urelas | 67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fb

General

Target

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
Size

448KB
MD5

eab7f8c8a9a42c5880fdbf3929e15a70
SHA1

516886d2b2b05c7774c4aff0480a44f17152c79e
SHA256

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fb
SHA512

efc09439cfce232e71bc5e97586355fe59ccf9d0a4c5c9a9332c95830a08dec42c3d00d818e6a5c983c1456848638f052ce0e4aca289a9fde70caf9ace59efbd
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2896 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

toebm.exevewoby.exegytui.exe

pid process

1632 toebm.exe
2704 vewoby.exe
2976 gytui.exe
Loads dropped DLL 3 IoCs

Processes:

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exetoebm.exevewoby.exe

pid process

1352 67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
1632 toebm.exe
2704 vewoby.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2896	cmd.exe

pid	process
1632	toebm.exe
2704	vewoby.exe
2976	gytui.exe

pid	process
1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
1632	toebm.exe
2704	vewoby.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

toebm.execmd.exevewoby.exegytui.execmd.exe67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toebm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vewoby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gytui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

gytui.exe

pid	process
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe
2976	gytui.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exetoebm.exevewoby.exe

description	pid	process	target process
PID 1352 wrote to memory of 1632	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	toebm.exe
PID 1352 wrote to memory of 1632	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	toebm.exe
PID 1352 wrote to memory of 1632	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	toebm.exe
PID 1352 wrote to memory of 1632	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	toebm.exe
PID 1352 wrote to memory of 2896	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 1352 wrote to memory of 2896	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 1352 wrote to memory of 2896	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 1352 wrote to memory of 2896	1352	67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe	cmd.exe
PID 1632 wrote to memory of 2704	1632	toebm.exe	vewoby.exe
PID 1632 wrote to memory of 2704	1632	toebm.exe	vewoby.exe
PID 1632 wrote to memory of 2704	1632	toebm.exe	vewoby.exe
PID 1632 wrote to memory of 2704	1632	toebm.exe	vewoby.exe
PID 2704 wrote to memory of 2976	2704	vewoby.exe	gytui.exe
PID 2704 wrote to memory of 2976	2704	vewoby.exe	gytui.exe
PID 2704 wrote to memory of 2976	2704	vewoby.exe	gytui.exe
PID 2704 wrote to memory of 2976	2704	vewoby.exe	gytui.exe
PID 2704 wrote to memory of 2928	2704	vewoby.exe	cmd.exe
PID 2704 wrote to memory of 2928	2704	vewoby.exe	cmd.exe
PID 2704 wrote to memory of 2928	2704	vewoby.exe	cmd.exe
PID 2704 wrote to memory of 2928	2704	vewoby.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe
"C:\Users\Admin\AppData\Local\Temp\67980c2d0d647df48bdedc9637049e7f6da945bd574f66f22538923f99f067fbN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\toebm.exe
  "C:\Users\Admin\AppData\Local\Temp\toebm.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\vewoby.exe
    "C:\Users\Admin\AppData\Local\Temp\vewoby.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\gytui.exe
      "C:\Users\Admin\AppData\Local\Temp\gytui.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
db605b6f1d7aa265c278831a12ca09df

SHA1
fac8b7476576df2c60dd8e1ee789e6dae4f48177

SHA256
8bdf6d1ecdffb1e722a057ece13b2e619ddb4f84b4d087314338a93f209c3273

SHA512
85068d322f1f6504c35ec4dcd1890c8ca81e9c1c543f1df9aab27bc0cc8610e2ced40a22cabc317d8fc1197ad15b3a8d8ef26cb3af5cd3753ea50f8453951c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6ad118d8262a20b2d533f5c158a851d0

SHA1
4221ed7fd31005231c1e1c5d6ddfd3caf7138820

SHA256
28abbc31c92d3289a4db32031761851b4ff8107f04594f45b6829fec0a4bd881

SHA512
30a7e4253cf0cb340b834ac73e1c77dc92d650ebf03b48d7a50935bbb6bea89284a7e783d577ea31d774bc9268d57604dccda82c44a6450bf0d6873b04671e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a86533da800eb8d956ef716f8c0dffb3

SHA1
eb56001fcde6947cb1f5be0e606d7149b671a45f

SHA256
c99d07ced8f4f93c050a1214cea676ab9867b194d003064e8cc1fcb0d2477a9a

SHA512
af8b7e18cde273301beb7654ff230636b537dd63c2dd39dc68adaf53343fce03d74227f7e91e55561a273a9b8a00c3c2d3e6142212161b23a5ace2c3cf00c8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vewoby.exe

Filesize
448KB

MD5
9326e7e8895d8785b20cd75e9d60f942

SHA1
3c8ea0b71901f338e3f48b6ff3fc15710c4be48a

SHA256
da1103261bbe58107ee13ab3fec8ceeaaa2dcd035fd4e8253a1709fce404fbf4

SHA512
d6e59df68d6bf11305e100bcec900b297ebe572acaa3710fb1ad4e00eea2ab7b8342a50665c4a000baa49827ce9e9823fcbe357a2cc88f876c3525d77ab4f556

Download Submit
\Users\Admin\AppData\Local\Temp\gytui.exe

Filesize
223KB

MD5
8d02659220d3b266687638e4997ea7f0

SHA1
0a64b677bf26a09b808bf9f6d8f5fb3b9a35d0ca

SHA256
14f3c3ea29f6b9beb1f589657a2691e7cfc36b6995298c10909a0a709a74e953

SHA512
cdef2c679cc8726e755adb4c8aead6f196664ce736b1eb49d1938fe9e35987265f2209fecc12d9df46dd880c1d7662695501063125cbefc08f75e32d0cf2e59d

Download Submit
\Users\Admin\AppData\Local\Temp\toebm.exe

Filesize
448KB

MD5
8758cf590ba4b4082ee98c3ae121242a

SHA1
cd87e07aba9f17bb590ffd6230e9cc3eedb5e800

SHA256
6a8f89120f869cb3f5eecba2f9b3e7575fd96751ae62ad79f1ccd6fb8652d4d1

SHA512
ec1246037ae8e1ec8b87ecccc46e7a2a634413536a1c84dc25916de1b9a5350602a67e0bec19112d4feb30c0acf3e5439b0914c6384ecb6be01963bcf284366f

Download Submit
memory/1352-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1352-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1632-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1632-9-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2704-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2704-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2704-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2704-36-0x0000000002CF0000-0x0000000002D90000-memory.dmp

Filesize
640KB

Download
memory/2976-46-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download
memory/2976-50-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download
memory/2976-51-0x0000000000800000-0x00000000008A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads