urelas | 3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7

General

Target

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
Size

690KB
MD5

47fdaedf02f5c6ee63fe3a5d1e2a727c
SHA1

c9f85c47d90fdcd626286c1ab4b9d705c13d3e2b
SHA256

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7
SHA512

9dbbcab9d7d8c260c8e631f68503614691c0b3055265f5d120d4a809121e18eee324096d6e02af2675c3615047c1ea6314f480fa70831de14a6f3c474de7d86b
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nc:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ibhiqi.exe3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exesusil.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ibhiqi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	susil.exe

Executes dropped EXE 3 IoCs

Processes:

susil.exeibhiqi.exewoseq.exe

pid	Process
456	susil.exe
3436	ibhiqi.exe
3344	woseq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exesusil.execmd.exeibhiqi.exewoseq.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	susil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibhiqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woseq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

woseq.exe

pid	Process
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe
3344	woseq.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exesusil.exeibhiqi.exe

description	pid	Process	procid_target
PID 2616 wrote to memory of 456	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	83
PID 2616 wrote to memory of 456	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	83
PID 2616 wrote to memory of 456	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	83
PID 2616 wrote to memory of 1872	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	84
PID 2616 wrote to memory of 1872	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	84
PID 2616 wrote to memory of 1872	2616	3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe	84
PID 456 wrote to memory of 3436	456	susil.exe	86
PID 456 wrote to memory of 3436	456	susil.exe	86
PID 456 wrote to memory of 3436	456	susil.exe	86
PID 3436 wrote to memory of 3344	3436	ibhiqi.exe	103
PID 3436 wrote to memory of 3344	3436	ibhiqi.exe	103
PID 3436 wrote to memory of 3344	3436	ibhiqi.exe	103
PID 3436 wrote to memory of 3144	3436	ibhiqi.exe	104
PID 3436 wrote to memory of 3144	3436	ibhiqi.exe	104
PID 3436 wrote to memory of 3144	3436	ibhiqi.exe	104

C:\Users\Admin\AppData\Local\Temp\3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe
"C:\Users\Admin\AppData\Local\Temp\3b38733fbb8b334d6e8e53cc0d0238dd141cd07f49b55cc6bae21e86b0fe8fd7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\susil.exe
  "C:\Users\Admin\AppData\Local\Temp\susil.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Users\Admin\AppData\Local\Temp\ibhiqi.exe
    "C:\Users\Admin\AppData\Local\Temp\ibhiqi.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\woseq.exe
      "C:\Users\Admin\AppData\Local\Temp\woseq.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
ae2794a94b37e9e51a7e5a92264c3f70

SHA1
8f5538566bf1addbd4694f0ef552d4d8958d8813

SHA256
9ae581ee59a0368aa83a910fe7f87d76775040cb87875bffcd733f22076dc9a5

SHA512
9a4a72f031185f21b0417bffa52a19d6ee22e34b0bfebe479567eecab4a6dba30259fc4823acf8ddfa0312f25504ca699c79dc786a7b87b737e7908d7b61593c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
45458bc223f22e994f6535a049cdcb30

SHA1
c5bc7ee115ef4c95261b131817050c393d3e69f9

SHA256
0a3a4d09973b24e64d3ea9856d0d45ed661ab43368bdebe05bf205ebf303c6ac

SHA512
e2fdf6a40a35fa54ea5c64dd2722b9c9d7260fed77d6e684ca5d5a4d665f6fe0f71c6046623d8db299cfe86195e7f73cff5b138cf7c21ff59708f7edb3752f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
476d520e34dc724cd80ce387f7e139b1

SHA1
65e8532f447b8f6fe0889213693b28a136ead165

SHA256
24e4cbe05350d0f820f4f4d47451856fa50534708622b182260973d144910775

SHA512
900bc5d5675a3b70b237cb2577767afa89f03012d6951274f798961a95557e43d9ab65e7a10646e0174289e1e3afbea2c9c85cf9eceab3b2d9a3967543329b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\susil.exe

Filesize
690KB

MD5
b5a2d196fed5fa5117d28273abc1eb32

SHA1
2151c31a1c17dbdc19458f6969684a4f122cb37f

SHA256
621c5f83fa6b969af2b3cc2e0509f5762a6878eaef83ca9ff0a80ddf74e30066

SHA512
559d54cdaad4bc718c7bd80434a5b4ec68673bb14657b42c63af8422d1bd49073cbfda5ccd621dde3c048e34b94ead4172dec35776321463858d8d657f32a4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\woseq.exe

Filesize
469KB

MD5
cb335eb2639dd702c064d002a547f77a

SHA1
7b7eac6c00dc724d29839d4bed625fad2d23590b

SHA256
2a277ef451712618796f55636c38426d97215dcd32b4bfdccdcd021b1d2652a3

SHA512
b3c995919b24e9d0578dd35422727a512b4fda7b775e73aabb1e573ab58c8c475f7bfb64bef421657e853b739e17f7031a3a5c899b5611925c60733c902a03ff

Download Submit
memory/456-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2616-15-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2616-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3344-37-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3344-42-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/3436-25-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3436-39-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads