urelas | c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139

General

Target

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
Size

332KB
MD5

aece7a093e6b27c5f1474cd8422c9e66
SHA1

eeb0ba66278e98a2241a3cd19d317007575c6578
SHA256

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139
SHA512

3e94f42fb41f5cb3384f8e23b75d1539c9cd2bd5aa2aff2d9a5c1cd5496b8cd2493f22c76da08b516aed689b62d025028d29c4f98c2487f80017e3c4b9b612aa
SSDEEP

6144:yty5fbpxDuMcHYwt1gxloqtaE5iWbUMqfn8EijRUNafrHBw/iq:ytCLD7+51gxeq3gOU9EEQrhMJ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2028 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

opcia.exereykha.exejebuy.exe

pid process

2408 opcia.exe
2812 reykha.exe
1376 jebuy.exe

pid	process
2028	cmd.exe

pid	process
2408	opcia.exe
2812	reykha.exe
1376	jebuy.exe

Loads dropped DLL 5 IoCs

Processes:

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exeopcia.exereykha.exe

pid	process
2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
2408	opcia.exe
2408	opcia.exe
2812	reykha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exejebuy.exec1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exeopcia.exereykha.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jebuy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opcia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reykha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

jebuy.exe

pid	process
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe
1376	jebuy.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exeopcia.exereykha.exe

description	pid	process	target process
PID 2908 wrote to memory of 2408	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	opcia.exe
PID 2908 wrote to memory of 2408	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	opcia.exe
PID 2908 wrote to memory of 2408	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	opcia.exe
PID 2908 wrote to memory of 2408	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	opcia.exe
PID 2908 wrote to memory of 2028	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 2908 wrote to memory of 2028	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 2908 wrote to memory of 2028	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 2908 wrote to memory of 2028	2908	c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe	cmd.exe
PID 2408 wrote to memory of 2812	2408	opcia.exe	reykha.exe
PID 2408 wrote to memory of 2812	2408	opcia.exe	reykha.exe
PID 2408 wrote to memory of 2812	2408	opcia.exe	reykha.exe
PID 2408 wrote to memory of 2812	2408	opcia.exe	reykha.exe
PID 2812 wrote to memory of 1376	2812	reykha.exe	jebuy.exe
PID 2812 wrote to memory of 1376	2812	reykha.exe	jebuy.exe
PID 2812 wrote to memory of 1376	2812	reykha.exe	jebuy.exe
PID 2812 wrote to memory of 1376	2812	reykha.exe	jebuy.exe
PID 2812 wrote to memory of 540	2812	reykha.exe	cmd.exe
PID 2812 wrote to memory of 540	2812	reykha.exe	cmd.exe
PID 2812 wrote to memory of 540	2812	reykha.exe	cmd.exe
PID 2812 wrote to memory of 540	2812	reykha.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe
"C:\Users\Admin\AppData\Local\Temp\c1d64b05f775a3311b57c5b5e74405cdf8010f3c7fdabc193553369e7fd15139.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\opcia.exe
  "C:\Users\Admin\AppData\Local\Temp\opcia.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\reykha.exe
    "C:\Users\Admin\AppData\Local\Temp\reykha.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\jebuy.exe
      "C:\Users\Admin\AppData\Local\Temp\jebuy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e3c07938cd77830b2a184a14c8d88008

SHA1
66de4e4665ae56fa8015c73f5be3703c763dae71

SHA256
9e9d2ed9ea8bb286a1d10c62270c70181c5dcd452b432700dceed777c8b8ad02

SHA512
8a001ab8b6d75e58bd80c0d1e357794f4c77e4959a47ed69d22273d17e6f7b100677cfb76d327cf10314016fe3784c529afcb57e54e205d455354ea8098539a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
59634d3cd855bc1252a647bd2217bcc2

SHA1
dde545ef9ec7525430a01a2b2c5d81b7339cfb9c

SHA256
e8969a313b5cea1db86140ac4fcdbeb88ecb4d406dd8207a6842b757ceb189ed

SHA512
e4ca394d5a36007f0398d1fc6a110a93937fc50c59ce66b7d7ce3c126391c8a22f8e692a22abefedc2d2b65652547203adb2ecc9f47eec6dc61cf35f5ad7059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fd51923ff03982fea59c0b92c5b2b8a0

SHA1
707ea30afb7e286a063ea56d11e646586cbaec4f

SHA256
16f41a3b4158405e30645727910fa70a9ccff8a41c650b34251840713e89043e

SHA512
c7d1cd85b348391a42907cf02d424417c05e7bf78dcc78206d077cdbd1a0db96a2a58fca31e1355064304f1bf693640057b8531f70c1bc92ac10fe3f1f93d0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jebuy.exe

Filesize
223KB

MD5
2ba483e56a39258f4f4716aa366a6284

SHA1
cd6680ca3072d634bf82d384b53c2cb560e19f4d

SHA256
0b0c298f571019d483663d346d666b5edb98c3f7c95dda441e0fa376b956cf26

SHA512
ef11edde6e3cd42e20a6ae4487c2f0d16f2092f9c9826e90a3376ee49f1eda74e37ff5b1f534b8b2f3d66de011c0fe843c7965f43074f4331921320ddd7e31c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\reykha.exe

Filesize
332KB

MD5
591fe8982359c9f3e1ad74c7227c9485

SHA1
b6f2ce98d23445d31e7680f9e94f161b295f4a05

SHA256
2b195f51a9694c983ed84630e7a97fcdfa42dfe7663e126ee245d7f102e0f747

SHA512
8e0562bd057d636f28bc92a9db61b3ca04d72faddc7f33153b6acbb10b61c488b7d1583f401dc019356d03c1de7081881b69f02cc0138bfd830cf1072878bebd

Download Submit
\Users\Admin\AppData\Local\Temp\opcia.exe

Filesize
332KB

MD5
85fe47812543713dc9321e526b592ba0

SHA1
4181180fac6e4c054b53d560d45df4865c8d013d

SHA256
bbfcbcff938084e6f4813dfaa35a984ff07c1a0b204e66ff5a2b6af3acbee091

SHA512
3989a5700cf03241e4cd26fff265011e6d33c038506904ff2ab662d0d36a42732a5cc57ab1b867cfcaec06a55caceede41594e1b02de5ea8a881e93acf3c77bc

Download Submit
memory/1376-67-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/1376-71-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/1376-70-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/1376-69-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/1376-63-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/1376-68-0x0000000000040000-0x00000000000E0000-memory.dmp

Filesize
640KB

Download
memory/2408-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2408-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-38-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-62-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2812-36-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2908-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2908-20-0x0000000001E50000-0x0000000001EB7000-memory.dmp

Filesize
412KB

Download
memory/2908-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads