urelas | b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341

General

Target

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
Size

333KB
MD5

7c52fa1dc9e1c5e59b28723dfab0a5b6
SHA1

90838f4318a86b255e60c6d6d44faabcf7a3e254
SHA256

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341
SHA512

52110668c323a0e6fb653f7aa17c28ad5fa4f30bf6cba9e582f89b1ad4004b8596d4bc534b52c3f31b530298878caf01342c5979ea4edcb5f8d96b5a98805d52
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYiU:vHW138/iXWlK885rKlGSekcj66ci/U

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2548 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

lecop.exeqoxur.exe

pid process

1216 lecop.exe
1996 qoxur.exe
Loads dropped DLL 2 IoCs

Processes:

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exelecop.exe

pid process

1736 b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
1216 lecop.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2548	cmd.exe

pid	process
1216	lecop.exe
1996	qoxur.exe

pid	process
1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
1216	lecop.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exelecop.execmd.exeqoxur.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lecop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoxur.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

qoxur.exe

pid	process
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe
1996	qoxur.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exelecop.exe

description	pid	process	target process
PID 1736 wrote to memory of 1216	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	lecop.exe
PID 1736 wrote to memory of 1216	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	lecop.exe
PID 1736 wrote to memory of 1216	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	lecop.exe
PID 1736 wrote to memory of 1216	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	lecop.exe
PID 1736 wrote to memory of 2548	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 1736 wrote to memory of 2548	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 1736 wrote to memory of 2548	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 1736 wrote to memory of 2548	1736	b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe	cmd.exe
PID 1216 wrote to memory of 1996	1216	lecop.exe	qoxur.exe
PID 1216 wrote to memory of 1996	1216	lecop.exe	qoxur.exe
PID 1216 wrote to memory of 1996	1216	lecop.exe	qoxur.exe
PID 1216 wrote to memory of 1996	1216	lecop.exe	qoxur.exe

C:\Users\Admin\AppData\Local\Temp\b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe
"C:\Users\Admin\AppData\Local\Temp\b9a4ef2e93da2c76fdf66f0054078c993adb4aba091449213f95920f7760d341.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\lecop.exe
  "C:\Users\Admin\AppData\Local\Temp\lecop.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Local\Temp\qoxur.exe
    "C:\Users\Admin\AppData\Local\Temp\qoxur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
a54630d7c21fb442b07d11534ffc4e22

SHA1
1f18054b31dc4f877ae5bb5ffe13a818db9f02bf

SHA256
761dccdc20e1864808dbe66b5dd552bcbf0232270955c82a25af07f2720eb5a6

SHA512
1002d310e6f02b9275b1a4d77d90cb50682c96716d999c7dac564310fa8134cf785a5102ca2093d3d1c595b1e0d94f55468b04a33289cabb2a9a12c98c222305

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ff86ad3ba05ce1c6c9cbce91ebf83286

SHA1
209637bbf0a5b86a12b9563e72bfa2073e3c7296

SHA256
12dbbe7f9851f0fc76fab92c704558e28da3a824ba304137658eac9da7d0af0d

SHA512
b60b6b948c833b92053fee7faee3befb49ad6ea1c57d3570cd53915de0e8c96f767094e4715bc0619e74814a01e43722a5910a94f46ffb0686afc1eae0bc2424

Download Submit
\Users\Admin\AppData\Local\Temp\lecop.exe

Filesize
333KB

MD5
aca52b3f750bc0c1c063254c8cb4416e

SHA1
a7ea1ff2e81e6ddcbd65bb73e1973d2027b563f0

SHA256
326b8263f3cf145f5d24e772c483a1e5144f37cb69108817cf4140f9b258e2f6

SHA512
2b5da0eed2e0b230fa05cc5933dde85a94cb92e919856a87c882911f38bb8befab177ec95aab8e8350dc871b760df7b0187f7a1feae1b4866506a85f00ec0f2e

Download Submit
\Users\Admin\AppData\Local\Temp\qoxur.exe

Filesize
172KB

MD5
dd27dd943660fa4372b0051053eb06c4

SHA1
65f70f5688149b5b7be2770f12b78b2212db4d4a

SHA256
f34e21669000ba641c134c1dfb228a7b3cb8fc45d4b14d64fbf52f95a7ff278b

SHA512
38e3924dd4d88fbda868d1bd2eeddb8a6ac23a8cd8f1fd3a593ce794155e7d480c041a6a0fad9934594ee2367765f60dcb9e028b570fce396c9be34b2b9c28fb

Download Submit
memory/1216-39-0x0000000002170000-0x0000000002209000-memory.dmp

Filesize
612KB

Download
memory/1216-43-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/1216-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1216-24-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/1216-20-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/1736-19-0x0000000002600000-0x0000000002681000-memory.dmp

Filesize
516KB

Download
memory/1736-18-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/1736-32-0x0000000002600000-0x0000000002681000-memory.dmp

Filesize
516KB

Download
memory/1736-0-0x0000000000160000-0x00000000001E1000-memory.dmp

Filesize
516KB

Download
memory/1736-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1996-44-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-41-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-48-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-49-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-50-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-51-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/1996-52-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads