urelas | 558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4

General

Target

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
Size

441KB
MD5

843997ebd749579ffd00b2a9fe6284de
SHA1

a7443e907bf47fb2b4b16f84ae9235ae90d73ff7
SHA256

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4
SHA512

437db5146230455e04798bb2e2c87ed8313880d03450e766450b4508beb12aee63d290d67e0f3d65e8fd9ee04618fbe1a1b1cbff91011891d388a5777ab2e093
SSDEEP

6144:oEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpjg:oMpASIcWYx2U6hAJQnn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2960	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

weilx.exekufolo.exewoyqz.exe

pid	Process
2724	weilx.exe
2772	kufolo.exe
2564	woyqz.exe

Loads dropped DLL 3 IoCs

Processes:

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exeweilx.exekufolo.exe

pid	Process
2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
2724	weilx.exe
2772	kufolo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

woyqz.execmd.exe558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exeweilx.exekufolo.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woyqz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weilx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kufolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

woyqz.exe

pid	Process
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe
2564	woyqz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exeweilx.exekufolo.exe

description	pid	Process	procid_target
PID 2168 wrote to memory of 2724	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	30
PID 2168 wrote to memory of 2724	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	30
PID 2168 wrote to memory of 2724	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	30
PID 2168 wrote to memory of 2724	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	30
PID 2168 wrote to memory of 2960	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	31
PID 2168 wrote to memory of 2960	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	31
PID 2168 wrote to memory of 2960	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	31
PID 2168 wrote to memory of 2960	2168	558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe	31
PID 2724 wrote to memory of 2772	2724	weilx.exe	33
PID 2724 wrote to memory of 2772	2724	weilx.exe	33
PID 2724 wrote to memory of 2772	2724	weilx.exe	33
PID 2724 wrote to memory of 2772	2724	weilx.exe	33
PID 2772 wrote to memory of 2564	2772	kufolo.exe	35
PID 2772 wrote to memory of 2564	2772	kufolo.exe	35
PID 2772 wrote to memory of 2564	2772	kufolo.exe	35
PID 2772 wrote to memory of 2564	2772	kufolo.exe	35
PID 2772 wrote to memory of 2416	2772	kufolo.exe	36
PID 2772 wrote to memory of 2416	2772	kufolo.exe	36
PID 2772 wrote to memory of 2416	2772	kufolo.exe	36
PID 2772 wrote to memory of 2416	2772	kufolo.exe	36

C:\Users\Admin\AppData\Local\Temp\558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe
"C:\Users\Admin\AppData\Local\Temp\558367d11736d5ed87bc4038db2ec9a67cb0c79da07a269e043f2fb7063189c4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\weilx.exe
  "C:\Users\Admin\AppData\Local\Temp\weilx.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\kufolo.exe
    "C:\Users\Admin\AppData\Local\Temp\kufolo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Users\Admin\AppData\Local\Temp\woyqz.exe
      "C:\Users\Admin\AppData\Local\Temp\woyqz.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e7aec06f39179b83c3a8a5baff53c372

SHA1
2b77ac89422753a0618451ff610ca0f1a77d7fbe

SHA256
b7f0e8fec4c3a87ee80812323c8b41a84d17c7cf89b1b025ad2fb8024049f4bc

SHA512
d58df9c794e0c691faea4e7a615aac806859faf8a1289a61019469a04438a4e5c3bb100239de2434985ae7e91c737d482e11dcbb48b57fbd2fb32865035a4c7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4690da08df574dc9bcc3b381f3cddfea

SHA1
3794d31b7cf3ea60b934abc3e7954e269014cac1

SHA256
e5f14925d651eee9cfb31407710295a8aac51f381a9dad0b78a15740eeed96aa

SHA512
d524e970451a09745acfe38d2e15817f6b80a76c8439b8a908eb13e67b954c16d6d394e7c34c38950d7a65a59ed8a56d7fd62611654e91dc8688e09f7940c545

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b14082cd51d0fc4bbbcb66c6ae67e921

SHA1
a5a16e160f7df8fe9568cecaab3ed407c7007e43

SHA256
1d8fc80d28652e8776db492d3f1093889422511095a5182c542d49f57420fb20

SHA512
58e9d0dc8dc60574359bf970c7f5b4f34277166f523bcb1a4ca4e004ed7be81d2ca369534fe72cb8e1a694b9b9fa6cdce22ef1a420e9a72f7a8c571c81ca332e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kufolo.exe

Filesize
441KB

MD5
38dc322c5682e5408f7433a9cefd6487

SHA1
3a62c201faac8517096fa1fb82e5e9ef3735b3cc

SHA256
049181689e4b80f0dba34b12219525cbb15bb2c8623fd3a0d4ef76632e8a5f07

SHA512
cbdc7bb7eef7d0add085e96a4c5c051b69b85e2f194dfdbd58b6d7b2fdbfa8e9a595d4355845c56dc7886ee741a48bfedc4f998d6e473688ff3a388c8a2dff6a

Download Submit
\Users\Admin\AppData\Local\Temp\weilx.exe

Filesize
441KB

MD5
0cce9c08e7edfe407a8f4361bc76d7ff

SHA1
6737b2d5f388ff694b6619c081070dea99806bc4

SHA256
e4839fe79fac39172c3e94131366f287148616c85e0f8a9ebe80a5f125d5edd5

SHA512
d5e79cdf79e28d2159ed7f2254b02e1b0a2bb53c6a6468c975cce6e980a1a918ab6abbbf1ddd6551cc3cf130a1abb67865727d3a7ff831900174127ff4713965

Download Submit
\Users\Admin\AppData\Local\Temp\woyqz.exe

Filesize
223KB

MD5
d8278b48dd4df74a3629b3838d27dfd0

SHA1
e5fdc7b03337dbd6ba3f2889b7a3488f48ca3df6

SHA256
3ce5cb8baee20e4bfef31a7a050c65336a44c8a261af384039f0b55460b385cf

SHA512
635d5c42c63816c5b9bc05fe080406f8e1b37767586e54a260f2c51dd915a5dc39f5270807d81d20c36fa75acbe9bd2bdebdd8363f473b52fbf1ffbf9d291091

Download Submit
memory/2168-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2168-16-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2168-8-0x0000000002490000-0x00000000024FE000-memory.dmp

Filesize
440KB

Download
memory/2564-51-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2564-50-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2564-46-0x0000000000D70000-0x0000000000E10000-memory.dmp

Filesize
640KB

Download
memory/2724-19-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2724-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-44-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2772-28-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads