urelas | c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575

General

Target

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
Size

404KB
MD5

23d53c8936d16e416de883e300620714
SHA1

816dab331e13bc7e762fe53ac1b849022cddfd7c
SHA256

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575
SHA512

3c85397e03a11f94fc7f1e895d8c2d4748f8f6fac7ab4ef391ea77d13b4772ba685d97db461684a9e8be59c24d974ef94f3dd95ff390c080b6798fd19447cfb6
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohi:8IfBoDWoyFblU6hAJQnOc

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exemotod.exejyeczo.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	motod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	jyeczo.exe

Executes dropped EXE 3 IoCs

Processes:

motod.exejyeczo.exeuxtah.exe

pid	Process
2044	motod.exe
4080	jyeczo.exe
4008	uxtah.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exec8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exemotod.execmd.exejyeczo.exeuxtah.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	motod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jyeczo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxtah.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

uxtah.exe

pid	Process
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe
4008	uxtah.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exemotod.exejyeczo.exe

description	pid	Process	procid_target
PID 2256 wrote to memory of 2044	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	83
PID 2256 wrote to memory of 2044	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	83
PID 2256 wrote to memory of 2044	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	83
PID 2256 wrote to memory of 2460	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	84
PID 2256 wrote to memory of 2460	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	84
PID 2256 wrote to memory of 2460	2256	c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe	84
PID 2044 wrote to memory of 4080	2044	motod.exe	86
PID 2044 wrote to memory of 4080	2044	motod.exe	86
PID 2044 wrote to memory of 4080	2044	motod.exe	86
PID 4080 wrote to memory of 4008	4080	jyeczo.exe	104
PID 4080 wrote to memory of 4008	4080	jyeczo.exe	104
PID 4080 wrote to memory of 4008	4080	jyeczo.exe	104
PID 4080 wrote to memory of 3068	4080	jyeczo.exe	105
PID 4080 wrote to memory of 3068	4080	jyeczo.exe	105
PID 4080 wrote to memory of 3068	4080	jyeczo.exe	105

C:\Users\Admin\AppData\Local\Temp\c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe
"C:\Users\Admin\AppData\Local\Temp\c8b303a8dabb47fd309852f61c4420885d8026ad14961be4c55e87648359f575.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\motod.exe
  "C:\Users\Admin\AppData\Local\Temp\motod.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\jyeczo.exe
    "C:\Users\Admin\AppData\Local\Temp\jyeczo.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\uxtah.exe
      "C:\Users\Admin\AppData\Local\Temp\uxtah.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
f824f4eec528af4255a6d8ce61627b13

SHA1
31fc5f3d15356e49bb3dd30e523b913f10661f25

SHA256
3fb2ce5cb3d16fab8a4b6e5825ac85fdaf7576cf26cc75101e44251f1cb39890

SHA512
3bf288db4b76dcd212e56c8e8ff38aabd331ecc70d928f908c84c8c4485e6dc2a64855d0c40e9ecae924d1205e3f9995716042d24ed53386e95c40dd7a430d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
65ea325c8cbe7d496ddc2d4439ae8a73

SHA1
c31dc244ce16b385eecaca75e9e8ab6eb51c5972

SHA256
58ab1087dca95db94b7010ff1d7eeb783294127026473bb84360ec20b654531d

SHA512
a6875bfc070f416531513cf7232fda4e3533a28171aab1c0886b51d9ae6d2e67331621757684fa008b912eac5389a4ccfedb2a6772aaf408ea974fe56ecd6924

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
80272f689b1b2f6cdd8b0bc7d1326549

SHA1
9e09c7949f76a5367ed53df8b193d57519560a83

SHA256
ba0cfe6f7e60468de64edc33f9f3605c676bcfedb6061315ad0f7cd481aea035

SHA512
ef364b3c1d9502ba669cce24b8be320b55815531675f2d7f2438b419854dc73fec4390db52c75d47f2c6b63e27beab3dc296b1163c049cb64b4e650a6284e1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jyeczo.exe

Filesize
404KB

MD5
719062bf553df54be7a142824735cecf

SHA1
15c53c80a002d64dbcaa738d74c757de705cf6b2

SHA256
24f155a0f11a4ae134484fe7a7a6ed2fa9db76589d4de86efd2c825d6689fb08

SHA512
ceb830a1749aa471353dceb9e1564db4098e8c91856c8478aeb03a11f86e0ac0a5c5e1433f631ad1f95725b8c2bf8b58fb9cc49a5eb0cbba0f90d06b44edc6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\motod.exe

Filesize
404KB

MD5
9ed475b7e17c46ce80e57f4fc7054ac1

SHA1
8a2c3a453240a98288668d2e34a88eca35558b2b

SHA256
1c73d5119d59a2b0f187590f53116e703c9fd51bc88dcaf89c621d21e7a1913b

SHA512
b8a150776a2e2a2235cf7ff0e0105830450c665474a7dc39537126f5b276dd33599d18e131e290c82377082e96e295c6f0d71f069aeb87a18a1cb963be16e13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxtah.exe

Filesize
223KB

MD5
aad3e628e1516f0f31f8c190a0def776

SHA1
9be84df9c19b98759fd9ea9d0ecf401a9c461151

SHA256
bd684dad660fbca5d062dd40697bfe6c1d0a243938d8b8c066eb039e45ec70c1

SHA512
145d22bb5d10ca602fe6ac83fbe396dfc0fdeb026588615ed88a7d9d3ba241ad99379f3761cf389646b4a4b32261855665316e9290444e8a0d4221cb0c51352e

Download Submit
memory/2044-26-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2044-12-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2256-16-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2256-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4008-38-0x00000000005D0000-0x0000000000670000-memory.dmp

Filesize
640KB

Download
memory/4008-43-0x00000000005D0000-0x0000000000670000-memory.dmp

Filesize
640KB

Download
memory/4008-44-0x00000000005D0000-0x0000000000670000-memory.dmp

Filesize
640KB

Download
memory/4080-27-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4080-25-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/4080-40-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads