urelas | 5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d

General

Target

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Size

784KB
MD5

bbec813948c72f96a34ad5b3b10fd118
SHA1

03db2340afe0ae7d2d216edfc880ed36bfd6da9d
SHA256

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d
SHA512

0c10dc61b10143e201660e20ac0fa4e4edb2ac1ffa7862d3e3572f923886e31669583498ee54ead67453724134ded9e6b4da1331a4b353e1c53215b40ffc4239
SSDEEP

12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgn:d7dLBftJLW5YUWLrkJB0PJgn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2760	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2748	gimuk.exe
2640	ulseum.exe
1736	kovua.exe

Loads dropped DLL 6 IoCs

pid	Process
1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
2748	gimuk.exe
2748	gimuk.exe
2640	ulseum.exe
2640	ulseum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gimuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulseum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kovua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe
1736	kovua.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2748	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 1672 wrote to memory of 2748	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 1672 wrote to memory of 2748	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 1672 wrote to memory of 2748	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	30
PID 1672 wrote to memory of 2760	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	31
PID 1672 wrote to memory of 2760	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	31
PID 1672 wrote to memory of 2760	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	31
PID 1672 wrote to memory of 2760	1672	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	31
PID 2748 wrote to memory of 2640	2748	gimuk.exe	33
PID 2748 wrote to memory of 2640	2748	gimuk.exe	33
PID 2748 wrote to memory of 2640	2748	gimuk.exe	33
PID 2748 wrote to memory of 2640	2748	gimuk.exe	33
PID 2640 wrote to memory of 1736	2640	ulseum.exe	35
PID 2640 wrote to memory of 1736	2640	ulseum.exe	35
PID 2640 wrote to memory of 1736	2640	ulseum.exe	35
PID 2640 wrote to memory of 1736	2640	ulseum.exe	35
PID 2640 wrote to memory of 1476	2640	ulseum.exe	36
PID 2640 wrote to memory of 1476	2640	ulseum.exe	36
PID 2640 wrote to memory of 1476	2640	ulseum.exe	36
PID 2640 wrote to memory of 1476	2640	ulseum.exe	36

C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
"C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\gimuk.exe
  "C:\Users\Admin\AppData\Local\Temp\gimuk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\ulseum.exe
    "C:\Users\Admin\AppData\Local\Temp\ulseum.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Users\Admin\AppData\Local\Temp\kovua.exe
      "C:\Users\Admin\AppData\Local\Temp\kovua.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f57ef2e2c519024a151ffdaac1a1f19b

SHA1
eb306100a0537b24fc6738f21a49f5a67c12e364

SHA256
6e1a6afc6fc6200d306b6a477dc1485a01d058c5ef9de8feb17f76965a7368be

SHA512
594a11983ad8bfd6945c06a6150453cc89df720a25eeb5fc505a54c76eeff75f911b334e6ccf0dae796ac15e2985600afd9fac8676df13dbababfbda54b350b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2c7e33c0f2be9fd361410365a34885d1

SHA1
21638113d3f2df325cdcc8b7f06a685d9ebc00e4

SHA256
2ec1c4ebd9339b8ceb19620155ae8f98d913c72b917dd98d1d0b49e456c8ec19

SHA512
b20dc048e8e942c7e15f3657a78d7de32afdeab018a68ce61b36f1be91b78a31cb7ec4f6c6f6a91c7741bdb73327da5cf518e46f5e60b1e3c9c70ca15eb51f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gimuk.exe

Filesize
784KB

MD5
63f84e7a8f9068d5a960b1d1c5f911c3

SHA1
bfb13b60a3af1ec3ddc4b29739ef6bf8c9d71aaf

SHA256
00c67be8f143dc4dfd00e2144639dde07a20e94812604a1314a333dd030742e7

SHA512
47bd9b37fe702652599735b009b4c9fb28724d98890dc8980f7c84fc46393c8ef4039682ab345d65a0105d7de5d2c80446fd3572c1c472f252539433d9b420c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c3a5ceaa6fdcdd62e2dd2f143e68f4b8

SHA1
3d3111ca493f001d8b73c72b15af0d23aeb68317

SHA256
eb71a39c51577dc54418e02362466bb548e4e423b0ebd35455c14cf11d2af6e5

SHA512
e59ce8d4a74c9b609ea28d9f64b33590522affc5932e071b417adbec2b8ac231a9c006930bd234ae532552ee2b643b509be9b4f2a9114780c8ce3a50a43d51ce

Download Submit
\Users\Admin\AppData\Local\Temp\kovua.exe

Filesize
601KB

MD5
27e421d3eeacbd1fe9de48be0c954e90

SHA1
41c3fc515bc619cadeca03e58e993cc31ab4a3e9

SHA256
9f34f46deb75b2eab4cc5fcf4d1a0599b7bc094e25437ee8721a0a1d151e2b18

SHA512
32b2dbca1b2f9f6afa800be2fd66ced92d06c5f133da654bbbabbc1afa7d98a2e5552c7b2838867d8d7082a632c4b04970230e8a9f7ecc3bf85f5d76a4d3f277

Download Submit
memory/1672-11-0x0000000002520000-0x00000000025EB000-memory.dmp

Filesize
812KB

Download
memory/1672-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1672-21-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1736-61-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1736-65-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2640-36-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2640-47-0x0000000003C40000-0x0000000003E62000-memory.dmp

Filesize
2.1MB

Download
memory/2640-48-0x0000000003C40000-0x0000000003E62000-memory.dmp

Filesize
2.1MB

Download
memory/2640-57-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2748-32-0x00000000032D0000-0x000000000339B000-memory.dmp

Filesize
812KB

Download
memory/2748-33-0x00000000032D0000-0x000000000339B000-memory.dmp

Filesize
812KB

Download
memory/2748-35-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing