urelas | 8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5

General

Target

8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
Size

403KB
MD5

c769bee14908ab982b432883968b83e0
SHA1

c49f0b736847fa69ccc308f61ed6d5e65f6e128b
SHA256

8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5
SHA512

90151e14f65afe3c9471a812591b9fd61f0cf3387ddcc2755ef9d59309c6529978e5001daad9ffbc65559eb3ca420123f5716b1b0a2897056f9876a72a88db44
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohl:8IfBoDWoyFblU6hAJQnOz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2116	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

qoojt.exenuazxy.exequwyt.exe

pid	Process
2868	qoojt.exe
2584	nuazxy.exe
2752	quwyt.exe

Loads dropped DLL 5 IoCs

Processes:

8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exeqoojt.exenuazxy.exe

pid	Process
2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
2868	qoojt.exe
2868	qoojt.exe
2584	nuazxy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exeqoojt.execmd.exenuazxy.exequwyt.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoojt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuazxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quwyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

quwyt.exe

pid	Process
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe
2752	quwyt.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exeqoojt.exenuazxy.exe

description	pid	Process	procid_target
PID 2708 wrote to memory of 2868	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	31
PID 2708 wrote to memory of 2868	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	31
PID 2708 wrote to memory of 2868	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	31
PID 2708 wrote to memory of 2868	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	31
PID 2708 wrote to memory of 2116	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	32
PID 2708 wrote to memory of 2116	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	32
PID 2708 wrote to memory of 2116	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	32
PID 2708 wrote to memory of 2116	2708	8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe	32
PID 2868 wrote to memory of 2584	2868	qoojt.exe	34
PID 2868 wrote to memory of 2584	2868	qoojt.exe	34
PID 2868 wrote to memory of 2584	2868	qoojt.exe	34
PID 2868 wrote to memory of 2584	2868	qoojt.exe	34
PID 2584 wrote to memory of 2752	2584	nuazxy.exe	36
PID 2584 wrote to memory of 2752	2584	nuazxy.exe	36
PID 2584 wrote to memory of 2752	2584	nuazxy.exe	36
PID 2584 wrote to memory of 2752	2584	nuazxy.exe	36
PID 2584 wrote to memory of 536	2584	nuazxy.exe	37
PID 2584 wrote to memory of 536	2584	nuazxy.exe	37
PID 2584 wrote to memory of 536	2584	nuazxy.exe	37
PID 2584 wrote to memory of 536	2584	nuazxy.exe	37

C:\Users\Admin\AppData\Local\Temp\8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe
"C:\Users\Admin\AppData\Local\Temp\8fe4515d44b72e96a26bcf148ffeb52311de418255bc3e6c635e71c791d2fec5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\qoojt.exe
  "C:\Users\Admin\AppData\Local\Temp\qoojt.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\nuazxy.exe
    "C:\Users\Admin\AppData\Local\Temp\nuazxy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\quwyt.exe
      "C:\Users\Admin\AppData\Local\Temp\quwyt.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
d5cda0c50c2cfdd33e5d1f0f0a72a235

SHA1
695bcf9195615b9e1971ba311d17bee0d7836ef6

SHA256
69a5bed46ccae4ca029f3ddd8e18bfff5a799e3457fed5e0b3552ec10e2f378c

SHA512
d29c5c1b562a201cc6cffd12ec571c6ac9d1e4ef1a1818d6625d55528a69569c9549a03bc017bf03bc96ad97685a10319fae72ee09c027b3272d17d1814096aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
55514e1e2a6533fc2f94c34e3a3963e0

SHA1
52a50d59bad50253d6ecf879d47c094982c52548

SHA256
32601b1afd1ec00130cfc807654954c7cf3c77985665ecd3be5b949d7f4b3d38

SHA512
a172c7f3310f5a5ea3567e802ccb30ebd627d48605e6440c97d301117807f5f8962ec63b83128d3ba21dc69bc251c76641ef2fca9f05572e0865c60af3d0cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7cce3c7d55d423536b91269786d6acd4

SHA1
2a6d742783ed9ca09d480cbef8e481966382ed69

SHA256
4c7646775a42da111cdc74910e84daa8b56d5d16c3176443b8daba8099b075f7

SHA512
3811387ad9b7a60592d482ae624093daa9fcb1c71de4ddc428bd04222eb12bda92bb2915bba1a93fd728cefd26b71b16ed5db3cb6f63aff9d60ec1c2032b0998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoojt.exe

Filesize
403KB

MD5
a32331db7f74afc130f2c1872384b4b9

SHA1
553a4029abee729c32bd38f363a5abf3298f4c16

SHA256
5d915a80d9c3eb540d97a9330965284e5503c83225c9d0c028507d348e9b1508

SHA512
2ed4cad9d695131c72feca1805e1b7c4b005f14031296a79184b76b0b7ff721f2cdc3882e9142a75246085ce5fb4647733b8caf2f8c1cf682da4c37d2cba7fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nuazxy.exe

Filesize
403KB

MD5
0cb50e2c3897127ad8c7db18700b59f6

SHA1
fd215ea35ab4db14b27125825488614346afb0c5

SHA256
a41f337047493c843825c6e148b08048e445509d45107646245ceb57ec69ed54

SHA512
004631b6fc5a48a3932d7f635fa615074087d0cbfe7cc5b81f72704752d4a4d3fad26af6266ae206d4d57fd6cb0a560e07a74c4de16d4ddfe0deefd41396eaca

Download Submit
\Users\Admin\AppData\Local\Temp\quwyt.exe

Filesize
223KB

MD5
2cab8832ccd0827c0b153ea0f49b9bcd

SHA1
13119aaa53f665d9543150ee4276b3867094e563

SHA256
387cce54f669ba2ce6557bcccf00373e3ad41d8f9be136ae9cead688a8cb1ef2

SHA512
d93e5076957985d8e30c2e0fa8c94ac50444e004a9e304d6f696849999232c12c32535d86cc86e9de880638076b758ded3732f876dfadbce6ca23e112d971aa7

Download Submit
memory/2584-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2584-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2584-40-0x0000000003C20000-0x0000000003CC0000-memory.dmp

Filesize
640KB

Download
memory/2584-51-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2708-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2708-19-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2752-55-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2752-56-0x0000000000BE0000-0x0000000000C80000-memory.dmp

Filesize
640KB

Download
memory/2868-33-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2868-27-0x00000000030E0000-0x0000000003148000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads