urelas | a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe
Size

325KB
MD5

d64dc81e848d09e5635bbe5366a841bc
SHA1

3e198978f80153c3f45bdb416a173322f22e6063
SHA256

a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89
SHA512

97f362139822841c34923ac16d2eaf2e40f71d93241e56e2a982d768ed1876cb9a918bea0f945fe02b9271427ca9dc91e102cd87207607ff7818717c7ac1b8c6
SSDEEP

6144:cEo/rmV71+I8ZD/h/vFfhxxQO4B4tqv+Hq/On1NHwBzQ4bed76a3FoSx0NG:cEo/6YnZVB1rkAqcNAzQCed7J1oSKG

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	xeboa.exe

Executes dropped EXE 2 IoCs

pid	Process
4872	xeboa.exe
5036	vuweq.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4260-0-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/files/0x0033000000023b42-6.dat	upx
behavioral2/memory/4872-12-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/4260-15-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/4872-18-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/4872-37-0x0000000000400000-0x0000000000489000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeboa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuweq.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe
5036	vuweq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4872	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	86
PID 4260 wrote to memory of 4872	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	86
PID 4260 wrote to memory of 4872	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	86
PID 4260 wrote to memory of 4928	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	87
PID 4260 wrote to memory of 4928	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	87
PID 4260 wrote to memory of 4928	4260	a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe	87
PID 4872 wrote to memory of 5036	4872	xeboa.exe	95
PID 4872 wrote to memory of 5036	4872	xeboa.exe	95
PID 4872 wrote to memory of 5036	4872	xeboa.exe	95

C:\Users\Admin\AppData\Local\Temp\a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe
"C:\Users\Admin\AppData\Local\Temp\a6860e4daa13e3aafa606538cddd7a6b581c40f64dd832bdd45785cd0df79b89.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\xeboa.exe
  "C:\Users\Admin\AppData\Local\Temp\xeboa.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\vuweq.exe
    "C:\Users\Admin\AppData\Local\Temp\vuweq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3fbcd2d1aa5f9371fcb1dcdd505c8437

SHA1
a071dfa4dfc81b9c309d72f5fb7e8d364b260408

SHA256
6e03cdd5f22008afeece714002d09e7bb218254ee63165ca68321c7667e25d01

SHA512
74247380135899ad8975228192f28117a2fa8a884da43bbc7afd3c161e4fb8fd95270885f96016dfcfbd4418275636ca76f3791f431c7124f048f08326262f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
6f91f52516df8409b0539f9831ab8636

SHA1
ad452cce894adef5b199d263cca29c62f136fc6d

SHA256
3918519547f979e9c8c45247e8bbd4ae8136c8a0e2b649034ed0a2ce44118363

SHA512
b3c422e4ba5e87fb04751da16c2ac80454b3e1dc14c86251d772bde0b575db54131f17b2e530e352d0c8b2331eab76ef074112d4538e75f8a007fd589d6ca143

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuweq.exe

Filesize
241KB

MD5
32af5377e54b33ccf2dbe0850c7a4372

SHA1
9b514a12fb7c1746dbf7bd7c11f664cd48a882d3

SHA256
749d72737ca96233dd23d278ee0338e27383fb05fd946fff1d8145935e76e5a4

SHA512
5f94ae27254ad9eb5993af1b67f23dd1fcc7d00aeb6d15ba53807866c92d40a86c465ac1be122a9d71e2d6c3c4a96839932ed0223286f4951d97171849fac62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeboa.exe

Filesize
325KB

MD5
bbd83cee94ab0d5bc0872e1cefe17df6

SHA1
6e22030a5aa61f6382562b23e44e71f170532cc1

SHA256
8128e573dd751fa37a5a158513d9493e0e4a50585416977e578c7e187229f3f9

SHA512
5a6d4fa63655d5aeb45aba868875ce3dbc3140948fe601d6f1850246cba2c8e427095b55c86a49067e7752df8ea4cbee98a06f91871b53ba373a5c81342d612d

Download Submit
memory/4260-15-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4260-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4872-37-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4872-12-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4872-18-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5036-35-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download
memory/5036-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/5036-40-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download
memory/5036-41-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download
memory/5036-42-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download
memory/5036-43-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download
memory/5036-44-0x0000000000B10000-0x0000000000BC6000-memory.dmp

Filesize
728KB

Download