urelas | 910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b

General

Target

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Size

692KB
MD5

b53e591f1b41aab36a05fd560ec491ce
SHA1

683d8ce3f61a8b13f2b6803e8060d3708c6a61bd
SHA256

910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b
SHA512

e3b9e38b6409080b15bff22a1db0db9e1bc2a1aaee006e755add83b9a32d54d1b4340e423917bef1ae244f08223f2127faabaf65e923173f339783674f4cadc2
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nr0:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnr0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	loufy.exe
704	laeqto.exe
2832	morub.exe

Loads dropped DLL 5 IoCs

pid	Process
2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
1704	loufy.exe
1704	loufy.exe
704	laeqto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	laeqto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	morub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loufy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe
2832	morub.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1704	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2200 wrote to memory of 1704	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2200 wrote to memory of 1704	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2200 wrote to memory of 1704	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	30
PID 2200 wrote to memory of 2268	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2200 wrote to memory of 2268	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2200 wrote to memory of 2268	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 2200 wrote to memory of 2268	2200	910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe	31
PID 1704 wrote to memory of 704	1704	loufy.exe	33
PID 1704 wrote to memory of 704	1704	loufy.exe	33
PID 1704 wrote to memory of 704	1704	loufy.exe	33
PID 1704 wrote to memory of 704	1704	loufy.exe	33
PID 704 wrote to memory of 2832	704	laeqto.exe	34
PID 704 wrote to memory of 2832	704	laeqto.exe	34
PID 704 wrote to memory of 2832	704	laeqto.exe	34
PID 704 wrote to memory of 2832	704	laeqto.exe	34
PID 704 wrote to memory of 592	704	laeqto.exe	35
PID 704 wrote to memory of 592	704	laeqto.exe	35
PID 704 wrote to memory of 592	704	laeqto.exe	35
PID 704 wrote to memory of 592	704	laeqto.exe	35

C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe
"C:\Users\Admin\AppData\Local\Temp\910bb791c2ad2c5bf54816b430b5f2500a572a70e2fa1a228c0e2fbcbe76f53b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\loufy.exe
  "C:\Users\Admin\AppData\Local\Temp\loufy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\laeqto.exe
    "C:\Users\Admin\AppData\Local\Temp\laeqto.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Users\Admin\AppData\Local\Temp\morub.exe
      "C:\Users\Admin\AppData\Local\Temp\morub.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
fc0c687e429f4e6ce0ff0707d753537c

SHA1
4db0d027fb00de586a8b9205fd36b81606f72d72

SHA256
417eda1fe2c91f5595bf8898777a7efdfe37dea6844397af6a2c9a19f4396292

SHA512
ab460c48858fe0428923f0a696a36b12cd39a012e0e8d9ae97798a4ae5f1b601f1e982f48deac62eaf2f0a20f9d658b8e5ad68d0ba1a6ec72bce6ad12bb3cfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4ce4392cfa276381b5d6ce006daf3193

SHA1
f8edcd9632a53166970759eba03da9382750a99f

SHA256
1535c7f76a080b6537f4b9d3afc795e2c734d94eb07b8fb4f881c43c5a674777

SHA512
e406b6f1c9050113615a841a873abce038b6b418f3abbe3975c7a36319211f2dda071b61339fd9ad206e60fa272b15aba64db1e0ab3043e220de756ed1d8cdaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bf68d19b5cd08bc88f9ca0cc99eaebd7

SHA1
3458845c163f43347b2ca6d1ee85288d51c7894b

SHA256
a626edbe96572a043adff15195592decc8914221cabdae5d3f402d4db93bc608

SHA512
0c36b11138be6c94a0a21e262c0919a0ce3bc2b9d24ad82366a49bff61da2f30040c48bce3d6df04cb5eac6676cdf039785531d53ab7b2986bbe9d2c13abc371

Download Submit
\Users\Admin\AppData\Local\Temp\loufy.exe

Filesize
692KB

MD5
2f3076c4330f4c58b0d48996f9cb0ffb

SHA1
c338b59e46a9e29a2d64835f627d109636e4811d

SHA256
8af33d152aab0ab366940796d67aa146a5101d33f617213a5d87af3e42f87bd7

SHA512
0b197512cc56d6b30d70e536b3a54838b0031b5c4995e01273dc1d9c4cb670e7feb2b06f9a5e5ccbee1793e3dc6cfab422b88aeeee7280f24923c1c0a08e88e2

Download Submit
\Users\Admin\AppData\Local\Temp\morub.exe

Filesize
469KB

MD5
5063f97f06811733bf61227270256920

SHA1
c8600924eedaaefadbfed638cacf3e9efbf5c72d

SHA256
68bbfdd909c0d301f1e331a64204c82b6bb2c3c6c5497182c084e0c6b035d2fb

SHA512
17f6fe5712e5b39c392097450c9a04bb17dc87c252a5668dbabf7d4fb298fd75d36c364ae9ca990b6ae53786f5aa71284e5c62e05a31a3bd115b57987ec8b4b1

Download Submit
memory/704-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/704-36-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/704-51-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1704-33-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2200-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2200-18-0x0000000002460000-0x0000000002513000-memory.dmp

Filesize
716KB

Download
memory/2200-24-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2200-6-0x0000000002460000-0x0000000002513000-memory.dmp

Filesize
716KB

Download
memory/2832-53-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2832-57-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing