urelas | 9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4

General

Target

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Size

348KB
MD5

a89691f3add0a3fa328f60dacbb8e2aa
SHA1

a3fcdd5e991e835f7956c6ef5b30bb9c7f59b8a1
SHA256

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4
SHA512

409ad5f9e81d11f26b543611e327b1575589568bd6cebe568b3ff379f1361221a1e4a3925ecbe1ea51628d06d702309e6aa6c2182eb2100b340a8a1ef6e5e8fd
SSDEEP

6144:8/bE5G5KiR0J0dCsnGb/6VOpLc91WlvhDSNZ5c:g0G5obGGraOpUWlpZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2400	cmd.exe

Executes dropped EXE 3 IoCs

Processes:

abypb.exemoqugo.exewudyi.exe

pid	Process
2824	abypb.exe
2784	moqugo.exe
340	wudyi.exe

Loads dropped DLL 6 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeabypb.exemoqugo.exe

pid	Process
2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
2824	abypb.exe
2824	abypb.exe
2784	moqugo.exe
2784	moqugo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeabypb.exemoqugo.execmd.exewudyi.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abypb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moqugo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wudyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

wudyi.exe

pid	Process
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe
340	wudyi.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exeabypb.exemoqugo.exe

description	pid	Process	procid_target
PID 2960 wrote to memory of 2824	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	30
PID 2960 wrote to memory of 2824	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	30
PID 2960 wrote to memory of 2824	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	30
PID 2960 wrote to memory of 2824	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	30
PID 2960 wrote to memory of 2400	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	31
PID 2960 wrote to memory of 2400	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	31
PID 2960 wrote to memory of 2400	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	31
PID 2960 wrote to memory of 2400	2960	9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe	31
PID 2824 wrote to memory of 2784	2824	abypb.exe	33
PID 2824 wrote to memory of 2784	2824	abypb.exe	33
PID 2824 wrote to memory of 2784	2824	abypb.exe	33
PID 2824 wrote to memory of 2784	2824	abypb.exe	33
PID 2784 wrote to memory of 340	2784	moqugo.exe	35
PID 2784 wrote to memory of 340	2784	moqugo.exe	35
PID 2784 wrote to memory of 340	2784	moqugo.exe	35
PID 2784 wrote to memory of 340	2784	moqugo.exe	35
PID 2784 wrote to memory of 1248	2784	moqugo.exe	36
PID 2784 wrote to memory of 1248	2784	moqugo.exe	36
PID 2784 wrote to memory of 1248	2784	moqugo.exe	36
PID 2784 wrote to memory of 1248	2784	moqugo.exe	36

C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe
"C:\Users\Admin\AppData\Local\Temp\9513013f069dd2dd48324e6620ae14df540b7af34a56bc36b441423451b05af4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\abypb.exe
  "C:\Users\Admin\AppData\Local\Temp\abypb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\moqugo.exe
    "C:\Users\Admin\AppData\Local\Temp\moqugo.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\wudyi.exe
      "C:\Users\Admin\AppData\Local\Temp\wudyi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:340
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
f2ae8246f3927151f352e04b2e3a603f

SHA1
68b53101d1b8bb79de11eaf3d1926f1d1d25e91b

SHA256
254dc6af7bef48c10c54b6885317e242b65967c2ccffbe6503d5eeaf7caeab65

SHA512
18e5e3f9f1115fe4c1e99453a8a6d9489dd6c42f3c9b09cea599be3cfcc3ab28dd21e4e60af658424ef093a549211d2ad6c1e5ae1809875267cd2f974587e67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
d6a4e4931f51d373fa3f66e88e50cc77

SHA1
5ca1726b5a2ac245868309973e28e759eb182d58

SHA256
74de42af3123e90eb5aa36c4e52b0072fd1a7f957c4bea8fcaaec847f56d489b

SHA512
b42c4b619e2a06c8742abd70f74d78ccf09a593672da3b0efb0eb27ef0ce894ae36a822cb39ecb6774ecab1cc26d71d0bf17530d96fa4cb080e48d0ea356e7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
07103aebacfa81744269bb070bdda8a4

SHA1
076951f921739db591e61fcf2c064de70ed79bdc

SHA256
97ede0a05047fa737eeb941a910b2ac496c42d1e0f73812bc16efbbcf189616a

SHA512
2cdbee999cdcada7915cd9616826ec857d16dfc0b43981ced0a96d14bfcbde17d4d7b699fa10a1c998d6c3c21dbee18a570225e1515db9adfb8355accdc586e2

Download Submit
\Users\Admin\AppData\Local\Temp\abypb.exe

Filesize
348KB

MD5
49f7e821d31258a0ac293581cd9be391

SHA1
ccae6b9c61c9d94db428d2132f7f370569566e62

SHA256
25c509e611719e922da3e68bf123dca8418ac11d9503e49b1df2aa4a43bf5ba1

SHA512
aa3b8eac8fe6221928815509c7227063d119f717150f07f624e964797fb2b31a8fce4f60b40520b54043c0ad08066d0c798f5f6732a66ec98363f53226603b25

Download Submit
\Users\Admin\AppData\Local\Temp\wudyi.exe

Filesize
115KB

MD5
9a423995217b3ad9ef68febf3c7a4291

SHA1
7011e01e3609a0d58088bd3aacdb32ab00db7f1f

SHA256
714bf43f72e0f5a92be9d4459230f8350f2f0b414b81a1b82d23f4e47f450de2

SHA512
3b181ff450559fa43173473cd4703f41250c7edfe0a77045597f5e57dd1c65e6ac12679bc2f5de55fe97451ef04f15e488eedb70850f10be70858e6a81a487c6

Download Submit
memory/340-59-0x0000000000280000-0x0000000000302000-memory.dmp

Filesize
520KB

Download
memory/340-58-0x0000000000280000-0x0000000000302000-memory.dmp

Filesize
520KB

Download
memory/340-57-0x0000000000280000-0x0000000000302000-memory.dmp

Filesize
520KB

Download
memory/2784-40-0x0000000003AD0000-0x0000000003B52000-memory.dmp

Filesize
520KB

Download
memory/2784-34-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2784-54-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2824-31-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-23-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-10-0x00000000023A0000-0x00000000023FC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads