urelas | 53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36

General

Target

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
Size

448KB
MD5

237bf8b80379fecacc1952cf482542a9
SHA1

07c0b8b89b202ada728a9f8a2ee0b967bbe42ece
SHA256

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36
SHA512

ba08ecc6e6acb0dd8d552e7f8a376263aab28a364912edf921c2f25d7e125959616e3052773b4438b5fb94ae91074e1ec3a278f6edc5440be2ac1769220430b2
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFb:CMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2056 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

ojvif.exesudemu.exegosea.exe

pid process

2104 ojvif.exe
1044 sudemu.exe
1984 gosea.exe
Loads dropped DLL 3 IoCs

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exeojvif.exesudemu.exe

pid process

2976 53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
2104 ojvif.exe
1044 sudemu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2056	cmd.exe

pid	process
2104	ojvif.exe
1044	sudemu.exe
1984	gosea.exe

pid	process
2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
2104	ojvif.exe
1044	sudemu.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exeojvif.exesudemu.execmd.exegosea.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojvif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sudemu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gosea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

gosea.exe

pid	process
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe
1984	gosea.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exeojvif.exesudemu.exe

description	pid	process	target process
PID 2976 wrote to memory of 2104	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	ojvif.exe
PID 2976 wrote to memory of 2104	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	ojvif.exe
PID 2976 wrote to memory of 2104	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	ojvif.exe
PID 2976 wrote to memory of 2104	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	ojvif.exe
PID 2976 wrote to memory of 2056	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2976 wrote to memory of 2056	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2976 wrote to memory of 2056	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2976 wrote to memory of 2056	2976	53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe	cmd.exe
PID 2104 wrote to memory of 1044	2104	ojvif.exe	sudemu.exe
PID 2104 wrote to memory of 1044	2104	ojvif.exe	sudemu.exe
PID 2104 wrote to memory of 1044	2104	ojvif.exe	sudemu.exe
PID 2104 wrote to memory of 1044	2104	ojvif.exe	sudemu.exe
PID 1044 wrote to memory of 1984	1044	sudemu.exe	gosea.exe
PID 1044 wrote to memory of 1984	1044	sudemu.exe	gosea.exe
PID 1044 wrote to memory of 1984	1044	sudemu.exe	gosea.exe
PID 1044 wrote to memory of 1984	1044	sudemu.exe	gosea.exe
PID 1044 wrote to memory of 2044	1044	sudemu.exe	cmd.exe
PID 1044 wrote to memory of 2044	1044	sudemu.exe	cmd.exe
PID 1044 wrote to memory of 2044	1044	sudemu.exe	cmd.exe
PID 1044 wrote to memory of 2044	1044	sudemu.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe
"C:\Users\Admin\AppData\Local\Temp\53b499634bfb159fb960f58958ffd4b8338c83a26c9f1b7ddc204aefc9ef3c36.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\ojvif.exe
  "C:\Users\Admin\AppData\Local\Temp\ojvif.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\sudemu.exe
    "C:\Users\Admin\AppData\Local\Temp\sudemu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\gosea.exe
      "C:\Users\Admin\AppData\Local\Temp\gosea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6ad3191e2d25541d1db7455ccb5e6463

SHA1
f145be902af1409d277a40f9b7e6fe44fac7b678

SHA256
9fc1fe63d4e6e863c59d9a4f292d7d2c0b4abbbe0313535914b4d1087577fcef

SHA512
769e455c692722f56ff569bbc2adeb3d5341bddc1b71f510cd54c24cbf064a4a43cdc87e919831cd1ecf5bd44a26ab994fec2a4924b6871aa3123543f8e6bafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
015cb43f9dd153167f33b8d295d9b3ff

SHA1
f0498b3730e6209cbef40d79b68e2c4a6fca13e5

SHA256
220c8b59c993f34ce4c60870c42b4c6d9cd2d554abe906350033f183e890428e

SHA512
2e98ab68617f58c965da4bbbcc09f1dee5dd4157c409de0809e265f707b037b581cb851d5b4b5fa043280d71a42030d9d88f80c31034dbae608921e4dabd4898

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
676460baeb2cc619649f036c649ca3c7

SHA1
a90694c424d951ef0f2fa5ff6ac9137f9d2e322c

SHA256
748169acc668c82b298ec24e72119e017afb023aa60f9580299086292c083a21

SHA512
b6780916546685aa199485a0f9b61fd39780fee4bc52fc5f57548b4133531994ff09a60bd2b32df12d7b99624c171b30ed0a24d1ec51abca46a7f2022e696f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sudemu.exe

Filesize
448KB

MD5
db3612ab94afb91ba2e47ee47195a657

SHA1
1f09352e587ece7df6a63c28ee77dd3e6b44bc0b

SHA256
da5efc4c08babcf0f2c26da690d0cfc98b81231ffae48997c1aa8723e48d083e

SHA512
0982d0b5b5d108df696bd08f058eb19b038ec00de78d15f6ed13d5653d78110a75de26fe780120844fcf84837c89c5fbaa914ed5ed4d62b5bc1539cb061439a6

Download Submit
\Users\Admin\AppData\Local\Temp\gosea.exe

Filesize
223KB

MD5
25992ceb619d57bcc7f1ac2abf6123a5

SHA1
488c2e8a71a75011ee4627c1f83059d13c2a8c05

SHA256
7ed0612c35ac7e7c1a1582784d99a09f20db5414566cf70f2924f734bdee1a9a

SHA512
e35cf732e7679914dd9017c6ed1bfcfc97b1d4510e6a709f6cc655d7f1c8c592a565602ac2323bccf6294cb1838ac903ae8f0b8bc9ac0bb50979c6da5593d69c

Download Submit
\Users\Admin\AppData\Local\Temp\ojvif.exe

Filesize
448KB

MD5
f1b81f33912d54684119c7f972f5eb23

SHA1
59d3bb4fc53ae977c500c4d9392946db692f4fb0

SHA256
e27c4e1c65d16477cd80272935712195c61f0c6874aa52ca0e020a4633f05089

SHA512
afc237ce31c885a3118c0a50d3913bf1c2e97526235cd99eff336a6843d220135fa433a730c639e7e284b58e419aabf0cd7a64281ae37a9bd7a429f75b3982d9

Download Submit
memory/1044-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1044-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1044-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1044-37-0x0000000003B60000-0x0000000003C00000-memory.dmp

Filesize
640KB

Download
memory/1984-39-0x0000000000350000-0x00000000003F0000-memory.dmp

Filesize
640KB

Download
memory/1984-51-0x0000000000350000-0x00000000003F0000-memory.dmp

Filesize
640KB

Download
memory/1984-52-0x0000000000350000-0x00000000003F0000-memory.dmp

Filesize
640KB

Download
memory/2104-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2104-10-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2976-7-0x00000000029D0000-0x0000000002A3E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads