urelas | 2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0

General

Target

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Size

349KB
MD5

9702b572151322ec6add6c75e2714321
SHA1

db5fa995483243c855ea05496797d4d121d4fa65
SHA256

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0
SHA512

c1690a85b45eca670fac4d94adf24b19a1c096374261e5cf1393d6d9cbed3dfff28ac57947120c6cff25c79dd8c8cb6abe396b30785b126c0e918185649c11c5
SSDEEP

6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZD:A0G5obGGraOpUWlpm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2540	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	viifo.exe
2336	coryde.exe
2372	hikii.exe

Loads dropped DLL 6 IoCs

pid	Process
2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
3028	viifo.exe
3028	viifo.exe
2336	coryde.exe
2336	coryde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coryde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hikii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe
2372	hikii.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3028	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2420 wrote to memory of 3028	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2420 wrote to memory of 3028	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2420 wrote to memory of 3028	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2420 wrote to memory of 2540	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2420 wrote to memory of 2540	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2420 wrote to memory of 2540	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2420 wrote to memory of 2540	2420	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 3028 wrote to memory of 2336	3028	viifo.exe	33
PID 3028 wrote to memory of 2336	3028	viifo.exe	33
PID 3028 wrote to memory of 2336	3028	viifo.exe	33
PID 3028 wrote to memory of 2336	3028	viifo.exe	33
PID 2336 wrote to memory of 2372	2336	coryde.exe	35
PID 2336 wrote to memory of 2372	2336	coryde.exe	35
PID 2336 wrote to memory of 2372	2336	coryde.exe	35
PID 2336 wrote to memory of 2372	2336	coryde.exe	35
PID 2336 wrote to memory of 2136	2336	coryde.exe	36
PID 2336 wrote to memory of 2136	2336	coryde.exe	36
PID 2336 wrote to memory of 2136	2336	coryde.exe	36
PID 2336 wrote to memory of 2136	2336	coryde.exe	36

C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
"C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\viifo.exe
  "C:\Users\Admin\AppData\Local\Temp\viifo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Local\Temp\coryde.exe
    "C:\Users\Admin\AppData\Local\Temp\coryde.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\hikii.exe
      "C:\Users\Admin\AppData\Local\Temp\hikii.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f84fed65cea974b07ec408ac3362297b

SHA1
4d556df9abe4a1fac6a37571e2393e50c52b264e

SHA256
61a05b8ce3aeef049aaa6e1f54cbf3124a6495e31c62dccde02b81e2edc1caa1

SHA512
bae84c3cd3da1e3a53d6cbbf7a24094778d487cca106655f6c30a0213dec1e5c53844171193d890225cc21f782506687b94897aa5bf5da61447ae710be860057

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
3120f5a2295addacf322970a39240453

SHA1
94a22ddf64d08026aaa48f8e407c0a66b6ddede9

SHA256
61f8cff62a6dcbc9dc4d474c364798e647ddb9d8ebc4c4c1a3d2e16d181b92b9

SHA512
06f31c58d073d455f3038701de90047d402ae0865cbd894514ff9e1931cc9c6cee020984199d747cc847828eaaa7422b37b666aa3a5bfac911db6794179eb55d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d225c2e1d2dde24c8934dcfec1447b9b

SHA1
b5212466f992d13f3861f332d51c34f115b573e0

SHA256
3b6561931a327a2726cd644127556fbe824bc2eb4461de73e99947c5787747fb

SHA512
ed1b210abeb67e1957546efdf0a0385b93a7fc6dc2d6810edd0109619b57e0e0f821b407daf3a780ba6fb6863f583cc6a825e71f333629258ad534e06ba10398

Download Submit
C:\Users\Admin\AppData\Local\Temp\hikii.exe

Filesize
115KB

MD5
d62e39a345a2a99ce5191e1a36d3e246

SHA1
bd957be2ba79c175dbc33541ef62d35af517fa13

SHA256
5e64b87c063ae9eafe1c0e343a0c17fdd41fb298f3b5dfc2ff313feb35d5d4d0

SHA512
e1330e13a5e46be2e7180bc06ab723410f730b8714cd09c2a99cf5af43c7159d62be214364a53a01f4a664ff73175840350d6a2080a88d63f9a553025314c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\viifo.exe

Filesize
349KB

MD5
412709f010580022786e0dc350fb98c1

SHA1
3bd78f760336f1d3ce1af1634a0333f179935a96

SHA256
e7af2460b4be4bbf30ab30b09b5f26ba3d0bd8f7330369bc789e2f343fb7ea69

SHA512
dd7e307eee5c8e378b76ff356207b05329ff538444394bb678e4974b0fdee8776ab83d6c45098487418abc24eaa490df28a36c9d17194fe67658880e68d2a2c3

Download Submit
memory/2336-37-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2336-48-0x0000000003C60000-0x0000000003CE2000-memory.dmp

Filesize
520KB

Download
memory/2336-49-0x0000000003C60000-0x0000000003CE2000-memory.dmp

Filesize
520KB

Download
memory/2336-58-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2336-36-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2372-59-0x0000000000160000-0x00000000001E2000-memory.dmp

Filesize
520KB

Download
memory/2372-62-0x0000000000160000-0x00000000001E2000-memory.dmp

Filesize
520KB

Download
memory/2372-63-0x0000000000160000-0x00000000001E2000-memory.dmp

Filesize
520KB

Download
memory/2372-64-0x0000000000160000-0x00000000001E2000-memory.dmp

Filesize
520KB

Download
memory/2420-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2420-20-0x0000000002560000-0x00000000025BC000-memory.dmp

Filesize
368KB

Download
memory/2420-21-0x0000000002560000-0x00000000025BC000-memory.dmp

Filesize
368KB

Download
memory/2420-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-22-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3028-35-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing