urelas | e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0

General

Target

e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
Size

447KB
MD5

4ef67d935d3f16ccf748c6f50c023900
SHA1

25af3f55bb0f0d3f79e9cb806d0263e41a4a06ff
SHA256

e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0
SHA512

8ce2ffe057a36d33569fe3f53a170a8d699f1a78a1c40e791e5be4ae94fdb86d120d2c1224e0d0156d97a358373350f226dbc004c91774643120c8919669778a
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFS:CMpASIcWYx2U6hAJQnh

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	yhbum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	yxescy.exe

Executes dropped EXE 3 IoCs

pid	Process
4276	yhbum.exe
1100	yxescy.exe
2416	vofiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yhbum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxescy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vofiq.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe
2416	vofiq.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 4276	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	83
PID 3280 wrote to memory of 4276	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	83
PID 3280 wrote to memory of 4276	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	83
PID 3280 wrote to memory of 2628	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	84
PID 3280 wrote to memory of 2628	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	84
PID 3280 wrote to memory of 2628	3280	e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe	84
PID 4276 wrote to memory of 1100	4276	yhbum.exe	87
PID 4276 wrote to memory of 1100	4276	yhbum.exe	87
PID 4276 wrote to memory of 1100	4276	yhbum.exe	87
PID 1100 wrote to memory of 2416	1100	yxescy.exe	107
PID 1100 wrote to memory of 2416	1100	yxescy.exe	107
PID 1100 wrote to memory of 2416	1100	yxescy.exe	107
PID 1100 wrote to memory of 64	1100	yxescy.exe	108
PID 1100 wrote to memory of 64	1100	yxescy.exe	108
PID 1100 wrote to memory of 64	1100	yxescy.exe	108

C:\Users\Admin\AppData\Local\Temp\e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe
"C:\Users\Admin\AppData\Local\Temp\e8f19f777f0a7fd6c3e4ef59c0f2075c68778158dc8bed6c756ca103453901a0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\yhbum.exe
  "C:\Users\Admin\AppData\Local\Temp\yhbum.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Local\Temp\yxescy.exe
    "C:\Users\Admin\AppData\Local\Temp\yxescy.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\vofiq.exe
      "C:\Users\Admin\AppData\Local\Temp\vofiq.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:64
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
b65df7184c9976654577adf6fd17b4e9

SHA1
0455c5a8588ccbd28e1aaa08fc0710ed2b53ac5e

SHA256
4518eff1211518e1eaa4baddc44c6c76026133dea6c88d6877996ec6bff07387

SHA512
aaf2961981db6db951fc6c2af549295d0ea1f99db2040e86ec8ff545127b7b4dc919445878a713ec5cf34d54e9e6a7c4fdfb4933490b107f064b14769b3fb503

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
5a14475ebd02d386b9b778f7f6ac33b7

SHA1
48b1eb25f3eb05952dbba4ddae0301e811756619

SHA256
b1c31ba67da796cbaa1f466b5ca194830602eff3e4e33fb976029d67aece2e84

SHA512
7969c2cca2a4f0f4d760dafcc880b68c04cc057f511864ae4bdc029e4048dceacd1dee21718b4b1955474c14d6cca5ccdafd99f12db6f4f3d27c90d1051f717a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7c7f16d9a0a2817fdab7074391a4b97d

SHA1
50adc67a5d646a3d2b4b7b34ac88e98a26a23b9f

SHA256
326d27b4593b92744fd9de567734a93cd452be9821d203b680d1e01be4d21152

SHA512
25142149a9824d003ca99066f1257faf622a8863a94bec9c6f751761326fcb102bde4d1ea8eba82b37f3b8ebbcdeca9e1f609d422c39a7dda69e6efd1f984ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vofiq.exe

Filesize
223KB

MD5
2049fe4f071fc94e932ad9f62080b99f

SHA1
2cde87ba753dea298fc63f2dd9099bc5d332e922

SHA256
d05ec28d3a5bc322a1a04718721f923bbc6bb825e1e0131029a126ed3a2d89eb

SHA512
b2515cd73a4138f4f88cfca9d1f417a69048721d1d4bf7eb3cb3585bd080e5f80c2dc5a86309063c424c7fcf9872043818ef234fe07dac6920b3508475516065

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhbum.exe

Filesize
447KB

MD5
1d4830e853b7fd9310fa707a6b0ff193

SHA1
40990e3dcfb6e3778e1ce24f276756c9c0c00654

SHA256
1486e5f1b51505d8bc8d3cce9f6c1ea535191f7f2da3a6158de6fcb1de00b134

SHA512
54bf2f0fd899834d0d470ef5cc137d82096dfd347652b5235092a3582ea5336b6318cf0a1c3cee69f5663813943eeb4be189f4724d51b3e5b19515a2920e3489

Download Submit
C:\Users\Admin\AppData\Local\Temp\yxescy.exe

Filesize
447KB

MD5
82fec77e88b856542123f3b520e10fce

SHA1
c6f64d7928e782f8330be676cba00ba236e84fa8

SHA256
f02eef00303845419130b1af4e5ea40ec10c8bc60e5315cd491ede76ac4ab8f2

SHA512
2b8d108d417881420121765c957ce62f44532b9792a3894c1699df375aed2b3821394f279b3b001d5377dad2eea905e7f150804f5faf5019425e46512e429499

Download Submit
memory/1100-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1100-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2416-42-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/2416-41-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/2416-36-0x00000000006E0000-0x0000000000780000-memory.dmp

Filesize
640KB

Download
memory/3280-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3280-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4276-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing