urelas | 24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299

General

Target

24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe
Size

80KB
MD5

e3a68a705b6add2f1367e3088cdab0db
SHA1

93dfb16e3f7f9fabf861d46fb1bdb87a562b7594
SHA256

24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299
SHA512

b73288bd5f8e92c5dcfde72ffa92ab57e4e08a0818d2b81cd5e3164ac8568d661fbc1e4cd05f39a31b87c565439ebff653652a7c6c7170bb7b03ae5f36a65783
SSDEEP

1536:9HxkDvWdB7O9dKymMyCMGni2Lz1LaRQLDEaB:9RkjWjK9ABpGzlaRQL5B

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

218.54.47.77

218.54.47.74

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2028	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000310000-0x0000000000341000-memory.dmp	upx
behavioral1/files/0x002d00000001956c-4.dat	upx
behavioral1/memory/2028-17-0x00000000003A0000-0x00000000003D1000-memory.dmp	upx
behavioral1/memory/2308-19-0x0000000000310000-0x0000000000341000-memory.dmp	upx
behavioral1/memory/2028-23-0x00000000003A0000-0x00000000003D1000-memory.dmp	upx
behavioral1/memory/2028-25-0x00000000003A0000-0x00000000003D1000-memory.dmp	upx
behavioral1/memory/2028-28-0x00000000003A0000-0x00000000003D1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2028	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	30
PID 2308 wrote to memory of 2780	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	31
PID 2308 wrote to memory of 2780	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	31
PID 2308 wrote to memory of 2780	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	31
PID 2308 wrote to memory of 2780	2308	24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe	31

C:\Users\Admin\AppData\Local\Temp\24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe
"C:\Users\Admin\AppData\Local\Temp\24ac1a6084fe86b3441c9eb8ffe4f569646b99ce4b8761bd5babcab5b266d299.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
55d2fdd1432483e3ba86ebeccfe130b6

SHA1
7280b14d708800fd15303b2caa8628a0fbd7aa08

SHA256
5cfd1668ec0e5f3b5f8d04e54091d6f173bede6e6f9bb418819fd550095139fb

SHA512
36fd81128552356672b52936699c5e6362268c8131857e778e02a6862600c4feb20d13063d5f838e0887cb5083c648d39fe07faffba18c26387760752f9dd1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
338B

MD5
ca3fe7040ba5e60460878cdecfac077e

SHA1
2c892a18061f55540c86b031d0fdc63d6a8663d8

SHA256
ec6f51b7949b69da904ae8845155c01e3146d94f9e9a69a886040645bbd87c7e

SHA512
05bd5ba44d2e39a9d2e1249824ef66576befb7940ed7e9095b8691d9740be3bb7bd359a8ad2d17eca2590f41d4ae4cdc5fbef0fe8bc453b6efe969f970c512f5

Download Submit
\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
80KB

MD5
d9a1d495585447fb1f8cc0497b512eb1

SHA1
bf63a1b12b965d71f8d252a23185688f0770b3e7

SHA256
66db8516965413c3ca4a193bcb777346367b8a62d16b7d141b7a8de7a3611eb0

SHA512
dcd461f4d4014594cd66d17f1d53d4d4597718ec82f92047b8b123a9f0bafe726b4db5ef64c4f2f6a5687a85d165f5e75f9a5cd5fe2724d725c37a251905f106

Download Submit
memory/2028-17-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2028-23-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2028-25-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2028-28-0x00000000003A0000-0x00000000003D1000-memory.dmp

Filesize
196KB

Download
memory/2308-0-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2308-8-0x0000000002000000-0x0000000002031000-memory.dmp

Filesize
196KB

Download
memory/2308-19-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing