urelas | cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8

General

Target

cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
Size

404KB
MD5

abe0b89899d9cc0a84ab562966c4b514
SHA1

c166ac96ccd31af9314b4cf22dc87800c3ad3481
SHA256

cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8
SHA512

b2097b97164eb3a06ac43e0881a7c89949fa55b029e734fd2cdff36acacb17219ed9787c21fb7f26a842afebabfbc4a1b8317b1fb45e5b8a5484dbac0739631f
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohO:8IfBoDWoyFblU6hAJQnOU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2064	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1432	coisx.exe
2484	emroko.exe
2844	mujea.exe

Loads dropped DLL 5 IoCs

pid	Process
1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
1432	coisx.exe
1432	coisx.exe
2484	emroko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emroko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mujea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coisx.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe
2844	mujea.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1432	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	30
PID 1908 wrote to memory of 1432	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	30
PID 1908 wrote to memory of 1432	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	30
PID 1908 wrote to memory of 1432	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	30
PID 1908 wrote to memory of 2064	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	31
PID 1908 wrote to memory of 2064	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	31
PID 1908 wrote to memory of 2064	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	31
PID 1908 wrote to memory of 2064	1908	cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe	31
PID 1432 wrote to memory of 2484	1432	coisx.exe	33
PID 1432 wrote to memory of 2484	1432	coisx.exe	33
PID 1432 wrote to memory of 2484	1432	coisx.exe	33
PID 1432 wrote to memory of 2484	1432	coisx.exe	33
PID 2484 wrote to memory of 2844	2484	emroko.exe	35
PID 2484 wrote to memory of 2844	2484	emroko.exe	35
PID 2484 wrote to memory of 2844	2484	emroko.exe	35
PID 2484 wrote to memory of 2844	2484	emroko.exe	35
PID 2484 wrote to memory of 2828	2484	emroko.exe	36
PID 2484 wrote to memory of 2828	2484	emroko.exe	36
PID 2484 wrote to memory of 2828	2484	emroko.exe	36
PID 2484 wrote to memory of 2828	2484	emroko.exe	36

C:\Users\Admin\AppData\Local\Temp\cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe
"C:\Users\Admin\AppData\Local\Temp\cbd5f2b4a6435dd290f258de2ac39f554bff2dcd36fcf9d45e47abd3bdb91ea8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\coisx.exe
  "C:\Users\Admin\AppData\Local\Temp\coisx.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Users\Admin\AppData\Local\Temp\emroko.exe
    "C:\Users\Admin\AppData\Local\Temp\emroko.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\mujea.exe
      "C:\Users\Admin\AppData\Local\Temp\mujea.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
1b46df8decd496516a36a3b0b4775cf5

SHA1
d9e1cb1123ae97fe0b2cdb5864fbdee80ba31122

SHA256
08be487b3099437b87492c6386b26c1408962876512f894c3c2563d2bf117f62

SHA512
5bb7e452601f527cabf6cef8da9e8ba12c7647b5735fbaa12fdf977dd4801acf20dd6aacc6bebbcd189d2cd2a1a21a0f4c9121be00158fe00f3b0479e5c534de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
acf4652467490f4b400ab919d6345180

SHA1
fea658ed59d3d766a613a3b32410a0f07b5c0412

SHA256
628132de75c5ef7eadd98aff3b1162cf384b5e0cca49446bb238c1d621833004

SHA512
09aa1ddfc27e238546852c6500ea33e0b431872b39f1ebcbd2ddff4805d9bcbfab696b8434e7586f0f7af6fe080640ba8e044ef2563f117ed87301abf623dc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\emroko.exe

Filesize
404KB

MD5
0a1ea696a2f566540e79eb38fa33b43d

SHA1
25f11e009c71bb86c814290e58032f0232267bef

SHA256
0450fbe39df6be9682851d4170dbe64e346af34acafb3bdbd17a607cf6e79bfd

SHA512
499bd9c971cf9124829be89848081c4640f29468c5f8d685b6d5c1e09593f8b0832c8213d44057e0b017e85d9a2247ddd2312b78008ca26970070c81eb698c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f4421a571f9b0b475fbbcc1ab26a759c

SHA1
9234ebbf9825a9a34c2946bb193a262066945366

SHA256
143b75ac94c19e28ca0f1314b81d9276b9f2ca7ac4387e751ddcf6669b573f7b

SHA512
44d1ec96fe4e65d2d4e0b2ba580ad833feed6d48fd8120d04eaa780e53d8291acb3e5ea5c7866ec760926eebd9b2ef67e782ca47899a607a5cb64d85f75af25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mujea.exe

Filesize
223KB

MD5
3464de4e68addfe2b899c6826a2fa1a5

SHA1
e28005d10ef30c6c9b3b3857c2bf811800c80f74

SHA256
ba2cabd19c0dc66dd55486a6842d67f7c129e3f748eb3f3b2358302aebc31d31

SHA512
b08acf93e60b8a084bc45e86d15cb9932a7bf8a95a475651a861037cdacb9785585a768e8febfb2006640876a1cb02577d0a0426932c5cb0cee829fdddfa3d07

Download Submit
\Users\Admin\AppData\Local\Temp\coisx.exe

Filesize
404KB

MD5
03a12baa440f2aadd5f066540b8abc08

SHA1
cbb10caa9888a3e962b21351391b1a43124332f1

SHA256
ccc5501d6caf9885e33f7997183b7635a719060e36b2ca818c59fef80b03a254

SHA512
8c16e26c751ebbf2a3fc9317277367b0658f2990089e0f35265ee5700a2e81878b8892b168d5c2b2b23d81db57f8f775d0dfeab5ca1a148d3e3c5b39e42686ae

Download Submit
memory/1432-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1432-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1908-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1908-12-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/1908-11-0x0000000002490000-0x00000000024F8000-memory.dmp

Filesize
416KB

Download
memory/1908-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2484-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2484-54-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2484-52-0x0000000002EB0000-0x0000000002F50000-memory.dmp

Filesize
640KB

Download
memory/2484-35-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2844-53-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/2844-58-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/2844-59-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing