urelas | 8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f

General

Target

8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
Size

541KB
MD5

e848cc55bb658894a350d1c853a1567b
SHA1

d6e57e2c4ade50f89ee9a5b48268bfab2e9db001
SHA256

8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f
SHA512

32b495ec4b7674a5750e8c63b2fa5bd4af7ccef8c9d556f82c1ea2555b1c78719495e78064615e37fad9358d07c2ec6f031d2b751abb724deff26e2be6d82af9
SSDEEP

12288:T52PxDgZo3ijnieactYDG7MzZSHJcvEj8dmoSxuz:92SLi70T7Mifju

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	xotuv.exe
2880	najij.exe

Loads dropped DLL 2 IoCs

pid	Process
2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
2808	xotuv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-0-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/files/0x0034000000015d5c-4.dat	upx
behavioral1/memory/2848-16-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2808-19-0x0000000000400000-0x0000000000487000-memory.dmp	upx
behavioral1/memory/2808-26-0x0000000000400000-0x0000000000487000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xotuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	najij.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe
2880	najij.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2808	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	30
PID 2848 wrote to memory of 2808	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	30
PID 2848 wrote to memory of 2808	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	30
PID 2848 wrote to memory of 2808	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	30
PID 2848 wrote to memory of 3004	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	31
PID 2848 wrote to memory of 3004	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	31
PID 2848 wrote to memory of 3004	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	31
PID 2848 wrote to memory of 3004	2848	8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe	31
PID 2808 wrote to memory of 2880	2808	xotuv.exe	34
PID 2808 wrote to memory of 2880	2808	xotuv.exe	34
PID 2808 wrote to memory of 2880	2808	xotuv.exe	34
PID 2808 wrote to memory of 2880	2808	xotuv.exe	34

C:\Users\Admin\AppData\Local\Temp\8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe
"C:\Users\Admin\AppData\Local\Temp\8a72a00503f6165cdb13acd74fca6e49837c99892582b19c420c0777ce32764f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\xotuv.exe
  "C:\Users\Admin\AppData\Local\Temp\xotuv.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\najij.exe
    "C:\Users\Admin\AppData\Local\Temp\najij.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
861670fb312741d9ad76a7cd2b118d15

SHA1
c43025026fc13dce81c028889695c5c06754bc40

SHA256
b15a683b135b842ef5af69a208694749e49eb14ef43cccd9528295e0657d2bbf

SHA512
f12f5a07cc26de42d069a433b4795d47ace58bad8d1ee5b7accac74361fb101e12334258326a0409a80b874ed9ffd0a03603762d8e259ebd0306a52fb410fd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0ffefc8f3395ec6de53f8e867c0563af

SHA1
188cc54e58b82009f7c42734022431fb4bbcd7aa

SHA256
72a4485266704252b54509affdc7b23df7f2f54e7735276e2fecff7aaee86d7d

SHA512
d1d1de163011becf9884851981a4631a7242f806396f98dbe00e547640fd86e8db8210f3f6caec8b1f1ff1596ed3299cecf0f723f2d936d07abffde6f08e056c

Download Submit
\Users\Admin\AppData\Local\Temp\najij.exe

Filesize
230KB

MD5
bd67ff058ff20bc030e43199c527182b

SHA1
fb02d644fb55ed0ce07ba16b4b8c4d1b85776cb8

SHA256
a7e4215e8b1f98fbc07e9a65d64665e2ad9b4e58ebd0d6a19383056b6cd1c466

SHA512
b9c08a161b62d4e948833e5f6b245401d4ef17b2a8e332a6cf7610d417941d1d64332cb80a280d0c05cdd7e3c19757fd0153bd2c72cf65cd4ab4777275815260

Download Submit
\Users\Admin\AppData\Local\Temp\xotuv.exe

Filesize
541KB

MD5
95b52e6eb2f5eb368eac54c272d18083

SHA1
a9db3b5af27641f49038e5bf54895422bd578201

SHA256
679a7e2ab3b305a67f3129bd556243309269461d8c6ef528d6e817aafb6780e2

SHA512
2ba9e18f15a06c3d27acb1baea663b7185e8bd4b6a94171b6b4b99d44cb16b497019947152551a393a81966cb10fda2d85254861a270563f1d91bdbc51974c76

Download Submit
memory/2808-19-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2808-24-0x0000000003270000-0x0000000003323000-memory.dmp

Filesize
716KB

Download
memory/2808-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2848-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2848-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2880-28-0x00000000009E0000-0x0000000000A93000-memory.dmp

Filesize
716KB

Download
memory/2880-30-0x00000000009E0000-0x0000000000A93000-memory.dmp

Filesize
716KB

Download
memory/2880-31-0x00000000009E0000-0x0000000000A93000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing