urelas | 3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38

General

Target

3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe
Size

441KB
MD5

f86dcb4311922e5e86616c5304ba2d19
SHA1

90a2443c818be2c5d347b74e41eda53011386b45
SHA256

3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38
SHA512

874524ea9560d72754092debb60c1962d717f4ca2a986713a40f32e6d99448e19200de54b32bad4034e4522c9ed4ed7cb52f13ae33eb4d186be1fcfa721165c3
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM/:rKf1PyKa2H3hOHOHz9JQ6zBO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2552	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

vixak.exeqoowx.exe

pid	Process
1644	vixak.exe
2880	qoowx.exe

Loads dropped DLL 2 IoCs

Processes:

3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exevixak.exe

pid	Process
2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe
1644	vixak.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exevixak.execmd.exeqoowx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vixak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoowx.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

qoowx.exe

pid	Process
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe
2880	qoowx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exevixak.exe

description	pid	Process	procid_target
PID 2328 wrote to memory of 1644	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	31
PID 2328 wrote to memory of 1644	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	31
PID 2328 wrote to memory of 1644	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	31
PID 2328 wrote to memory of 1644	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	31
PID 2328 wrote to memory of 2552	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	32
PID 2328 wrote to memory of 2552	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	32
PID 2328 wrote to memory of 2552	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	32
PID 2328 wrote to memory of 2552	2328	3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe	32
PID 1644 wrote to memory of 2880	1644	vixak.exe	35
PID 1644 wrote to memory of 2880	1644	vixak.exe	35
PID 1644 wrote to memory of 2880	1644	vixak.exe	35
PID 1644 wrote to memory of 2880	1644	vixak.exe	35

C:\Users\Admin\AppData\Local\Temp\3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe
"C:\Users\Admin\AppData\Local\Temp\3446560be933db07885e01658cad196df816cde7c8537097de5bb36fdf583d38.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\vixak.exe
  "C:\Users\Admin\AppData\Local\Temp\vixak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\qoowx.exe
    "C:\Users\Admin\AppData\Local\Temp\qoowx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
34075250eff8037ef38c111e5b2f6156

SHA1
55e3613916263ab6a8b1eef12234e7b27ec2ba0a

SHA256
93f5f9f79fb2b0c7197b0e666c06645bd720fbd6d13784abd07c0d95b9a4ee70

SHA512
51ac7d7dffef789a0250e4497aeba4a379611d92bda8e285f48571593d35bbb32d836452f80e0f07002eb6345292322831905dee21fbfe75d97efed6fa9f4bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
9b7adaeb70c3970b917ae3f752346021

SHA1
8660e8ea0c894782ab1846fec5b76915eb3ba29f

SHA256
3aa0b78d9c99949ea62433724215607c5ba13bbb32caa1784a8b3966de3e6520

SHA512
1b8a3ef955b48ffd6b9d4563ac9f321373421917b379facb8520d50c8d92cc507fcd0b0367b822cbe05e6038d644b64ac533f2e4351960dce545ffd14dd35450

Download Submit
\Users\Admin\AppData\Local\Temp\qoowx.exe

Filesize
230KB

MD5
2c2e5c7c174e59656f5755f5922141f3

SHA1
15d6e7eeb98cdd9c3a417f7a3b63005cebed2081

SHA256
992f8dc8530dc0c97497179448d15d5517d845059bd77d4a22299f9dafb891f0

SHA512
d17655a3de52d6e4dc4dec32577651eb63955eaa73d699dc915cce83a6d7529bba57e2bfecbee83fcbc2fd74aae5f1b47fc210bb88a9be458f4a8759ff52228b

Download Submit
\Users\Admin\AppData\Local\Temp\vixak.exe

Filesize
442KB

MD5
7302b117d8b03c1a2c6715cb0a8ddf61

SHA1
78d7b9446844fc11d4cc61f46cdbde9d5490907a

SHA256
f6e5d1146b84693506ca35c39c7c5fae71cbd73e9ed2481032d62e013fd72003

SHA512
63ea49fe2bea2493a69b7d852337005f029f1469119958f93a60c7e5bc273de7dc6798d8ac9d25e6835303fdb90d033fb36bcb4cc5ba61a377224b1fc8b9f6eb

Download Submit
memory/1644-20-0x0000000000EF0000-0x0000000000F5E000-memory.dmp

Filesize
440KB

Download
memory/1644-25-0x0000000003210000-0x00000000032AE000-memory.dmp

Filesize
632KB

Download
memory/1644-28-0x0000000000EF0000-0x0000000000F5E000-memory.dmp

Filesize
440KB

Download
memory/2328-17-0x0000000000330000-0x000000000039E000-memory.dmp

Filesize
440KB

Download
memory/2328-0-0x0000000000330000-0x000000000039E000-memory.dmp

Filesize
440KB

Download
memory/2328-6-0x0000000002380000-0x00000000023EE000-memory.dmp

Filesize
440KB

Download
memory/2880-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2880-29-0x0000000000220000-0x00000000002BE000-memory.dmp

Filesize
632KB

Download
memory/2880-33-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2880-32-0x0000000000220000-0x00000000002BE000-memory.dmp

Filesize
632KB

Download
memory/2880-34-0x0000000000220000-0x00000000002BE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads