urelas | 3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7

General

Target

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
Size

690KB
MD5

47fdaedf02f5c6ee63fe3a5d1e2a727c
SHA1

c9f85c47d90fdcd626286c1ab4b9d705c13d3e2b
SHA256

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7
SHA512

9dbbcab9d7d8c260c8e631f68503614691c0b3055265f5d120d4a809121e18eee324096d6e02af2675c3615047c1ea6314f480fa70831de14a6f3c474de7d86b
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nc:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2304	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

ososq.exewusien.exeabgut.exe

pid	Process
2480	ososq.exe
2872	wusien.exe
1968	abgut.exe

Loads dropped DLL 5 IoCs

Processes:

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exeososq.exewusien.exe

pid	Process
2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
2480	ososq.exe
2480	ososq.exe
2872	wusien.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exeososq.exewusien.execmd.exeabgut.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ososq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wusien.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abgut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

abgut.exe

pid	Process
1968	abgut.exe
1968	abgut.exe
1968	abgut.exe
1968	abgut.exe
1968	abgut.exe
1968	abgut.exe
1968	abgut.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exeososq.exewusien.exe

description	pid	Process	procid_target
PID 2580 wrote to memory of 2480	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	30
PID 2580 wrote to memory of 2480	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	30
PID 2580 wrote to memory of 2480	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	30
PID 2580 wrote to memory of 2480	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	30
PID 2580 wrote to memory of 2304	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	31
PID 2580 wrote to memory of 2304	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	31
PID 2580 wrote to memory of 2304	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	31
PID 2580 wrote to memory of 2304	2580	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	31
PID 2480 wrote to memory of 2872	2480	ososq.exe	33
PID 2480 wrote to memory of 2872	2480	ososq.exe	33
PID 2480 wrote to memory of 2872	2480	ososq.exe	33
PID 2480 wrote to memory of 2872	2480	ososq.exe	33
PID 2872 wrote to memory of 1968	2872	wusien.exe	35
PID 2872 wrote to memory of 1968	2872	wusien.exe	35
PID 2872 wrote to memory of 1968	2872	wusien.exe	35
PID 2872 wrote to memory of 1968	2872	wusien.exe	35
PID 2872 wrote to memory of 1736	2872	wusien.exe	36
PID 2872 wrote to memory of 1736	2872	wusien.exe	36
PID 2872 wrote to memory of 1736	2872	wusien.exe	36
PID 2872 wrote to memory of 1736	2872	wusien.exe	36

C:\Users\Admin\AppData\Local\Temp\3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
"C:\Users\Admin\AppData\Local\Temp\3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\ososq.exe
  "C:\Users\Admin\AppData\Local\Temp\ososq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\wusien.exe
    "C:\Users\Admin\AppData\Local\Temp\wusien.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\AppData\Local\Temp\abgut.exe
      "C:\Users\Admin\AppData\Local\Temp\abgut.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
45458bc223f22e994f6535a049cdcb30

SHA1
c5bc7ee115ef4c95261b131817050c393d3e69f9

SHA256
0a3a4d09973b24e64d3ea9856d0d45ed661ab43368bdebe05bf205ebf303c6ac

SHA512
e2fdf6a40a35fa54ea5c64dd2722b9c9d7260fed77d6e684ca5d5a4d665f6fe0f71c6046623d8db299cfe86195e7f73cff5b138cf7c21ff59708f7edb3752f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
667a19efa29c37b578d30525c6a63b67

SHA1
27a1a32d84573f43ef6b6dff67f74b19388c059a

SHA256
ed374d63584f07531e763e10f89ead7ebc4d2ae8b6414e2558a39777a06057e9

SHA512
fc988facdb0eaf1f16d119d5a9e699654ea2abae60402c1a0e3e35c3199ec7fcb53383a6b137da0559b8bbe9c4da4c974665b8073f3396d9825d73f4c3d1ba04

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2a71e6b969410d6e7764eb190a3c5702

SHA1
23e901f0baa92d1c801aed47588dce1e677856f7

SHA256
ec89a44eba5e827309f45d752108b14aac0e63702eeb3b29f0006e55f436f5c9

SHA512
b67bbe2a4a164ad892c2e421afe08b5d24bfe8aac9c8eac9e1158a94683b944736f86500eed9248b7bf2c65f7041ab5406fd271e9f283dea8937bd3d6c922276

Download Submit
C:\Users\Admin\AppData\Local\Temp\ososq.exe

Filesize
690KB

MD5
7de570ea1a71d2ee5cd321d9522d7542

SHA1
3c92969d8f4904ba940b4d6fbaf8bc7ca840b4a3

SHA256
96dc6ee74c02e8b7bcedee7e1e9aa282d83a95c3cc611b7f359bfa6a0ee30db5

SHA512
be40dbd1597190800d55df075992c89ee558e51e26de567fecb13a869a4e21a173310a6f95ace0e5e59844e7ec9facf3ea54538e040da986be93a5857222b99f

Download Submit
\Users\Admin\AppData\Local\Temp\abgut.exe

Filesize
469KB

MD5
05586587db81fbe3565b95860f367e95

SHA1
2dd6af4f7299637383917471ab2a709df69e82d6

SHA256
55159b11cb10f2f4320e55184bd682e06d022bf179f056bdce712e772b5415a2

SHA512
d455e9a3edd021d8166f341746a7f014522f73fdc8cfd38256a78302a35cd2d871fda3c650ddca6371f820b5d8e0b2d3557707beb7fcfba790e1f1ac787fd989

Download Submit
memory/1968-54-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1968-59-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2480-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2480-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2580-20-0x00000000025D0000-0x0000000002683000-memory.dmp

Filesize
716KB

Download
memory/2580-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2580-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2872-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2872-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2872-53-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2872-52-0x0000000003B20000-0x0000000003CB6000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads