urelas | 76f3b4fd872476566139d536c7a0ef39ff4c3f71981bd8637119bc375f45b257

General

Target

cb5265d8300261e98182aa6753ecbe30N.exe
Size

689KB
MD5

cb5265d8300261e98182aa6753ecbe30
SHA1

117e1d7c5860fe2f5efdd3a3af585a754c026729
SHA256

76f3b4fd872476566139d536c7a0ef39ff4c3f71981bd8637119bc375f45b257
SHA512

94efd13872d52583da8b43f7a7f9311d4786f758125136f9716b05a3aa7bf8f1bcffcc5c18bc92c82608e3de1a1b5b4c13ff495db84b69c94500c46c3eaf8605
SSDEEP

12288:EUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nT:YVh6gl6Iy8R9+ZdnnP94jpgl9BnT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2168	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2792	geqyb.exe
2616	wieqso.exe
1128	qehis.exe

Loads dropped DLL 5 IoCs

pid	Process
1508	cb5265d8300261e98182aa6753ecbe30N.exe
1508	cb5265d8300261e98182aa6753ecbe30N.exe
2792	geqyb.exe
2792	geqyb.exe
2616	wieqso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geqyb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wieqso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qehis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb5265d8300261e98182aa6753ecbe30N.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1128	qehis.exe
1128	qehis.exe
1128	qehis.exe
1128	qehis.exe
1128	qehis.exe
1128	qehis.exe
1128	qehis.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2792	1508	cb5265d8300261e98182aa6753ecbe30N.exe	30
PID 1508 wrote to memory of 2792	1508	cb5265d8300261e98182aa6753ecbe30N.exe	30
PID 1508 wrote to memory of 2792	1508	cb5265d8300261e98182aa6753ecbe30N.exe	30
PID 1508 wrote to memory of 2792	1508	cb5265d8300261e98182aa6753ecbe30N.exe	30
PID 1508 wrote to memory of 2168	1508	cb5265d8300261e98182aa6753ecbe30N.exe	31
PID 1508 wrote to memory of 2168	1508	cb5265d8300261e98182aa6753ecbe30N.exe	31
PID 1508 wrote to memory of 2168	1508	cb5265d8300261e98182aa6753ecbe30N.exe	31
PID 1508 wrote to memory of 2168	1508	cb5265d8300261e98182aa6753ecbe30N.exe	31
PID 2792 wrote to memory of 2616	2792	geqyb.exe	33
PID 2792 wrote to memory of 2616	2792	geqyb.exe	33
PID 2792 wrote to memory of 2616	2792	geqyb.exe	33
PID 2792 wrote to memory of 2616	2792	geqyb.exe	33
PID 2616 wrote to memory of 1128	2616	wieqso.exe	35
PID 2616 wrote to memory of 1128	2616	wieqso.exe	35
PID 2616 wrote to memory of 1128	2616	wieqso.exe	35
PID 2616 wrote to memory of 1128	2616	wieqso.exe	35
PID 2616 wrote to memory of 2884	2616	wieqso.exe	36
PID 2616 wrote to memory of 2884	2616	wieqso.exe	36
PID 2616 wrote to memory of 2884	2616	wieqso.exe	36
PID 2616 wrote to memory of 2884	2616	wieqso.exe	36

C:\Users\Admin\AppData\Local\Temp\cb5265d8300261e98182aa6753ecbe30N.exe
"C:\Users\Admin\AppData\Local\Temp\cb5265d8300261e98182aa6753ecbe30N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\geqyb.exe
  "C:\Users\Admin\AppData\Local\Temp\geqyb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\wieqso.exe
    "C:\Users\Admin\AppData\Local\Temp\wieqso.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\qehis.exe
      "C:\Users\Admin\AppData\Local\Temp\qehis.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
278B

MD5
d29ff250c64301f5011fecd35a9784d4

SHA1
f207ccfb02628b0db0f09a1f1d3e4d217757f0ae

SHA256
96cc7445cd525d9f6f9bf47eb59949045db3f86eb97d05ec78cec80250220e48

SHA512
d8bdc31654f4f24138cd02b98da9e696ce3f5b85d51323d899b89214ae1fb2eb311b9b40af2fc01e73dabc51627fd76248600c87a1a423672442dd19cf24dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
48ce484e5e7507fb9055e64d53d02bdf

SHA1
6442ded933289c9e71c708a8a1e65851f1109bbb

SHA256
86885dc3c7416ccd5de00cc50002707fb12b7c5023d302f91c5d54c9c791af04

SHA512
1440a151530e7367ed31cc0f51d2478374ce82a2afc3dd8980d16226f24ce40a3eb6f13f42f3dfb9dc5364272861114c65ef6a08b5880ff0008dec2a555d403a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\geqyb.exe

Filesize
689KB

MD5
3ff7cf914b2982488b9dd97a46e15f8b

SHA1
0e63760fd25ef9fe3525097e0587496dd42edd4a

SHA256
235a506a2ab4d490aa26dd4866913e72b90e24308bbf5ed61c47bb49869202cd

SHA512
db13978c69792d5e985f544c365ce088b4527b65e53e6105cddfb73a1c9abbe914a1fac6673475ab5a78bfa3a8ec9df6e4f21b479a2cafe46c60542ef43e4a6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
46576492cdcd9d24ad62e70ec56c0f7a

SHA1
31128682b053325788cdd9d49b6ef4c6ed4be978

SHA256
3b55fe3e96af59d24a4601ae350b5075ce8bcf2f18155e4bd29a052c8230cb2c

SHA512
b5512ba0ea72027bb50704e1b1fcbcd1a20be41c61f98cfee174d7f127ffeac86075a90ca5c0d0431e029f66593cc2ef4bf01047cd0a69e003e3b4c387cb4524

Download Submit
\Users\Admin\AppData\Local\Temp\qehis.exe

Filesize
469KB

MD5
f7c7e7ba9d716a4fcdc33375ae673e77

SHA1
416acfdd4c9ea1809a05fbea0d1b2d4abd02e49c

SHA256
cd31d8f7154cc134c5374d6292ba77e5fed444da61d71fa95f7436e1417a3d43

SHA512
75a763886806d94e815bdcf33c87573c835b789c3730215aa39fd2372d1b67c29ce7562714818824661ac9e0a549af5fdaf7a0bd38c8bc80507b3cce8e421bb1

Download Submit
memory/1128-61-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1128-60-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1128-56-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1508-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1508-3-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1508-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2616-46-0x0000000003CD0000-0x0000000003E66000-memory.dmp

Filesize
1.6MB

Download
memory/2616-38-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2616-54-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2616-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2792-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2792-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2792-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing