urelas | 8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc

General

Target

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
Size

359KB
MD5

dfb3779c551d4ee4e50a4621b6145411
SHA1

6a0cb76aa520332950e67d3f9a99ee425f50626a
SHA256

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc
SHA512

5940eb5edab888cbee06ef9d34c03f651f62824ac7915f005037e4df47f84da07703be8b88ae9eb8a3ae5cb5a343f871d4fb5a144e077ae5a679a033976bc717
SSDEEP

6144:c1bYec5C8AAYLxhEmPG7qwmioqVsCqbN0hx:MUyI6QmPPPqVspa

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

puubx.exepugoxi.exe8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	puubx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	pugoxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe

Executes dropped EXE 3 IoCs

Processes:

puubx.exepugoxi.exeytduw.exe

pid process

2756 puubx.exe
528 pugoxi.exe
4680 ytduw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2756	puubx.exe
528	pugoxi.exe
4680	ytduw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ytduw.exe

pid	process
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe
4680	ytduw.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exepuubx.exepugoxi.exe

description	pid	process	target process
PID 4076 wrote to memory of 2756	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	puubx.exe
PID 4076 wrote to memory of 2756	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	puubx.exe
PID 4076 wrote to memory of 2756	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	puubx.exe
PID 4076 wrote to memory of 1288	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 4076 wrote to memory of 1288	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 4076 wrote to memory of 1288	4076	8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe	cmd.exe
PID 2756 wrote to memory of 528	2756	puubx.exe	pugoxi.exe
PID 2756 wrote to memory of 528	2756	puubx.exe	pugoxi.exe
PID 2756 wrote to memory of 528	2756	puubx.exe	pugoxi.exe
PID 528 wrote to memory of 4680	528	pugoxi.exe	ytduw.exe
PID 528 wrote to memory of 4680	528	pugoxi.exe	ytduw.exe
PID 528 wrote to memory of 4680	528	pugoxi.exe	ytduw.exe
PID 528 wrote to memory of 452	528	pugoxi.exe	cmd.exe
PID 528 wrote to memory of 452	528	pugoxi.exe	cmd.exe
PID 528 wrote to memory of 452	528	pugoxi.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe
"C:\Users\Admin\AppData\Local\Temp\8e8fd100abf60b66cc45b97db2fa438c63b06fc6e7b233e9655605441b897cfc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\puubx.exe
  "C:\Users\Admin\AppData\Local\Temp\puubx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\pugoxi.exe
    "C:\Users\Admin\AppData\Local\Temp\pugoxi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Users\Admin\AppData\Local\Temp\ytduw.exe
      "C:\Users\Admin\AppData\Local\Temp\ytduw.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
d39bff0c204a4b32f12a70e423230646

SHA1
421fc33bad6c5309dec4aebc77cde5a0e4854a69

SHA256
39fad9c63cac7ef7546a6c9ec8df759c9182dfe9bac6a1d359ab413c72c10aa7

SHA512
96ba3464549ee28bf70cd61c167d808fe54d1804d13ed6f053435e3fba6fc1c871c790af84c4f0352ebe447e413e6e30be1b789cdcc289b9f1d5b6da7235e1d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
909822f3de22d3574f8c7ce0aa97272c

SHA1
bd6dc50faba207d27f595f4b2693efe12ae5bb91

SHA256
fbf2824a3b1524b2e4df37846b2dcceb5d2a6cc65b8e5031734791f7dc7ae7f9

SHA512
83c9939a24c6cabe40409b7fc5c82a5a613f12645288b51b49cceb94892efe274bf34024d49dcf01900101d24d2bed2f6376f3e07214f0903d86a87e19372d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
86681f80624c48f69e0219d1eb6c5023

SHA1
76229a5ef10658c61d09377b44ecc81641530d9e

SHA256
3ed8b2f6326fe5c7aaf1f2eb54ef703ee2bc6f9a5af5b85b029406b69dc945aa

SHA512
5fec61f9a254286703f0bb6c86a24b1bd3102c39499f730220aa29bdeabbd93e5162fe86444bcec50e1c2a965c1aa602ea397b37aa8a8740ac7b74eade34e169

Download Submit
C:\Users\Admin\AppData\Local\Temp\puubx.exe

Filesize
359KB

MD5
1066779d886fbdc60111748e39b54c19

SHA1
bc4b1a3381bb403cf0b4afc75601fe692ada4427

SHA256
44f41ab6aa3510782dd7a3392a16993b0c5317771bc05567a87a4796e73c56a6

SHA512
6a3e7409e46c69b6d06b200bea0b6ed4bd5cc2cf6fc33842056df37009ebe5313de4f4ea90f2f107276ad748345342d08a5b9663d43b429051809f022da25fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytduw.exe

Filesize
107KB

MD5
08371b6c9738ef12003f7124bf134441

SHA1
86b0e0d9e00e5f2e3398713fee35cdd1baf90671

SHA256
453ea190cecb4c2a680b331d5df057fd41cd40354eecbc27418c5afb77fb6fb7

SHA512
87c5dc309a2a59d578f522f00c82231a27955324d517a2c74b3534528cbef0cc28dc1c0b11b7a83fc12d2f5220c185e25b456558ff8505770c77327afc272c39

Download Submit
memory/528-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/528-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2756-24-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4076-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4076-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-37-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-41-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-42-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-43-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-44-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-45-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download
memory/4680-46-0x0000000000990000-0x0000000000A15000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads