urelas | 2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Size

349KB
MD5

9702b572151322ec6add6c75e2714321
SHA1

db5fa995483243c855ea05496797d4d121d4fa65
SHA256

2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0
SHA512

c1690a85b45eca670fac4d94adf24b19a1c096374261e5cf1393d6d9cbed3dfff28ac57947120c6cff25c79dd8c8cb6abe396b30785b126c0e918185649c11c5
SSDEEP

6144:c/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZD:A0G5obGGraOpUWlpm

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1820	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2508	zoofe.exe
1480	jameoc.exe
836	otlur.exe

Loads dropped DLL 6 IoCs

pid	Process
2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
2508	zoofe.exe
2508	zoofe.exe
1480	jameoc.exe
1480	jameoc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jameoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otlur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoofe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe
836	otlur.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2508	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2072 wrote to memory of 2508	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2072 wrote to memory of 2508	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2072 wrote to memory of 2508	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	30
PID 2072 wrote to memory of 1820	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2072 wrote to memory of 1820	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2072 wrote to memory of 1820	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2072 wrote to memory of 1820	2072	2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe	31
PID 2508 wrote to memory of 1480	2508	zoofe.exe	33
PID 2508 wrote to memory of 1480	2508	zoofe.exe	33
PID 2508 wrote to memory of 1480	2508	zoofe.exe	33
PID 2508 wrote to memory of 1480	2508	zoofe.exe	33
PID 1480 wrote to memory of 836	1480	jameoc.exe	35
PID 1480 wrote to memory of 836	1480	jameoc.exe	35
PID 1480 wrote to memory of 836	1480	jameoc.exe	35
PID 1480 wrote to memory of 836	1480	jameoc.exe	35
PID 1480 wrote to memory of 1792	1480	jameoc.exe	36
PID 1480 wrote to memory of 1792	1480	jameoc.exe	36
PID 1480 wrote to memory of 1792	1480	jameoc.exe	36
PID 1480 wrote to memory of 1792	1480	jameoc.exe	36

C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe
"C:\Users\Admin\AppData\Local\Temp\2b8d846b8d4926a0c387ecc1c557336d4adcfe2d88857d6cabf4d95f1566b8f0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\zoofe.exe
  "C:\Users\Admin\AppData\Local\Temp\zoofe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\jameoc.exe
    "C:\Users\Admin\AppData\Local\Temp\jameoc.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\otlur.exe
      "C:\Users\Admin\AppData\Local\Temp\otlur.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
6bf01d3a28e7c5d025d95ef7851e885e

SHA1
b4af98dab6692fa40040025f13487c5a2fcfb6c3

SHA256
7d3de98a1cb5ddc9481fe0de471903cb4d99b1d61efb89e3381ef777c4bea007

SHA512
19267583b51c7c65444efb4006b2a5378b30682624f6ac873894f6be8b16eb468016d6dccac85d56eb579dd53ab27f7b1e1e37a5fac9cba09a48269282c6cedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f84fed65cea974b07ec408ac3362297b

SHA1
4d556df9abe4a1fac6a37571e2393e50c52b264e

SHA256
61a05b8ce3aeef049aaa6e1f54cbf3124a6495e31c62dccde02b81e2edc1caa1

SHA512
bae84c3cd3da1e3a53d6cbbf7a24094778d487cca106655f6c30a0213dec1e5c53844171193d890225cc21f782506687b94897aa5bf5da61447ae710be860057

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3125177256500e4860747689900b2277

SHA1
8fe599d19834b2c2cfe560c069d2c735dd4e596a

SHA256
f0c84e6ebd43ecd06e017c5edf3d960d2221ef239d1a4f4960049c8372ff70b7

SHA512
163d08b0303ca5583009366510ccd0c4774d3abea7bf52429278863708d3652191778afe4473f0212f672ba654548900f1ac8a07e3a33bb46c84e253e1219cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\otlur.exe

Filesize
115KB

MD5
7b2cf592a5999ee9ca2564516b2dea7e

SHA1
06cfc01cc2379454dfc7c31261cd6b2e2c987755

SHA256
167ed4a612339aa15c19c2b5824288ba64abf80cac48a47823d7723ec4297f1e

SHA512
001e1d9ab64db8530dde657f65b4ad929f018cebc4ad8a62cdbcd6da06aa9ad4188f7e463da398760f2001a8cd2d11e0f9c9834a67f643d164ba63ca1e033654

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoofe.exe

Filesize
349KB

MD5
853f8a5c3b0fc485a7336a79817e048c

SHA1
750b93a1d6acb08da6a8f4fe37d51badc5933898

SHA256
573bb661d0f8f0f26d5843b759c93a442773165f618efa98b6d63bb25fb77033

SHA512
3a8b63b1de1ef7b2c57b8b84f6c61dd91061a0a6cb14de8a1a83b26af211d458961fdc1e7c8c7c4fed7e84645c0376005730169f814f677dcb60e44c20a0612f

Download Submit
memory/836-60-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-56-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-64-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-63-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-62-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-61-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/836-59-0x0000000000C60000-0x0000000000CE2000-memory.dmp

Filesize
520KB

Download
memory/1480-36-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1480-54-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1480-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2072-19-0x0000000002430000-0x000000000248C000-memory.dmp

Filesize
368KB

Download
memory/2072-2-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2072-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2072-20-0x0000000002430000-0x000000000248C000-memory.dmp

Filesize
368KB

Download
memory/2508-35-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download