urelas | 4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820

General

Target

4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe
Size

87KB
MD5

edd08fecaf26b0623778a7da2b6985e0
SHA1

5e2ac0dcd824e3b5d6af7e79245793583be4483f
SHA256

4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820
SHA512

181ce67f9080302fd6d8b47d66c7358ad086315ba37548dd78a8aae03a6c2bfe594c4d7ebe1f8d5a2b051dbf557f3e38781601ac60b25b178585b7e91e58e4a9
SSDEEP

1536:Jz+jIHNv+vsFbwW6dk0QeLb4NMHriBRxiDkURFH0tHEa:JznH976dUCnuniDd0REa

Score

10^/10

urelas discovery trojan upx

Malware Config

Extracted

Family

urelas

C2

112.175.88.207

112.175.88.208

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	huter.exe

Loads dropped DLL 1 IoCs

pid	Process
2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2100-17-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/files/0x0009000000015d2a-8.dat	upx
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2100-22-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2100-25-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2100-32-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huter.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2100	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	30
PID 2612 wrote to memory of 2100	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	30
PID 2612 wrote to memory of 2100	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	30
PID 2612 wrote to memory of 2100	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	30
PID 2612 wrote to memory of 2860	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	31
PID 2612 wrote to memory of 2860	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	31
PID 2612 wrote to memory of 2860	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	31
PID 2612 wrote to memory of 2860	2612	4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe	31

C:\Users\Admin\AppData\Local\Temp\4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe
"C:\Users\Admin\AppData\Local\Temp\4fbf31cd824004e379ff04637fb3d02823a174ca412ae9add18afb3aa87d9820N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Users\Admin\AppData\Local\Temp\huter.exe
  "C:\Users\Admin\AppData\Local\Temp\huter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a01dba4c45102fc15292fd5591166536

SHA1
d96191c30e0f09439d8547f4ededbf6726ccd54b

SHA256
cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904

SHA512
277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\huter.exe

Filesize
87KB

MD5
d4cae28654d3610e1768677e4de7640c

SHA1
5f49f7a13fbfc44439fcc3e6c9f81dc302d07a2a

SHA256
102ac9a18f3c1d8f8577996c38a4096d55c89e786fd04b6b9a377c5e7b69411c

SHA512
4d70721afb2e488657bb68f501ffed5d1cc0647157b5261cafa07a9d1fc92037185968d191f66d56b400c7cbfb74764ac9b78ff52ce8cc599457ffe7cd9c7ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

Filesize
340B

MD5
e64045d5cca76c158bda170f3c41764f

SHA1
df7f16d4f87db93666148bf964d659c63c24c7ca

SHA256
0f2e486aeb2299160a31daba0c792ad55625610937f321517d90603756cd7991

SHA512
f641e6d35e5d46b58abc7cd6f35d873a8fdd4507e76e908ea2d6ae7d36ed63dce1530af129b7371e5ba3b83ad0cab5037ebff1c33c2ee959512f404b631c33ee

Download Submit
memory/2100-17-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-22-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2612-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2612-16-0x00000000029B0000-0x00000000029E1000-memory.dmp

Filesize
196KB

Download
memory/2612-19-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing