urelas | d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127

General

Target

d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Size

402KB
MD5

4b72cb7dd2593e7d26485ab3f41c24e0
SHA1

3e9703abf1d2466afcb8ad4a67251702e4f7ad89
SHA256

d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127
SHA512

1c620ede140af2d52e170c763be53a2ffc3fd3ed378e45ad234b5ad8d22521d2083ba1cf644b7c6613dc0bcc42a87ae18b8a3384f52f7b7ba5026ece9a924dd3
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohCq:8IfBoDWoyFblU6hAJQnO1

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2848	hoifn.exe
2800	bufoco.exe
1632	rosut.exe

Loads dropped DLL 5 IoCs

pid	Process
2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
2848	hoifn.exe
2848	hoifn.exe
2800	bufoco.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hoifn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bufoco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rosut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe
1632	rosut.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2848	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	30
PID 2484 wrote to memory of 2848	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	30
PID 2484 wrote to memory of 2848	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	30
PID 2484 wrote to memory of 2848	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	30
PID 2484 wrote to memory of 3004	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	31
PID 2484 wrote to memory of 3004	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	31
PID 2484 wrote to memory of 3004	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	31
PID 2484 wrote to memory of 3004	2484	d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe	31
PID 2848 wrote to memory of 2800	2848	hoifn.exe	33
PID 2848 wrote to memory of 2800	2848	hoifn.exe	33
PID 2848 wrote to memory of 2800	2848	hoifn.exe	33
PID 2848 wrote to memory of 2800	2848	hoifn.exe	33
PID 2800 wrote to memory of 1632	2800	bufoco.exe	35
PID 2800 wrote to memory of 1632	2800	bufoco.exe	35
PID 2800 wrote to memory of 1632	2800	bufoco.exe	35
PID 2800 wrote to memory of 1632	2800	bufoco.exe	35
PID 2800 wrote to memory of 2096	2800	bufoco.exe	36
PID 2800 wrote to memory of 2096	2800	bufoco.exe	36
PID 2800 wrote to memory of 2096	2800	bufoco.exe	36
PID 2800 wrote to memory of 2096	2800	bufoco.exe	36

C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe
"C:\Users\Admin\AppData\Local\Temp\d81cfc9b62f633e8388defe768ddaa5454272c1d8e733e2bbadb688770a6d127N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\hoifn.exe
  "C:\Users\Admin\AppData\Local\Temp\hoifn.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\bufoco.exe
    "C:\Users\Admin\AppData\Local\Temp\bufoco.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\rosut.exe
      "C:\Users\Admin\AppData\Local\Temp\rosut.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
f94c012ff4e5fa45f55778df0f3feeb2

SHA1
680b6eefb7a88dadd16a38e25456e8a14a133a76

SHA256
93a0c638363865382e9c9eaf61e37fc2dfe2840c292a69e53403ec07ef270bb8

SHA512
c4b789b0b23e8386d6529ed68ee00c040219bc9e5fb0813f531a475901fcd19804fbc2fce9090a313d8e92468538d9eed67cc94d7cdec09db2e065d52aa85b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
16df94bd4f1d8201fdffd062b145040c

SHA1
5ac34cfd53f909f648143e23bbb713f0c27fabf9

SHA256
753896ac850171081f7dcf3d87e176c7fe79f313a11d6e99ebf322633556dd5a

SHA512
3b4c0bfc4511d18d4349e560c6b746a96f15c2bd828c79676b6732c5d5942b6dec2e8dfc0980cab5c4e1823bebebfca23bf104266c0534729b2e291fa9b78951

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
baa5a969eac825f54b3ae4c6e894f7ea

SHA1
5f6ceb95110d470464434ba737d1b5e370fb4e5c

SHA256
b60c2c0556c28d84c7abf75fc38aeb8fcffe080194b1574e5ed1bf32f63adf8b

SHA512
52fb439d8fe859eb81f626f27fb6695ad92c38959dc8a85183875a24b2b6fff516a9b1c442d793128e4b8459237b0c7c4b0f35325c004f828304e23ce0d144b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hoifn.exe

Filesize
402KB

MD5
03b540fa1c67c6225ba22aeffb05042d

SHA1
2391e1f213249bc117942314786f48a765169cf8

SHA256
87ffde8492ce601b21e359e36fec084047770dd2688ce74aaaea308582ccac37

SHA512
96edf517be42cc15d0488b8edc756d148295f8d13bcb4877a2df71debb90b0381d2251245317551ced1325a2454a2082622f2c29aa555b4e62d44674cab97163

Download Submit
\Users\Admin\AppData\Local\Temp\bufoco.exe

Filesize
402KB

MD5
354c46dbed0379731390317c283f98bf

SHA1
60467efedb582e68315e99581148280bc95fd4d1

SHA256
8a0db4312b8fe98bf3f93dd73faa25efe4588ceeb1d1df04ed1443ef3a6ba30b

SHA512
7bcc7cf1113b5ff433d067c62fd26710480f2991f00dce734a9751b599429d69aace6a807164f483bfeb88a96a05ac11403f4e88b190c05d0b02d41b98bd2313

Download Submit
\Users\Admin\AppData\Local\Temp\rosut.exe

Filesize
223KB

MD5
ccb2679ad0f7640cee9efb75ca79212d

SHA1
5079beb7926fa461dc73ae3afd7e3427491345df

SHA256
ec24c384aa3596dbb428a01a5b9be8b541ebfa407a089baf7fd44ae5d96ff557

SHA512
45d5d36bdee6117ecf039071882e25c4c487e58cbcbdb3084d8a9792fe668e34f2c08b3e3b15d46fd7d4d1eb0430edba63fa49ac1301ad7b452b264cab731003

Download Submit
memory/1632-59-0x00000000000D0000-0x0000000000170000-memory.dmp

Filesize
640KB

Download
memory/1632-58-0x00000000000D0000-0x0000000000170000-memory.dmp

Filesize
640KB

Download
memory/1632-46-0x00000000000D0000-0x0000000000170000-memory.dmp

Filesize
640KB

Download
memory/2484-6-0x0000000002810000-0x0000000002878000-memory.dmp

Filesize
416KB

Download
memory/2484-13-0x0000000002810000-0x0000000002878000-memory.dmp

Filesize
416KB

Download
memory/2484-21-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2484-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2800-54-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2800-44-0x0000000002E50000-0x0000000002EF0000-memory.dmp

Filesize
640KB

Download
memory/2800-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2848-32-0x0000000003000000-0x0000000003068000-memory.dmp

Filesize
416KB

Download
memory/2848-33-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2848-34-0x0000000003000000-0x0000000003068000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing