urelas | 5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d

General

Target

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Size

784KB
MD5

bbec813948c72f96a34ad5b3b10fd118
SHA1

03db2340afe0ae7d2d216edfc880ed36bfd6da9d
SHA256

5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d
SHA512

0c10dc61b10143e201660e20ac0fa4e4edb2ac1ffa7862d3e3572f923886e31669583498ee54ead67453724134ded9e6b4da1331a4b353e1c53215b40ffc4239
SSDEEP

12288:d7dL4AkwWNk82HAEGfKKBhVGT5OY8pgA65t8mv5pThkJ8HxW0d8GYEgn:d7dLBftJLW5YUWLrkJB0PJgn

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	dogec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	kugavu.exe

Executes dropped EXE 3 IoCs

pid	Process
5056	dogec.exe
3732	kugavu.exe
2236	jeheo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dogec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kugavu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeheo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe
2236	jeheo.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 5056	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 2708 wrote to memory of 5056	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 2708 wrote to memory of 5056	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	83
PID 2708 wrote to memory of 1912	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	84
PID 2708 wrote to memory of 1912	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	84
PID 2708 wrote to memory of 1912	2708	5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe	84
PID 5056 wrote to memory of 3732	5056	dogec.exe	86
PID 5056 wrote to memory of 3732	5056	dogec.exe	86
PID 5056 wrote to memory of 3732	5056	dogec.exe	86
PID 3732 wrote to memory of 2236	3732	kugavu.exe	104
PID 3732 wrote to memory of 2236	3732	kugavu.exe	104
PID 3732 wrote to memory of 2236	3732	kugavu.exe	104
PID 3732 wrote to memory of 4672	3732	kugavu.exe	105
PID 3732 wrote to memory of 4672	3732	kugavu.exe	105
PID 3732 wrote to memory of 4672	3732	kugavu.exe	105

C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe
"C:\Users\Admin\AppData\Local\Temp\5a5cefab37f78e90efdd6d0ce940bfec022f64a6702b856a704a6500d5e4756d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\dogec.exe
  "C:\Users\Admin\AppData\Local\Temp\dogec.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\kugavu.exe
    "C:\Users\Admin\AppData\Local\Temp\kugavu.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\jeheo.exe
      "C:\Users\Admin\AppData\Local\Temp\jeheo.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
47efd7d000ccb22ca65a5979c17d9e50

SHA1
623a9a49394004626cf32720ea9dee58b678da85

SHA256
6db58fb3e924f2bc22bbd50d53aa46b091f2f26eac23c6c5bd0679ff98b616e5

SHA512
06eede9cdee20add184d5b6fec4c56015ba478d862175ca2726e27d483986b340cd242d9756f6cc90a4be3cd375c2a37cd676c895b46c197efd356e1f27b0faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f57ef2e2c519024a151ffdaac1a1f19b

SHA1
eb306100a0537b24fc6738f21a49f5a67c12e364

SHA256
6e1a6afc6fc6200d306b6a477dc1485a01d058c5ef9de8feb17f76965a7368be

SHA512
594a11983ad8bfd6945c06a6150453cc89df720a25eeb5fc505a54c76eeff75f911b334e6ccf0dae796ac15e2985600afd9fac8676df13dbababfbda54b350b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dogec.exe

Filesize
784KB

MD5
178bbe34e93e5044160abe561f6d07db

SHA1
a60bc703698686149999de5484094c6fa356749a

SHA256
937f677cefb4754f00b888eb8dee890fb3fec6f8637673ef54f6ffc96be81c06

SHA512
e2216892913fefad7a7d47878e77004a54d0daa2f9fc261edb04067e8c2bb49827cf61e2e299ae707185f7935cc7bb8ebb7fb93da3bd4d5ffdf86479554a684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0e0e3e999f242eb9109e9dd3addd34ad

SHA1
58861477fff0866a51e59bee2c50aa3b78b7dc80

SHA256
2807236b3e1651fe27ab994356d4745c6fe552d7ae17fb4e8a2e7d119de8e40f

SHA512
bc52f58245cfe721c53499100780a4f1096a35cc75923ec4c335860a1963ba8d524eaf7a66b997d3b3d95c9810597c5e07bae89f5fcdc4d62b27b9dbf194daac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeheo.exe

Filesize
601KB

MD5
55099390c2b4143d46e0fffd98e50c02

SHA1
ec8a230088145ade28a29669a375eaf22e5e4a68

SHA256
bd598f77efa8dc94c33e158049379e3359555dbbea02ee78f34eda2b6c72c2d0

SHA512
63ed167afc07b3d42440629c67c38b178fa5af50a12a8ffb92b4db87f00bc267b6aca29dde481c781b7b95d301f0ed06cb16d6bdd77e5e32baf8568cc05a087d

Download Submit
memory/2236-47-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2236-37-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2236-42-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2708-15-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-0-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3732-25-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/3732-39-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/5056-24-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download

Analysis

Sharing