urelas | 2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd

General

Target

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Size

453KB
MD5

92dbb63475ed85b64c332c1b5a4388b4
SHA1

27aff6f89f1b33c93104cc735e4fc33c5ef5f780
SHA256

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd
SHA512

69f01ad4f2754f05be3375e93e0c97eebdb24778ec225e2473456095e9fb41f6b778a454866e7573f28160b4237aeda27eda56f367a3d678634792e70aa71ada
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFB:CMpASIcWYx2U6hAJQni

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2820	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

qoams.exesubeky.exeliduz.exe

pid	Process
2432	qoams.exe
2772	subeky.exe
400	liduz.exe

Loads dropped DLL 3 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exeqoams.exesubeky.exe

pid	Process
804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
2432	qoams.exe
2772	subeky.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesubeky.execmd.exeliduz.exe2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exeqoams.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subeky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liduz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoams.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

liduz.exe

pid	Process
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe
400	liduz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exeqoams.exesubeky.exe

description	pid	Process	procid_target
PID 804 wrote to memory of 2432	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	30
PID 804 wrote to memory of 2432	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	30
PID 804 wrote to memory of 2432	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	30
PID 804 wrote to memory of 2432	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	30
PID 804 wrote to memory of 2820	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	31
PID 804 wrote to memory of 2820	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	31
PID 804 wrote to memory of 2820	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	31
PID 804 wrote to memory of 2820	804	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	31
PID 2432 wrote to memory of 2772	2432	qoams.exe	33
PID 2432 wrote to memory of 2772	2432	qoams.exe	33
PID 2432 wrote to memory of 2772	2432	qoams.exe	33
PID 2432 wrote to memory of 2772	2432	qoams.exe	33
PID 2772 wrote to memory of 400	2772	subeky.exe	35
PID 2772 wrote to memory of 400	2772	subeky.exe	35
PID 2772 wrote to memory of 400	2772	subeky.exe	35
PID 2772 wrote to memory of 400	2772	subeky.exe	35
PID 2772 wrote to memory of 1712	2772	subeky.exe	36
PID 2772 wrote to memory of 1712	2772	subeky.exe	36
PID 2772 wrote to memory of 1712	2772	subeky.exe	36
PID 2772 wrote to memory of 1712	2772	subeky.exe	36

C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
"C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\qoams.exe
  "C:\Users\Admin\AppData\Local\Temp\qoams.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Users\Admin\AppData\Local\Temp\subeky.exe
    "C:\Users\Admin\AppData\Local\Temp\subeky.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\liduz.exe
      "C:\Users\Admin\AppData\Local\Temp\liduz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a52b5a348d9d3bbd9b35603d466ff6ba

SHA1
ebf33971d24a6bc26ae8b06fa9cd7dde8e6b6697

SHA256
7109f01251179a27c5285e202f6712b548446c166abe2f122d7e60a15a4d9944

SHA512
d9b99c103437527efefa8c6636bb6e100d01314b5dfd99e85503632343f3f234f643571410bb312ddfb1f3e2dfe063237e13bb220b640ba94c616e3ee4818513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
89d1b5637feb9a9a98de7b48239bb626

SHA1
f7991c89ecafd3bed3261902d86af78713d0f40c

SHA256
da034a07cc1e8ccc3d067eb1bdce6699a0af4c4bef2fc9579dbf8ea6122e163d

SHA512
3e64bea492c6f4c6ea5b430462cf9b0a213f4db50b463c8f7df5cff0fd81a937f65ee2a94d8ee32b7c3fb72a13b2df0967e3879f7ac11097ba1a493db72ba1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bea9354650132ccc34f5e160d3ebad34

SHA1
15a36bf13120d669ff1161fc0726ce178b8e92fa

SHA256
c7dc39a102d093b3e5e6e3c9f1080fedaf2db9d124a02c7ea4c8fadabb8645f3

SHA512
3a3924824705fe5af33e33e55499b67576ac943619cf8791587e966ee0f6372cab431943f1277119117973dd9250a3ab0eec77b45827b528f84c8e354cb21128

Download Submit
C:\Users\Admin\AppData\Local\Temp\liduz.exe

Filesize
223KB

MD5
55d515fe146ecf7167baaf36d01ae4dc

SHA1
9b44a0fab64e15dfb30b0a2317bd9c3424fbfdd6

SHA256
a1a258017a3f2912f2041f4b77022be5fb420d6aee1e023280eeff8aa47e5f7f

SHA512
e65a3c849b5ca51f876e59e96f34276c002674803503b96e82c48086f40bfcd27ad5aafe5d59aa81890ce550029f8ffe63f50fd374ca0a19053a358f8b1f3aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\subeky.exe

Filesize
453KB

MD5
26cc8ab3d5c6dda0fd446a8481d9977e

SHA1
d7dba84778f76b5b17cbdc70102c74f8ff2f467e

SHA256
4e3ec6b801ace8bea6f1a254d67fc0f587c69c03a33ffad45a31306244aab9ee

SHA512
2c001d5688a9a9c088515868064d2ebb01dd7b17ddf3a41c63d16141f04f893b4b130b6faba1ddddee8eff09d1d9e9d9949fd025d941e4a99c86d229b339ff70

Download Submit
\Users\Admin\AppData\Local\Temp\qoams.exe

Filesize
453KB

MD5
51caf29491f3b55188d2e18c4007b590

SHA1
6127a2ea9e95b2fb133ef367adba2b332baf97b5

SHA256
5cf1d87659bd0504d2ec98578896f2efa95162db618fd00e0f9bb7e5b88bf9eb

SHA512
7d08060a588f6f7467b333faf0089aade293fc8fcf20ed514d9859211dd89ff040f0304b0437bd9a6358602ffbe0401dd0fd5d51abc52f0844e9317ce7afeaa5

Download Submit
memory/400-46-0x0000000001140000-0x00000000011E0000-memory.dmp

Filesize
640KB

Download
memory/400-50-0x0000000001140000-0x00000000011E0000-memory.dmp

Filesize
640KB

Download
memory/400-51-0x0000000001140000-0x00000000011E0000-memory.dmp

Filesize
640KB

Download
memory/804-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/804-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2432-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2432-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-43-0x0000000003AF0000-0x0000000003B90000-memory.dmp

Filesize
640KB

Download
memory/2772-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads