kineqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kociy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe
2908	kociy.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2624	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	30
PID 2412 wrote to memory of 2624	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	30
PID 2412 wrote to memory of 2624	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	30
PID 2412 wrote to memory of 2624	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	30
PID 2412 wrote to memory of 1740	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	31
PID 2412 wrote to memory of 1740	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	31
PID 2412 wrote to memory of 1740	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	31
PID 2412 wrote to memory of 1740	2412	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	31
PID 2624 wrote to memory of 1476	2624	avyja.exe	33
PID 2624 wrote to memory of 1476	2624	avyja.exe	33
PID 2624 wrote to memory of 1476	2624	avyja.exe	33
PID 2624 wrote to memory of 1476	2624	avyja.exe	33
PID 1476 wrote to memory of 2908	1476	kineqa.exe	35
PID 1476 wrote to memory of 2908	1476	kineqa.exe	35
PID 1476 wrote to memory of 2908	1476	kineqa.exe	35
PID 1476 wrote to memory of 2908	1476	kineqa.exe	35
PID 1476 wrote to memory of 2028	1476	kineqa.exe	36
PID 1476 wrote to memory of 2028	1476	kineqa.exe	36
PID 1476 wrote to memory of 2028	1476	kineqa.exe	36
PID 1476 wrote to memory of 2028	1476	kineqa.exe	36

C:\Users\Admin\AppData\Local\Temp\e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
"C:\Users\Admin\AppData\Local\Temp\e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\avyja.exe
  "C:\Users\Admin\AppData\Local\Temp\avyja.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Local\Temp\kineqa.exe
    "C:\Users\Admin\AppData\Local\Temp\kineqa.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\kociy.exe
      "C:\Users\Admin\AppData\Local\Temp\kociy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
797ad590479bcdf0afa31a9cb3b80328

SHA1
9ece1288f148d1760996194b917d87860491f2f9

SHA256
7d52b72ea59395448de6c05ca6d9e381b0d8d8e790a21069d68ec61ca91d2f17

SHA512
e50d127cae679ed76ff6ff6825b72bd405d491daeaa0444f7a7c4cfba1d9b5c7d138e506e10d83fbcb265ed607a84c00322197c878b0a124341fedc2c1e06b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ba7ee37db95932e92ae4ca23b3eea35b

SHA1
008692f6f84817eee187bf4356abc05d4da510d9

SHA256
f1755bc82e9d27a382cf8865f84b7b848b0a75ffa115b2eaaea6c266721937e5

SHA512
8397404bebe41bec6d42f9d485a2688e623c44faac8bb38354d066825008b1ff4915ad2060ed88a680b62f15e7fba45a84be1ee9bd165db5493fa820726b3af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
aab1ea2db633b42d55997adb25ab02d9

SHA1
3953866b85b1fe602a1175c9fe44473e7120496f

SHA256
23efccaed433784d881233a3c72a8b9e0c0f19f818069aeea3e7ac7d0e54fd73

SHA512
24447373c5e388257979b91c45b0bbd116eb2775cf01fce220c5c08755ac3b37fd6b42f1aeeb039612c0c78b57e906db372c69f1d4345c718deeb84521641818

Download Submit
C:\Users\Admin\AppData\Local\Temp\kineqa.exe

Filesize
1.1MB

MD5
a2d2e9404854616321f660e4f30bf42f

SHA1
43caef76c57712fbb3747d547825bb2cc32cd55f

SHA256
ae21e3006adaa9a9c7e3ef8b0f51874bfbf4b20c1ef8bb5e380dd5398056bb31

SHA512
b0a1712154c3152b4a4169a67e586086a25d9c9382cb7e549171399a6dd449b52983d1c3e86275a637adb6cd67aa69b18520b56af68a8f4b00bd40431daa4397

Download Submit
C:\Users\Admin\AppData\Local\Temp\kociy.exe

Filesize
459KB

MD5
c926534f4025e7be0dcd6d1424b2f351

SHA1
010e8c8e0f1df7e32c0855d49ca413cf0c1125d2

SHA256
88a4142cadc2a556f003b8347917dc1db24cf6a9b724b6db0225040d3859a4ca

SHA512
94de1c5d668485516582c70c7722dfe038e713251687c47377e9ea4637e9637725db6b9be63490402e2369b0e493b08a8f8034bce6c8b952dc35d889cf4fbc9e

Download Submit
memory/1476-55-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1476-46-0x0000000003AE0000-0x0000000003C79000-memory.dmp

Filesize
1.6MB

Download
memory/1476-37-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2412-23-0x0000000002E20000-0x0000000002F44000-memory.dmp

Filesize
1.1MB

Download
memory/2412-22-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2412-2-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2624-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2624-33-0x00000000038B0000-0x00000000039D4000-memory.dmp

Filesize
1.1MB

Download
memory/2624-34-0x00000000038B0000-0x00000000039D4000-memory.dmp

Filesize
1.1MB

Download
memory/2624-35-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2908-47-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2908-59-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing