urelas | e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43

General

Target

e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
Size

1.1MB
MD5

3ea5026ec897195801d5004d320e74d5
SHA1

0f7fb2862e10be5c378767e944dd9bd834ef8930
SHA256

e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43
SHA512

fa747cae0042f143989ef85f6fa9cf5aff1987d0358e01db456d65b69d977028bc174a692fd4576a285e55ac513c9dbe23052ad205f46ab78bc51451e8fb847b
SSDEEP

12288:tEr6bkpYN2jF7vQZmSohg+k7j6aDG4FuA6lpgTIJcqBZ5YR:tcykpY5852j6aJGl5cqB2

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	jobyfi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	atpoq.exe

Executes dropped EXE 3 IoCs

pid	Process
768	atpoq.exe
1432	jobyfi.exe
4472	cyano.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000021eaa-31.dat	upx
behavioral2/memory/4472-37-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4472-42-0x0000000000400000-0x0000000000599000-memory.dmp	upx
behavioral2/memory/4472-44-0x0000000000400000-0x0000000000599000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	atpoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jobyfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyano.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe
4472	cyano.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 768	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	85
PID 2936 wrote to memory of 768	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	85
PID 2936 wrote to memory of 768	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	85
PID 2936 wrote to memory of 2084	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	86
PID 2936 wrote to memory of 2084	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	86
PID 2936 wrote to memory of 2084	2936	e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe	86
PID 768 wrote to memory of 1432	768	atpoq.exe	88
PID 768 wrote to memory of 1432	768	atpoq.exe	88
PID 768 wrote to memory of 1432	768	atpoq.exe	88
PID 1432 wrote to memory of 4472	1432	jobyfi.exe	107
PID 1432 wrote to memory of 4472	1432	jobyfi.exe	107
PID 1432 wrote to memory of 4472	1432	jobyfi.exe	107
PID 1432 wrote to memory of 4332	1432	jobyfi.exe	108
PID 1432 wrote to memory of 4332	1432	jobyfi.exe	108
PID 1432 wrote to memory of 4332	1432	jobyfi.exe	108

C:\Users\Admin\AppData\Local\Temp\e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe
"C:\Users\Admin\AppData\Local\Temp\e4bdf670b100836d64e62a38ed70178d2c80413d92ef8b55c43ef5bf3ba49d43.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\atpoq.exe
  "C:\Users\Admin\AppData\Local\Temp\atpoq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\jobyfi.exe
    "C:\Users\Admin\AppData\Local\Temp\jobyfi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\cyano.exe
      "C:\Users\Admin\AppData\Local\Temp\cyano.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
06138e7e845b4245c26b74205e3cd286

SHA1
55e2ba4d7a6f0adbdda50ace1cd6db1c1594cc8b

SHA256
5b2a7943a724350b30fd779567673725ee37eebb423ec3af9502126ed0bcc2d0

SHA512
856ea1a122f83b2699f49c5274503af601912f6e3d45d0fd3672a64595fff2e8b280fb2a9c7cd7cb77c0a9f07dca5dbaa32d3104ff12f921bdc0423c1ee4bb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
797ad590479bcdf0afa31a9cb3b80328

SHA1
9ece1288f148d1760996194b917d87860491f2f9

SHA256
7d52b72ea59395448de6c05ca6d9e381b0d8d8e790a21069d68ec61ca91d2f17

SHA512
e50d127cae679ed76ff6ff6825b72bd405d491daeaa0444f7a7c4cfba1d9b5c7d138e506e10d83fbcb265ed607a84c00322197c878b0a124341fedc2c1e06b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\atpoq.exe

Filesize
1.1MB

MD5
358676e93308d542c33f4f1526bf3fdd

SHA1
6e5349d817df1f69e2b1961deaeb6bcfb5e3e76c

SHA256
41c5dc6c4d9e8172fbcd03f78469937e2b401895b2f8a6750dedd64109648695

SHA512
886c74ff6cea36479908f5148f12411cb99ae74e820ab9c9aaaf200b899720681c223532f4a0154213ca341c5fdc6221e9daf0d04b3a50f44a82d56729cac43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cyano.exe

Filesize
459KB

MD5
bab52a1043c82b90e0989962a28b3e6b

SHA1
79d1822a72198a9acb1dcb7f1181df480b64c72b

SHA256
4f415dd8e5ef0077f5777730d596eaa953b96643e7c7f673d471b52fabb60e72

SHA512
4b63896224390cf37bbcd549fc5d5b6cf7d82783bf94d938597d05427ba779d51a4170a3bbf408de54006cecfb55ceb271924507ae1109ea96c77a7889c15e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
af19b2b941be60c54d9c0872f6c85bba

SHA1
45266742bdba90df4b9654218e6cb7de1b58a6c8

SHA256
d4df613e4bdbf421657f2ca0bda6a650861b9f3f318088a33894a55afae19ab5

SHA512
38164232f93c5e05fd36454d5de1287686cda2748e4ba934cf82a13293fa5d5035aa0782d48214539cc726cd68f87245876ebb3c344710e7215c9ee7bde8a107

Download Submit
memory/768-24-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1432-39-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/1432-25-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2936-0-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/2936-15-0x0000000000400000-0x0000000000524000-memory.dmp

Filesize
1.1MB

Download
memory/4472-37-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4472-42-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4472-44-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing