urelas | 04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb

General

Target

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Size

448KB
MD5

1ed68cb1d469c04c1d1c48e84dffd855
SHA1

4f9c195a777ab598b131b45f60b401ff3f5f72aa
SHA256

04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb
SHA512

292b13bf860c98f5ca1ceb2cbaad63680142f5436ed532fd6d5692289678d53fd2766fca3e17a9a236f90a1face2e1b5f646d62ffa166dd59afdd95cc1b744cf
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpomr:PMpASIcWYx2U6hAJQny

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2548	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1740	izdot.exe
2776	avsugu.exe
2964	zuehv.exe

Loads dropped DLL 3 IoCs

pid	Process
1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
1740	izdot.exe
2776	avsugu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avsugu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuehv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izdot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe
2964	zuehv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1740	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1048 wrote to memory of 1740	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1048 wrote to memory of 1740	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1048 wrote to memory of 1740	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	29
PID 1048 wrote to memory of 2548	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	30
PID 1048 wrote to memory of 2548	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	30
PID 1048 wrote to memory of 2548	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	30
PID 1048 wrote to memory of 2548	1048	04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe	30
PID 1740 wrote to memory of 2776	1740	izdot.exe	32
PID 1740 wrote to memory of 2776	1740	izdot.exe	32
PID 1740 wrote to memory of 2776	1740	izdot.exe	32
PID 1740 wrote to memory of 2776	1740	izdot.exe	32
PID 2776 wrote to memory of 2964	2776	avsugu.exe	33
PID 2776 wrote to memory of 2964	2776	avsugu.exe	33
PID 2776 wrote to memory of 2964	2776	avsugu.exe	33
PID 2776 wrote to memory of 2964	2776	avsugu.exe	33
PID 2776 wrote to memory of 2252	2776	avsugu.exe	34
PID 2776 wrote to memory of 2252	2776	avsugu.exe	34
PID 2776 wrote to memory of 2252	2776	avsugu.exe	34
PID 2776 wrote to memory of 2252	2776	avsugu.exe	34

C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe
"C:\Users\Admin\AppData\Local\Temp\04a8932d14724e5e206899bdd6871ed3efb1b7d200ff74d544f4e0773611f1cb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\izdot.exe
  "C:\Users\Admin\AppData\Local\Temp\izdot.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\avsugu.exe
    "C:\Users\Admin\AppData\Local\Temp\avsugu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\zuehv.exe
      "C:\Users\Admin\AppData\Local\Temp\zuehv.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
8460544d912336ca2914a5db42798dee

SHA1
1ed0afa5a0282c07280c105a2c95387185acd6d6

SHA256
36300d434ad053584aa956ba24ec6badf50da80c5d0e2cea129b4dfa684f7637

SHA512
f70c6f8eb8ccb7c46c24dc743638311dc212d5e5951e19e70e0c8396943b888b823113d3946e00689f93261186f559494556e0505cb986657ee5400fd4181c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
0719ec55cb7b679978eacd06bb5f5cb5

SHA1
7d0d8432dede6a2b53e039d6b9d4d1b014ab46aa

SHA256
9bb74dc5e00b2ce46a41c47bcdbe27320fc1f877f55971bfc7fd3438a857d5e3

SHA512
7ee23835c499637fd0b2c3bc773690e5109e8508e6288441e1861dd3291024bd9b7e5e4d8015955d073947cb81094d5b4fd3275e35273b169609a89b553144a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\avsugu.exe

Filesize
448KB

MD5
85ff250ade6245b0103b3829e9cbc926

SHA1
944501111cae339d3453d3fcd784e85ffb61f275

SHA256
0d75194730f3e89b61db886c8ae58b72a823c78a65ee645ad201712832c9e3e3

SHA512
0e5c182fc979cb07f6eaba36b8004ef1c852c60a5eb63bfffe4479643ee09cb6f515d443de600776a3ac723155b1e71ce06fad149b20df02cbdf12d95a69165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fbaac7fded4d31521fd7b783bcb2fa00

SHA1
8cc5ffa909ae142bbef5b12146a0ccd4b8f97129

SHA256
c615067d3e002cc6a357d1e67861b61ca735bfe192fe3a325fb3026e061c02de

SHA512
e6c2b85cf509724e93a7ff16991aed3e062135310a45a844020b802bfd1f4d72f7ac0d107b306b4e59a95d541337e354c094a03e028072afca65d2c7692de0de

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuehv.exe

Filesize
223KB

MD5
26294de768ff1d1b451130a8f3631819

SHA1
601fa19254418855b65ff21cdb33777bfd57cdec

SHA256
e4af4e15207ee7fbe528d29b40b43f6a7a41f2d53c2e5cbb1dd345a017107bd3

SHA512
879f641c4322e2d27459e0ba6173740ec920d93a49107c45d388700a78e3dee4bdd77451602429267bf2e954dad088d32d8f787f33ebb9b9bd9af722f249e84d

Download Submit
\Users\Admin\AppData\Local\Temp\izdot.exe

Filesize
448KB

MD5
f96e111303e026e99d5adc102f545c3d

SHA1
10ce3e5e7e681c4d445767981cce566ce1f01f73

SHA256
521fd22e8ac8a0cfd6c9da59c60bd8b5b56b3ecd0d5b9981755f950f8886b2f9

SHA512
2dd1a5b2ff39f30d918efc8f1ea0ed72ffa0d4bbcd99a8d7e66fd6721ede4cc3ae6e82f94538bc017befaae88f448a558b89f818e4d4c8b5b82cad2a7131ed50

Download Submit
memory/1048-18-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1048-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1740-26-0x0000000002030000-0x000000000209E000-memory.dmp

Filesize
440KB

Download
memory/1740-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1740-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2776-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2776-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2964-45-0x0000000000BB0000-0x0000000000C50000-memory.dmp

Filesize
640KB

Download
memory/2964-49-0x0000000000BB0000-0x0000000000C50000-memory.dmp

Filesize
640KB

Download
memory/2964-50-0x0000000000BB0000-0x0000000000C50000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing