urelas | bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c

General

Target

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
Size

404KB
MD5

90f29b38c805fd6cbc409b2da5860a29
SHA1

9a9cfb16e5a37721e35449733a37b995243776cf
SHA256

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c
SHA512

7d1587a658ab4b0c5fa923b11b9d60988b56500f3daf6f127aa2a0cf99f0d572c7eeb066a50b23c2753c91d55cb0b7deea60d01085a46df57d13b173fb9336d5
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBroht:8IfBoDWoyFblU6hAJQnO7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3012	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

woixp.exeynobjy.exeobgep.exe

pid	Process
1692	woixp.exe
2208	ynobjy.exe
2860	obgep.exe

Loads dropped DLL 5 IoCs

Processes:

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exewoixp.exeynobjy.exe

pid	Process
2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
1692	woixp.exe
1692	woixp.exe
2208	ynobjy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

obgep.execmd.exebb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.execmd.exewoixp.exeynobjy.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obgep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woixp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynobjy.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

obgep.exe

pid	Process
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe
2860	obgep.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exewoixp.exeynobjy.exe

description	pid	Process	procid_target
PID 2496 wrote to memory of 1692	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	30
PID 2496 wrote to memory of 1692	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	30
PID 2496 wrote to memory of 1692	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	30
PID 2496 wrote to memory of 1692	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	30
PID 2496 wrote to memory of 3012	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	31
PID 2496 wrote to memory of 3012	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	31
PID 2496 wrote to memory of 3012	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	31
PID 2496 wrote to memory of 3012	2496	bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe	31
PID 1692 wrote to memory of 2208	1692	woixp.exe	33
PID 1692 wrote to memory of 2208	1692	woixp.exe	33
PID 1692 wrote to memory of 2208	1692	woixp.exe	33
PID 1692 wrote to memory of 2208	1692	woixp.exe	33
PID 2208 wrote to memory of 2860	2208	ynobjy.exe	34
PID 2208 wrote to memory of 2860	2208	ynobjy.exe	34
PID 2208 wrote to memory of 2860	2208	ynobjy.exe	34
PID 2208 wrote to memory of 2860	2208	ynobjy.exe	34
PID 2208 wrote to memory of 2300	2208	ynobjy.exe	35
PID 2208 wrote to memory of 2300	2208	ynobjy.exe	35
PID 2208 wrote to memory of 2300	2208	ynobjy.exe	35
PID 2208 wrote to memory of 2300	2208	ynobjy.exe	35

C:\Users\Admin\AppData\Local\Temp\bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe
"C:\Users\Admin\AppData\Local\Temp\bb42be3303774f195b58b88de0befe1f2b5d41f114f482e7d0b0b58093242d4c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\woixp.exe
  "C:\Users\Admin\AppData\Local\Temp\woixp.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\ynobjy.exe
    "C:\Users\Admin\AppData\Local\Temp\ynobjy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\obgep.exe
      "C:\Users\Admin\AppData\Local\Temp\obgep.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
c83953e280e85b002090b2fbe0c2390c

SHA1
dce05c2998a7b2122eda6d0db19b1b622d8f0e30

SHA256
973a9954c0a8f4b3b282b05be4108d1176e664ddbc5eddae6a723097c2794db9

SHA512
a8a3c1c1d1d82b7b4e3f508b7e41d92e268d7f4397f563917a16fa66c95b2a3f07ce6481fb8d95fbafd9032ba690868c7b1cc6169bad59958403bd0d56940b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
bdf0b0a18c1876afe177e953dc05b427

SHA1
0f1e7495de2d9753162454d71f254001c4e23741

SHA256
feb9daa4dcf404860312c8d35419ec58a0f8e8883eb62f550e88e4993c5a9942

SHA512
4f8ecdf30a470e66dc4ce70b71a5f12bd6d0f6f70564e9e1a1982ad320a4481646b60944e7f9b44e3d75d2c20757222a2d9dedf3bb30153bb07a62803a042f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
60fef11d2e1aff3c377ac24761c00f1a

SHA1
efee728709f597ba0e38206259029629c1053028

SHA256
d026a900f7a2804104fbe97ee9e2fc50cfae3cec8f2d8ccc6f63d3da7c325290

SHA512
b9b6f52cdf83f4dcdfb8a3c62cbbefad5b089f9c844f9863c956d4e7f5931dca2f7ee5428e5fe696cb48d94bb83c5638f045eb75927922bacf3d30896395878b

Download Submit
\Users\Admin\AppData\Local\Temp\obgep.exe

Filesize
223KB

MD5
4830cea9934415d74779964b1516adca

SHA1
db0a53abd5bed0815e41255a4b37cf3fdbc9eca4

SHA256
77e7be1a4d45fa7a74ee8dca07fd2f4c1e627838e07da2541d531101d4a392aa

SHA512
51425fcb3017e606ad5bb26e0b00da715bd4f7da4ae3614a56768d547e79da16d08ddeca6431a6f7264f430e1f65ccc952be5ce3778ee9b15fd6c8c0ab337868

Download Submit
\Users\Admin\AppData\Local\Temp\woixp.exe

Filesize
404KB

MD5
2edbee45eb3c747052ab530068b61963

SHA1
9c47c9b75bbb286a5bb9ef4db1a5bf7ac7ecb297

SHA256
5e1dca62648faf1cb24bf242beb2c2492cbdd81133b1ca4c98e9df634fa0e953

SHA512
06826b88adac37f2c326a0fb63b2776851edd44435afd580c0438bdaf2488fe2edd732de9a53b9d4527bfc7846bf712f78da4745b39001ce255207a935665055

Download Submit
\Users\Admin\AppData\Local\Temp\ynobjy.exe

Filesize
404KB

MD5
7fb0c9b3c838ef12689414728ed19753

SHA1
fcf812403eeb7350cb1e2b8132dd174747133264

SHA256
2713bef325c53a2c1d8545ab66eae7ff4822459b04b20ab440b99f330aa185df

SHA512
ffa0e6298cd124f7291b056d856bc1520ad6594113a255261e8c4fb08d91f1f72b4b1b3f2604cecaa8704e1086f7f94c5001d11da5e88fe847a5eff846619827

Download Submit
memory/1692-35-0x0000000003000000-0x0000000003068000-memory.dmp

Filesize
416KB

Download
memory/1692-13-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/1692-34-0x0000000003000000-0x0000000003068000-memory.dmp

Filesize
416KB

Download
memory/1692-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2208-45-0x0000000002E60000-0x0000000002F00000-memory.dmp

Filesize
640KB

Download
memory/2208-56-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2208-38-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2208-39-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2496-2-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2496-14-0x00000000027E0000-0x0000000002848000-memory.dmp

Filesize
416KB

Download
memory/2496-22-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2496-12-0x00000000027E0000-0x0000000002848000-memory.dmp

Filesize
416KB

Download
memory/2860-48-0x0000000001190000-0x0000000001230000-memory.dmp

Filesize
640KB

Download
memory/2860-60-0x0000000001190000-0x0000000001230000-memory.dmp

Filesize
640KB

Download
memory/2860-61-0x0000000001190000-0x0000000001230000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads