urelas | e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0

General

Target

e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
Size

447KB
MD5

4ef67d935d3f16ccf748c6f50c023900
SHA1

25af3f55bb0f0d3f79e9cb806d0263e41a4a06ff
SHA256

e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0
SHA512

8ce2ffe057a36d33569fe3f53a170a8d699f1a78a1c40e791e5be4ae94fdb86d120d2c1224e0d0156d97a358373350f226dbc004c91774643120c8919669778a
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFS:CMpASIcWYx2U6hAJQnh

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2480	lovob.exe
2668	kecogu.exe
2924	zyyrd.exe

Loads dropped DLL 3 IoCs

pid	Process
1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
2480	lovob.exe
2668	kecogu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kecogu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyyrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lovob.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe
2924	zyyrd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2480	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	31
PID 1628 wrote to memory of 2480	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	31
PID 1628 wrote to memory of 2480	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	31
PID 1628 wrote to memory of 2480	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	31
PID 1628 wrote to memory of 3064	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	32
PID 1628 wrote to memory of 3064	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	32
PID 1628 wrote to memory of 3064	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	32
PID 1628 wrote to memory of 3064	1628	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	32
PID 2480 wrote to memory of 2668	2480	lovob.exe	34
PID 2480 wrote to memory of 2668	2480	lovob.exe	34
PID 2480 wrote to memory of 2668	2480	lovob.exe	34
PID 2480 wrote to memory of 2668	2480	lovob.exe	34
PID 2668 wrote to memory of 2924	2668	kecogu.exe	36
PID 2668 wrote to memory of 2924	2668	kecogu.exe	36
PID 2668 wrote to memory of 2924	2668	kecogu.exe	36
PID 2668 wrote to memory of 2924	2668	kecogu.exe	36
PID 2668 wrote to memory of 1996	2668	kecogu.exe	37
PID 2668 wrote to memory of 1996	2668	kecogu.exe	37
PID 2668 wrote to memory of 1996	2668	kecogu.exe	37
PID 2668 wrote to memory of 1996	2668	kecogu.exe	37

C:\Users\Admin\AppData\Local\Temp\e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
"C:\Users\Admin\AppData\Local\Temp\e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\lovob.exe
  "C:\Users\Admin\AppData\Local\Temp\lovob.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\kecogu.exe
    "C:\Users\Admin\AppData\Local\Temp\kecogu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\zyyrd.exe
      "C:\Users\Admin\AppData\Local\Temp\zyyrd.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
5a14475ebd02d386b9b778f7f6ac33b7

SHA1
48b1eb25f3eb05952dbba4ddae0301e811756619

SHA256
b1c31ba67da796cbaa1f466b5ca194830602eff3e4e33fb976029d67aece2e84

SHA512
7969c2cca2a4f0f4d760dafcc880b68c04cc057f511864ae4bdc029e4048dceacd1dee21718b4b1955474c14d6cca5ccdafd99f12db6f4f3d27c90d1051f717a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2e931c63ee1e0b56bd9735245e300a29

SHA1
b5ea30ece7703101d0d561af1c9cda9ef861f8c0

SHA256
5a8c1f065681cc37c37378f383abc94fde484c4b8dfa817ae477b076e7878627

SHA512
23d3c411f4a2d536c3b87440b5d0c9da7cd731f7598f462d42cde192bf09ab0efd9d54295995a1e124b2f764f5366b9c1e7578431b687372ce9731bc70d299b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f26fc3dfe5b305651609f146a14ac69b

SHA1
808311aeec90f09cb0381f303364c1e8aa3964de

SHA256
e427da55001c3286cf1ed88939d8bef551a36698b5647062d3694cd4b3c61f64

SHA512
ac54fa509300f908f24e3fb0bd59aeb710ff217a6ff1afdc7bc98b0836d0147dc6a72932ac52d5e5775b6de34be2e6dee0cb984faa566c2cb297d42c87d7f3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kecogu.exe

Filesize
447KB

MD5
2af9beb5d422dfebd1e2b593b5ea44bd

SHA1
f7a2f4cf6ef639212877ac93e8ea5275ad2309e2

SHA256
116b1aee33f5a354774efe4095d653def81ce6b9b24df1651edbe64de9ff2b09

SHA512
424e5b887658e2c7f3eb994cc33e8747ff286ea8bc8e547b655bd11814eba63f024bfe8e8953a3c923e7f0b4c7cfae0b95f037ca388047ad48ff995d364e9791

Download Submit
C:\Users\Admin\AppData\Local\Temp\lovob.exe

Filesize
447KB

MD5
a04019d478df7f72ced9473005ad8ed2

SHA1
61d03b9fa21b5a67f572bb2ccef736125fca6473

SHA256
11dfecc17174f8cfaf637677161c23d425b326ce581996960a4fa783658d0302

SHA512
6e60f2d5468b1ff23129fdecc128f4db65539a616e2c91ec5ac74914626fd01ed4e8028d7d0a36e433cdcd54b47e3ed7bb9d7dcc3348153715176039fcd2aa98

Download Submit
\Users\Admin\AppData\Local\Temp\zyyrd.exe

Filesize
223KB

MD5
db625dd6af3d7e38d39be05575a72839

SHA1
3b1a9c68facaf066d725849da1035bbedcf0d372

SHA256
d0a2d2fba2fce1a7fdfc9f30380ab2428bcd5d3dff97ea99450d7afa7567cfdd

SHA512
7f801b4ed504a17685a0c873a2c1880c6d303e03c52c753ddc4b5ad9c03cb4679f7e70d23c1f17ee37c9987dd66d53e22f1d0827b6449495039f180169c9714d

Download Submit
memory/1628-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1628-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2480-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2480-25-0x0000000003650000-0x00000000036BE000-memory.dmp

Filesize
440KB

Download
memory/2480-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2668-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2668-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2668-35-0x00000000031D0000-0x0000000003270000-memory.dmp

Filesize
640KB

Download
memory/2668-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2924-39-0x0000000000030000-0x00000000000D0000-memory.dmp

Filesize
640KB

Download
memory/2924-51-0x0000000000030000-0x00000000000D0000-memory.dmp

Filesize
640KB

Download
memory/2924-52-0x0000000000030000-0x00000000000D0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing