urelas | 914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04

General

Target

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Size

440KB
MD5

2fdc20c1e32fa67a507b5ffca485c8c2
SHA1

0b6d7cf42541f7127679a98c0e998349e15ee8f4
SHA256

914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04
SHA512

7ae476b7952eb479c3b7931ed71a7cf2c9f0894f5ccff2ad130c327f5a8b91f18c49c892a0a723e3ba3bc53194a39a56f7e58dce1de0a85ba6a425d136afc01a
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjC:oMpASIcWYx2U6hAJQnr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bimex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	komowo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe

Executes dropped EXE 3 IoCs

pid	Process
2124	bimex.exe
3612	komowo.exe
1236	bolyy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	komowo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bolyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bimex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe
1236	bolyy.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 2124	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	82
PID 3492 wrote to memory of 2124	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	82
PID 3492 wrote to memory of 2124	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	82
PID 3492 wrote to memory of 2956	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 3492 wrote to memory of 2956	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 3492 wrote to memory of 2956	3492	914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe	83
PID 2124 wrote to memory of 3612	2124	bimex.exe	85
PID 2124 wrote to memory of 3612	2124	bimex.exe	85
PID 2124 wrote to memory of 3612	2124	bimex.exe	85
PID 3612 wrote to memory of 1236	3612	komowo.exe	95
PID 3612 wrote to memory of 1236	3612	komowo.exe	95
PID 3612 wrote to memory of 1236	3612	komowo.exe	95
PID 3612 wrote to memory of 532	3612	komowo.exe	96
PID 3612 wrote to memory of 532	3612	komowo.exe	96
PID 3612 wrote to memory of 532	3612	komowo.exe	96

C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe
"C:\Users\Admin\AppData\Local\Temp\914ec7a46c0855bbcffac3c21fc196c41347b60578865d2722673b7445986a04.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Users\Admin\AppData\Local\Temp\bimex.exe
  "C:\Users\Admin\AppData\Local\Temp\bimex.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\komowo.exe
    "C:\Users\Admin\AppData\Local\Temp\komowo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\bolyy.exe
      "C:\Users\Admin\AppData\Local\Temp\bolyy.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
106517653be969b2acd552d40a4c113e

SHA1
09debc23c8211bbe049ae6479e065ea9c0b5e9fb

SHA256
f05e15b115b4a0a8d9d864778b461fa1b6401b2f586fd9fb2e7f8f2b609c7e0e

SHA512
1cc3bc7f248ae3fefa2268c45018927e246de8a5a86259e29888d31e49be9f27d15d0ed487c4728fde31603203dbc440b1b7e1bca221815f5223db8d444fb352

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
335337b9377ce25dc6f425bdb4710c04

SHA1
0e8d1b3a4625acfa3e90f192a756b9bd3cf2b459

SHA256
ecde50a9f50d9d109ba4263d4256a708da68f8c57f2354c35c5243df3fb35d98

SHA512
88e01ba11170f66387d77a4c558945845e6255a74f41da7a9c3ff1fa37d8ce7d6e13113e70a6546a56ad46e17da9d806c8e3c3b63308f865a90badabdc9a601d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bimex.exe

Filesize
441KB

MD5
9ba81b73742f21facf4bb734efa2b440

SHA1
f157da1472de9a143ffe6874a575e4222a282000

SHA256
58ff14801ee62cc86306ad06914d3b45173272b00f03955cf537d913231527e0

SHA512
dd6dab28ef5b8b6807d4514b19e601d5f93d397b93930398bac6be526cbc17ee3676e846cda81930174ff5ba671c5a0bb1154ce52d217cbbff741f8949940e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bolyy.exe

Filesize
223KB

MD5
605800664d881b18941463237b7ddd38

SHA1
d700dcc81fe5776978eb1dab57f4fe83e65da322

SHA256
29e0cc16829028de8cec8d6fb339f3fad9df591de02a1f3713c41752d23187a8

SHA512
7fb3653ea11fdb727438f7fcd8a16420cd9fa65623fe36fd36bcf51773d88a540ef7781c746eb1551eca103024dd2f0dfffb083d063cc613d90d25ece788d9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bcc1f59f5470f71e7bedc9056074945e

SHA1
5bdab034cb9be0544cd7ba4462b2c552435a959f

SHA256
719075fa543489175436a6b9d1e0eab206d08e2950718c3af4279485f2a2eac7

SHA512
4036a3f05fa66d4c45a9ba5ca7b9ad292d64075e4f2fffcd86d478fb607e38c0a102d802e66d3a2831ce372b04077594e0159b763e6ba2177a52dc2235e071d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\komowo.exe

Filesize
441KB

MD5
fdcb6cdf091f3a468ac6bf7f9ad0239f

SHA1
97640b58df55e67c3e5913ee2a6acfe85cf46cdb

SHA256
8cff1781fe154e402e58b053ae6725b3767e0c464b71cd6f0410968570371df3

SHA512
29dbc6e62e0dff3f46a7e2793497cf8e06f49540da7f21d811b9c642d0849f487a3c8c6098cf1aab982965b01b0e2918a1928aff319d980a002c36bd5f729e1b

Download Submit
memory/1236-34-0x0000000000E40000-0x0000000000EE0000-memory.dmp

Filesize
640KB

Download
memory/1236-42-0x0000000000E40000-0x0000000000EE0000-memory.dmp

Filesize
640KB

Download
memory/1236-41-0x0000000000E40000-0x0000000000EE0000-memory.dmp

Filesize
640KB

Download
memory/2124-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3492-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3492-15-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3612-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3612-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing