urelas | c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575

General

Target

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
Size

404KB
MD5

23d53c8936d16e416de883e300620714
SHA1

816dab331e13bc7e762fe53ac1b849022cddfd7c
SHA256

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575
SHA512

3c85397e03a11f94fc7f1e895d8c2d4748f8f6fac7ab4ef391ea77d13b4772ba685d97db461684a9e8be59c24d974ef94f3dd95ff390c080b6798fd19447cfb6
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohi:8IfBoDWoyFblU6hAJQnOc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2996	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

wocae.exehijupu.exepuruq.exe

pid	Process
2140	wocae.exe
2428	hijupu.exe
2316	puruq.exe

Loads dropped DLL 5 IoCs

Processes:

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exewocae.exehijupu.exe

pid	Process
2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
2140	wocae.exe
2140	wocae.exe
2428	hijupu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exewocae.exehijupu.execmd.exepuruq.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wocae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hijupu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puruq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

puruq.exe

pid	Process
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe
2316	puruq.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exewocae.exehijupu.exe

description	pid	Process	procid_target
PID 2536 wrote to memory of 2140	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	28
PID 2536 wrote to memory of 2140	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	28
PID 2536 wrote to memory of 2140	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	28
PID 2536 wrote to memory of 2140	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	28
PID 2536 wrote to memory of 2996	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	29
PID 2536 wrote to memory of 2996	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	29
PID 2536 wrote to memory of 2996	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	29
PID 2536 wrote to memory of 2996	2536	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	29
PID 2140 wrote to memory of 2428	2140	wocae.exe	31
PID 2140 wrote to memory of 2428	2140	wocae.exe	31
PID 2140 wrote to memory of 2428	2140	wocae.exe	31
PID 2140 wrote to memory of 2428	2140	wocae.exe	31
PID 2428 wrote to memory of 2316	2428	hijupu.exe	34
PID 2428 wrote to memory of 2316	2428	hijupu.exe	34
PID 2428 wrote to memory of 2316	2428	hijupu.exe	34
PID 2428 wrote to memory of 2316	2428	hijupu.exe	34
PID 2428 wrote to memory of 2780	2428	hijupu.exe	35
PID 2428 wrote to memory of 2780	2428	hijupu.exe	35
PID 2428 wrote to memory of 2780	2428	hijupu.exe	35
PID 2428 wrote to memory of 2780	2428	hijupu.exe	35

C:\Users\Admin\AppData\Local\Temp\c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
"C:\Users\Admin\AppData\Local\Temp\c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\wocae.exe
  "C:\Users\Admin\AppData\Local\Temp\wocae.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\hijupu.exe
    "C:\Users\Admin\AppData\Local\Temp\hijupu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Users\Admin\AppData\Local\Temp\puruq.exe
      "C:\Users\Admin\AppData\Local\Temp\puruq.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
65ea325c8cbe7d496ddc2d4439ae8a73

SHA1
c31dc244ce16b385eecaca75e9e8ab6eb51c5972

SHA256
58ab1087dca95db94b7010ff1d7eeb783294127026473bb84360ec20b654531d

SHA512
a6875bfc070f416531513cf7232fda4e3533a28171aab1c0886b51d9ae6d2e67331621757684fa008b912eac5389a4ccfedb2a6772aaf408ea974fe56ecd6924

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
4e26c9a01e03b55bf2676d794ca0072e

SHA1
2a3b7b724c181f7aea01f73ad3e0facc009e54bc

SHA256
ac4cfe632fc5d34fa3416b4ef7b691a0c75fe1831a60f789c060a92ca113bb64

SHA512
a0a4392a33442d823fba28c3a6544a9336e978d508b214f72f5fbfba3c510ce7437cef649a44df4d6849c6b7ac2bc659595c2f2478207d573a29d2a0b77cf021

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
78a13ba0d733feccf0aff1e064e89597

SHA1
0d96101686b1e085fbcf9555d3df060aaa030a0b

SHA256
f991b4c2b554ec93975e105b04b89b7c7f228db7f48b4180af1ec3f884ee5261

SHA512
12c391f2f086809bd65de82befe67eec5588940864f78990d064d1844b69e5547129ba64d2bfcd52cdbf365ed4284bda33d8c76c0504746963e3d768508e8ee5

Download Submit
\Users\Admin\AppData\Local\Temp\hijupu.exe

Filesize
404KB

MD5
a96fdfbb368566ea2f383fa0c8b267fc

SHA1
3c4b6b457ca48f29051a4ca2e5b4f806c25ac0dd

SHA256
0a234dc58e5f084d564e2e0352acc86da318c5c78fc6f1e803948a25c9271076

SHA512
7afbcc849bd5c1542f0486ae756b8d87d329f5d3a99a32a1b6afb263382adb6c4bbf6494c33ab91118deab9ba6ccc0a6ce04afd4c35e004a124a2b3698cd5959

Download Submit
\Users\Admin\AppData\Local\Temp\puruq.exe

Filesize
223KB

MD5
e49c4aa369b6958aec87ddcfba2e6880

SHA1
62bf349252f48fffd04f6e52fc040a1eab858dd7

SHA256
2a98e229a084a1c07a6a9f1524b71ef800cee25bdad0857f86bccc7177bbe928

SHA512
20e55560fdc8f9dfc35455ad8d783a10df3a77443f3739a40a626fae6db377de02fe2b7be2de09d9eca9df181a4b040150e1e4d0f57ed362c9c84536167a77a3

Download Submit
\Users\Admin\AppData\Local\Temp\wocae.exe

Filesize
404KB

MD5
f12668786ae567c4cd9ef2096bc136e1

SHA1
efdb405d6860fc853ad9b31b3cc55cfe12cadb85

SHA256
4d691eac33a7ca2d036dd2007f539c67d5ed124b522f1ddaa1cbad388722fc64

SHA512
1ff3ee921d03227c9c2910d80110230aaffa1ed05eb271ea9ab1fd28e947b119938d963bdb1bb7266af979cd9e74c224dbe827e39e27dd6f2017baa8c31b1c1d

Download Submit
memory/2140-35-0x00000000037A0000-0x0000000003808000-memory.dmp

Filesize
416KB

Download
memory/2140-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2140-24-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2316-59-0x0000000000B20000-0x0000000000BC0000-memory.dmp

Filesize
640KB

Download
memory/2316-58-0x0000000000B20000-0x0000000000BC0000-memory.dmp

Filesize
640KB

Download
memory/2316-54-0x0000000000B20000-0x0000000000BC0000-memory.dmp

Filesize
640KB

Download
memory/2428-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2428-42-0x0000000003B30000-0x0000000003BD0000-memory.dmp

Filesize
640KB

Download
memory/2428-53-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2536-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2536-20-0x00000000024E0000-0x0000000002548000-memory.dmp

Filesize
416KB

Download
memory/2536-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2536-14-0x00000000024E0000-0x0000000002548000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads