urelas | 5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d

General

Target

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Size

784KB
MD5

bbec813948c72f96a34ad5b3b10fd118
SHA1

03db2340afe0ae7d2d216edfc880ed36bfd6da9d
SHA256

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d
SHA512

0c10dc61b10143e201660e20ac0fa4e4edb2ac1ffa7862d3e3572f923886e31669583498ee54ead67453724134ded9e6b4da1331a4b353e1c53215b40ffc4239
SSDEEP

12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgn:d7dLBftJLW5YUWLrkJB0PJgn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2156	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2116	miims.exe
2952	gevudu.exe
852	uvijn.exe

Loads dropped DLL 6 IoCs

pid	Process
432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
2116	miims.exe
2116	miims.exe
2952	gevudu.exe
2952	gevudu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvijn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miims.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gevudu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
852	uvijn.exe
852	uvijn.exe
852	uvijn.exe
852	uvijn.exe
852	uvijn.exe
852	uvijn.exe
852	uvijn.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2116	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	29
PID 432 wrote to memory of 2116	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	29
PID 432 wrote to memory of 2116	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	29
PID 432 wrote to memory of 2116	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	29
PID 432 wrote to memory of 2156	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 432 wrote to memory of 2156	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 432 wrote to memory of 2156	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 432 wrote to memory of 2156	432	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 2116 wrote to memory of 2952	2116	miims.exe	32
PID 2116 wrote to memory of 2952	2116	miims.exe	32
PID 2116 wrote to memory of 2952	2116	miims.exe	32
PID 2116 wrote to memory of 2952	2116	miims.exe	32
PID 2952 wrote to memory of 852	2952	gevudu.exe	33
PID 2952 wrote to memory of 852	2952	gevudu.exe	33
PID 2952 wrote to memory of 852	2952	gevudu.exe	33
PID 2952 wrote to memory of 852	2952	gevudu.exe	33
PID 2952 wrote to memory of 2996	2952	gevudu.exe	34
PID 2952 wrote to memory of 2996	2952	gevudu.exe	34
PID 2952 wrote to memory of 2996	2952	gevudu.exe	34
PID 2952 wrote to memory of 2996	2952	gevudu.exe	34

C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
"C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\miims.exe
  "C:\Users\Admin\AppData\Local\Temp\miims.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\gevudu.exe
    "C:\Users\Admin\AppData\Local\Temp\gevudu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\uvijn.exe
      "C:\Users\Admin\AppData\Local\Temp\uvijn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f57ef2e2c519024a151ffdaac1a1f19b

SHA1
eb306100a0537b24fc6738f21a49f5a67c12e364

SHA256
6e1a6afc6fc6200d306b6a477dc1485a01d058c5ef9de8feb17f76965a7368be

SHA512
594a11983ad8bfd6945c06a6150453cc89df720a25eeb5fc505a54c76eeff75f911b334e6ccf0dae796ac15e2985600afd9fac8676df13dbababfbda54b350b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9aea7587483b1b87f2611402939833b5

SHA1
c26aab50ad53e1e8090abd671c5d2e07aaad47d5

SHA256
d404d3c08e825dd54392d5e672bb38e967fee22945518289851c8d0365834404

SHA512
143934e315a60efbbd739f778a08c8d7d611a4ed88f079a5807e067e392da85187a1bfab303c64fbd3fcedea60c4cb5f711d2bbf15e552554b9fbe3fd8218750

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bf3cf04df608e5d565e857e59c3ba3e3

SHA1
0cb97f18b41a420a6a166c7e544c2baf33f9d5b3

SHA256
d8ac385a2c5108b54f6e3bf10d6f0968ff2df85a1b74cf3fb7043909b7b5f2d0

SHA512
e2138a0035cbaefe23c811e399e3cadbb0650b46bc0e53d78f0c6faef782bcb978be6810a0d55e381ea1bdf12994568333351b960f92fc7de4de2a5eff4ceb08

Download Submit
\Users\Admin\AppData\Local\Temp\miims.exe

Filesize
784KB

MD5
c9da144233ccb99762114585c3db7d48

SHA1
fd9682dd4f70de30a9639900281cbce112ffda4d

SHA256
ab3ed84aeb64900ffc7bb6b1d0d1162636cde1aafa885eb302fabf42001ee1e4

SHA512
cd494d091a004787e95db4a76f7511ba019c3e689f5c405c56fbc4e148b9d7003a30b683d58a2eaddb4b3aa27ab7cc57b6c5286d3c29061933801c9f0245f9e7

Download Submit
\Users\Admin\AppData\Local\Temp\uvijn.exe

Filesize
601KB

MD5
712312f6618e13f92d0f948843018f57

SHA1
da053d5c951f1b243c87d36a9db46fd1b4e92356

SHA256
dd23f91d4196c3618065ff5216a62669cb8324f2392653f414fab1a6b86d5b8a

SHA512
40b3a38c7f69dc5733863c5cf1cbb9dfc3b52d90f4e6c6625591e5528dd8551ebbd138e59f73f405fd0e4192b457d3fd23c249aa9444612564cc1ecd1019f859

Download Submit
memory/432-2-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/432-20-0x0000000002570000-0x000000000263B000-memory.dmp

Filesize
812KB

Download
memory/432-23-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/432-21-0x0000000002570000-0x000000000263B000-memory.dmp

Filesize
812KB

Download
memory/852-64-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/852-58-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2116-34-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2116-22-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2952-56-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2952-55-0x00000000037A0000-0x00000000039C2000-memory.dmp

Filesize
2.1MB

Download
memory/2952-37-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2952-35-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2952-62-0x00000000037A0000-0x00000000039C2000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing