urelas | 67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/10/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe
Size

402KB
MD5

795df109157cb3019f46be982a65d77d
SHA1

78a49ed0afcf9ce48f164ca6f47f0d79b76aa1f1
SHA256

67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616
SHA512

5e0fa3f69d9ef541071d2ed3adfb9ff2117a5bdf4a970409f2b97db4a1a5152b5ddb3e69f274bb30635eff341c16004c699ef576ec76cb681427ff44c297eb7c
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroh3:8IfBoDWoyFblU6hAJQnON

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2368	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1560	ezqyh.exe
2828	vubote.exe
2908	riset.exe

Loads dropped DLL 5 IoCs

pid	Process
2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe
2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe
1560	ezqyh.exe
1560	ezqyh.exe
2828	vubote.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezqyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vubote.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	riset.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe
2908	riset.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1560	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	31
PID 2024 wrote to memory of 1560	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	31
PID 2024 wrote to memory of 1560	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	31
PID 2024 wrote to memory of 1560	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	31
PID 2024 wrote to memory of 2368	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	32
PID 2024 wrote to memory of 2368	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	32
PID 2024 wrote to memory of 2368	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	32
PID 2024 wrote to memory of 2368	2024	67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe	32
PID 1560 wrote to memory of 2828	1560	ezqyh.exe	34
PID 1560 wrote to memory of 2828	1560	ezqyh.exe	34
PID 1560 wrote to memory of 2828	1560	ezqyh.exe	34
PID 1560 wrote to memory of 2828	1560	ezqyh.exe	34
PID 2828 wrote to memory of 2908	2828	vubote.exe	35
PID 2828 wrote to memory of 2908	2828	vubote.exe	35
PID 2828 wrote to memory of 2908	2828	vubote.exe	35
PID 2828 wrote to memory of 2908	2828	vubote.exe	35
PID 2828 wrote to memory of 1124	2828	vubote.exe	36
PID 2828 wrote to memory of 1124	2828	vubote.exe	36
PID 2828 wrote to memory of 1124	2828	vubote.exe	36
PID 2828 wrote to memory of 1124	2828	vubote.exe	36

C:\Users\Admin\AppData\Local\Temp\67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe
"C:\Users\Admin\AppData\Local\Temp\67fbca0d1e899ec4b1148996488b1664b50601e4e452e98b41aa27a4e93a0616.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\ezqyh.exe
  "C:\Users\Admin\AppData\Local\Temp\ezqyh.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\vubote.exe
    "C:\Users\Admin\AppData\Local\Temp\vubote.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Users\Admin\AppData\Local\Temp\riset.exe
      "C:\Users\Admin\AppData\Local\Temp\riset.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
5a57678f44cd7e37b4617ba00bb0241b

SHA1
08b21f1de2e67816ebe8a2bd040190750d9d32a3

SHA256
6afe1873026bd63633ba712afee1892aa0af42a43e9320f11f537baa434b5970

SHA512
73c7a8446752da86a2e37c42754439a319e351051b387a0f99fd2b8c92a0c4d99f25eaa9ce7b3640e12712c0ff8f3d5bc78278abe3f075c70616c4ea838d2a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
61dc0877306dd4154fc885f11de02a04

SHA1
bc8b575a9b706076f5ea9a96a970980b77ad686d

SHA256
b3b0edf7c16f68ec6927fdcd3ff27d193bef0ef256be916bf6fdf9489f2684a5

SHA512
8f6530d1834b6aa2598091e68f2c90a7b45202e130cbe264c0343f5814513df46c98c9c3a11154884d140d1741afee1c94920d63d0937789a02f53080266df8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fdceb010a6e47690cc64902d6ccc8af7

SHA1
b8f6052ee16c3178ba69fca4ffa702679e9706f7

SHA256
376f72f51360583580751a0a9a516bda8c8e18ff7416eb871533c880638acd6c

SHA512
c7d301fefb865aff6a17cfce3d9bf3b4d545e7e93651c46418a7ffb5b58199d0f6827e3b1000dcbb8e2790315ecb2b76437a653d4380e9e23452e682faa113a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\riset.exe

Filesize
223KB

MD5
912112aa2fd6bb8564f9759a960d0f30

SHA1
a932174eaae0bdd28e4c993748b36b0967f76987

SHA256
3e6792709c2059a7dbe99de545b08e11bfa95878683c2839d44dcd9af485fdbb

SHA512
8323ba4ef3fe84c987633f7b952ef0b66f14cb598f6d2cbcc97601bb1a378f170097c6927bdd2cd6b5c5078fbdb05d607d42c9d87552958ed7e51be256e0a717

Download Submit
\Users\Admin\AppData\Local\Temp\ezqyh.exe

Filesize
402KB

MD5
63fde9e740671fd5b825ad0541bb656e

SHA1
5e30877aa6d0327c899665d8ad7b044bea300d8f

SHA256
dbab6db4be8ab3e78eaf94b5091c13aa81a68ac51e25880312142c81cc261c90

SHA512
d75704955abc84441d6bb8eb3cfc957278bb19e493651f1abec61bd2fa0faf109022b6b535f24a7b74e1e4b51115d8c1ce325b15ba5c0468556bb903af48bb4b

Download Submit
\Users\Admin\AppData\Local\Temp\vubote.exe

Filesize
402KB

MD5
889f781f4ca90e30d451d219c910e0c6

SHA1
cc0925c8da7c6bae56688bf8ee9a368a9d269b7b

SHA256
8459fdcba73c914c0e5ad3a0ffec9a618daf84aa2ccfc1b2e9a58cfe20a451e2

SHA512
bd3febd29b1c7bf0d32c82e10dc79342749373779dfba081f10f1b08a9d35585dc5591b499164d5e23b39be9adc2c1d850c0b9f30f62844d33a06de3e5c310f5

Download Submit
memory/1560-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1560-21-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1560-34-0x0000000003170000-0x00000000031D8000-memory.dmp

Filesize
416KB

Download
memory/2024-12-0x0000000002280000-0x00000000022E8000-memory.dmp

Filesize
416KB

Download
memory/2024-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2024-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2024-11-0x0000000002280000-0x00000000022E8000-memory.dmp

Filesize
416KB

Download
memory/2828-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2828-52-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2908-53-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2908-57-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2908-58-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2908-59-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2908-60-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download
memory/2908-61-0x0000000000170000-0x0000000000210000-memory.dmp

Filesize
640KB

Download