urelas | 2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd

General

Target

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Size

453KB
MD5

92dbb63475ed85b64c332c1b5a4388b4
SHA1

27aff6f89f1b33c93104cc735e4fc33c5ef5f780
SHA256

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd
SHA512

69f01ad4f2754f05be3375e93e0c97eebdb24778ec225e2473456095e9fb41f6b778a454866e7573f28160b4237aeda27eda56f367a3d678634792e70aa71ada
SSDEEP

6144:CEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpdFB:CMpASIcWYx2U6hAJQni

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exepuhuw.exepeojyt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	puhuw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	peojyt.exe

Executes dropped EXE 3 IoCs

Processes:

puhuw.exepeojyt.exeejgap.exe

pid process

4012 puhuw.exe
3672 peojyt.exe
1628 ejgap.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4012	puhuw.exe
3672	peojyt.exe
1628	ejgap.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exepuhuw.execmd.exepeojyt.exeejgap.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puhuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peojyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejgap.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

ejgap.exe

pid	process
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe
1628	ejgap.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exepuhuw.exepeojyt.exe

description	pid	process	target process
PID 2644 wrote to memory of 4012	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	puhuw.exe
PID 2644 wrote to memory of 4012	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	puhuw.exe
PID 2644 wrote to memory of 4012	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	puhuw.exe
PID 2644 wrote to memory of 3296	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2644 wrote to memory of 3296	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 2644 wrote to memory of 3296	2644	2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe	cmd.exe
PID 4012 wrote to memory of 3672	4012	puhuw.exe	peojyt.exe
PID 4012 wrote to memory of 3672	4012	puhuw.exe	peojyt.exe
PID 4012 wrote to memory of 3672	4012	puhuw.exe	peojyt.exe
PID 3672 wrote to memory of 1628	3672	peojyt.exe	ejgap.exe
PID 3672 wrote to memory of 1628	3672	peojyt.exe	ejgap.exe
PID 3672 wrote to memory of 1628	3672	peojyt.exe	ejgap.exe
PID 3672 wrote to memory of 1576	3672	peojyt.exe	cmd.exe
PID 3672 wrote to memory of 1576	3672	peojyt.exe	cmd.exe
PID 3672 wrote to memory of 1576	3672	peojyt.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe
"C:\Users\Admin\AppData\Local\Temp\2bf5f580ff6c5626372d9d63a7ccfcf950c7f955e30d8e5680424c0e088b50fd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\puhuw.exe
  "C:\Users\Admin\AppData\Local\Temp\puhuw.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\peojyt.exe
    "C:\Users\Admin\AppData\Local\Temp\peojyt.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\ejgap.exe
      "C:\Users\Admin\AppData\Local\Temp\ejgap.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1576
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4061a1bef473e80d443c81b8b070364b

SHA1
9065ec6dcfaf49ef1aaa482262ae1e054488ad2e

SHA256
c1c54b87097ddf89030b5a77eb25afa5e876b7daa7b652f99982bbb67b5eca58

SHA512
b7e316dd985475423a40839443557a62804cb4e28b6a52ba397a22e8b7cff698d2810187d9d24e1331cfbcbce18c421535082e2c52b08f28b0d5026fd2517a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a52b5a348d9d3bbd9b35603d466ff6ba

SHA1
ebf33971d24a6bc26ae8b06fa9cd7dde8e6b6697

SHA256
7109f01251179a27c5285e202f6712b548446c166abe2f122d7e60a15a4d9944

SHA512
d9b99c103437527efefa8c6636bb6e100d01314b5dfd99e85503632343f3f234f643571410bb312ddfb1f3e2dfe063237e13bb220b640ba94c616e3ee4818513

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejgap.exe

Filesize
223KB

MD5
f9e38fdfc7b9bef2c56130a7ee185c78

SHA1
deb9e4a6483433efa9e2aedad53e6c4cb978e033

SHA256
5bc06eae20cafb37a86a27eb509f1b26cdc94bea2c9abf7764689e0f3a9d0d8d

SHA512
b3d9c5174880612e1450dc9a3418e13768d899107031349fe1b61ccbc7e164996d55633c77a5fef8571000e65f4fba9d022d8f5cadfeab280f0a4290166fecae

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
44ff8bc93b47149e3c04fafb13bdcfed

SHA1
b749064a0cb0bcc0f15a715244425d253d47e8e3

SHA256
c156273f92a03175186095aee3bce0a639df15aabb337c68d6f2afafb9d3ac35

SHA512
da036911d7d1edf088f61aab9ca21926b4baae80ff7e6f56ce40d9e82d3b38f2859052a3e95ca2b3175abaffdaa06604037cea0dd1b1d104aa1ea829e18295b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\peojyt.exe

Filesize
453KB

MD5
9192d59dd1d9812336277f3570f1dbbb

SHA1
11d330d08f63719ff9e264b620561309424fc3f6

SHA256
0e05ec87e81369bb5b8655ec49ffefa63e7294ff91c97a2678218a5bc1c374c8

SHA512
724e2b668d977f103179e557ced94e036928063025894d4e032cc43b0e16f38c406e0065047c1c900b208b3e3f3b1eac0d4be03396085f7eaa6ff00dc45da6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\puhuw.exe

Filesize
453KB

MD5
a20d2b09ddec5ccd22d412eae5014ca2

SHA1
48ae64a94428d6262c3347d5e9d2c63059620695

SHA256
1f031c9d7372823dc420224e24bc1cca2a3ff5831b0b5ed729832afcb2ef7ee9

SHA512
585c36857813a381e4ce8d73e4b28e0e2ed3f66e0906b625817d52231fffb4395b56ce8d641ab52efda47b15bb310221b3a9c286c09ca32d48329bb14c52a55a

Download Submit
memory/1628-36-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/1628-42-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/1628-41-0x0000000000360000-0x0000000000400000-memory.dmp

Filesize
640KB

Download
memory/2644-14-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2644-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3672-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3672-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4012-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads