urelas | 707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c

General

Target

707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
Size

448KB
MD5

7b19391fe95e7ca39f825f9a97524f99
SHA1

c2a97e3c170d4860dbe274f387382e566763652b
SHA256

707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c
SHA512

1f812cf3f6740ff8b2bc04553c55749c0ac2a0ff61cccca4d48cc995abeac64286d945386c10fe82bea2745898ac9c1ce3581841ff016eb19a117c0d2d2c3856
SSDEEP

6144:PEK25f5ySIcWLsxIIW4DYM6SB6v+qLnAzYmhwrxcvkzmSOpoZ8:PMpASIcWYx2U6hAJQn6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1300	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2408	wihun.exe
2736	tyxeyf.exe
2884	tuxeo.exe

Loads dropped DLL 3 IoCs

pid	Process
2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
2408	wihun.exe
2736	tyxeyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuxeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wihun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyxeyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe
2884	tuxeo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2408	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	30
PID 2156 wrote to memory of 2408	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	30
PID 2156 wrote to memory of 2408	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	30
PID 2156 wrote to memory of 2408	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	30
PID 2156 wrote to memory of 1300	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	31
PID 2156 wrote to memory of 1300	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	31
PID 2156 wrote to memory of 1300	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	31
PID 2156 wrote to memory of 1300	2156	707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe	31
PID 2408 wrote to memory of 2736	2408	wihun.exe	33
PID 2408 wrote to memory of 2736	2408	wihun.exe	33
PID 2408 wrote to memory of 2736	2408	wihun.exe	33
PID 2408 wrote to memory of 2736	2408	wihun.exe	33
PID 2736 wrote to memory of 2884	2736	tyxeyf.exe	35
PID 2736 wrote to memory of 2884	2736	tyxeyf.exe	35
PID 2736 wrote to memory of 2884	2736	tyxeyf.exe	35
PID 2736 wrote to memory of 2884	2736	tyxeyf.exe	35
PID 2736 wrote to memory of 3028	2736	tyxeyf.exe	36
PID 2736 wrote to memory of 3028	2736	tyxeyf.exe	36
PID 2736 wrote to memory of 3028	2736	tyxeyf.exe	36
PID 2736 wrote to memory of 3028	2736	tyxeyf.exe	36

C:\Users\Admin\AppData\Local\Temp\707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe
"C:\Users\Admin\AppData\Local\Temp\707a539c64d23c9cf836e8c92742b5d4f32895c906cad28966e78d1ed011f25c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\wihun.exe
  "C:\Users\Admin\AppData\Local\Temp\wihun.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\tyxeyf.exe
    "C:\Users\Admin\AppData\Local\Temp\tyxeyf.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\tuxeo.exe
      "C:\Users\Admin\AppData\Local\Temp\tuxeo.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
928c0cf5eede886446f72d1b2d07a5c6

SHA1
81d5ce723c6ad48231aaaf51ac8a41b025c4df0d

SHA256
ed787ceb80f71089055bbdff267277c0f054364d6f319d0c80581c369eef24aa

SHA512
5311cf9c9e5e12540afa0ade076f7a793d19816d2d0b4b90dd919b9fed672b2d23de0b9292160ad98982f18e9eb9a0caeb40e36c97e8175aa3ea19f347168a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
906c88f3fcc6572076b921cd359241de

SHA1
99d9d6d7d16178745f1dc27fa40dfbc34ebac456

SHA256
1ae331ba899f7748ea436cdaadaa2173b7fc72d38be754866660da6f881e4cc2

SHA512
4a239ec2bce507cfcac87b08add609de39e819c8049f2c15b31451aedff6787951746847c00ea2ac3e983ba4c4d760e1ddc7b5d3b683c6a76907a1c9bd42e18e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3bf78421ab03c0bdd7fc5375fea12651

SHA1
40af497a639a54e9d3fdb3f395ee66cf87a6cf08

SHA256
bcd581b4943f9d011e9c6f9d436182c2a59a727c24dc99b005aef79db26747ab

SHA512
38ecb34f74b5081122bd4203bf92d72318a93bc6831401efef3130d1bb3ef1b75c3fa2eaaa447eee161026eda8be464066c5c71a84e2c3549c54acf266f041ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyxeyf.exe

Filesize
448KB

MD5
2bd4f21ae1dda022f5546680e44a1d5d

SHA1
d50a7bd6532dcd36e0867bfb01ad082b06e4e305

SHA256
661fa20728d905c374bd876ffeb79e983ac4f27b3a4c6ae75def6f731c8059ff

SHA512
4207d70b5b0c4f119b4fd0527856502a669376b75b4e181f2d3add90b2eb1cf568208764727b2e8ced8bb42082c2a489a539b41baa60a4bee5cc72cbe4e65860

Download Submit
\Users\Admin\AppData\Local\Temp\tuxeo.exe

Filesize
223KB

MD5
95319309ef0d787eb1eb585fa96146da

SHA1
077ff91d275a5421b48c01d7bed29f2b3884ef3f

SHA256
178f918df1def19c2545b1ca1dfa31af9faaf1da9cfdb46068e6e2650c055529

SHA512
f97994235912ddef269f1aa92cfd2adca7d3f82aead2292b25fe26b87e33c33cfa6669e1b20b316fa26401a20ef7dd0399ad13e862902f2205cc129b97ee6efc

Download Submit
\Users\Admin\AppData\Local\Temp\wihun.exe

Filesize
448KB

MD5
221b1d3c5fea59eb507912774807ca71

SHA1
a63219e52afd63317f5859371ea08e4c43813693

SHA256
af1733255f42ed9accfcc894ff0dbb28db9f11521a6139ffaf67af1cc7ff8097

SHA512
c244b3ad7b8c279105e0caac4c530132979b01c07240b3f91b571e32abe85980095300af0c09b512e304eedaeff9e5044b4594432ac95760a09f9c8dca79b481

Download Submit
memory/2156-8-0x0000000002010000-0x000000000207E000-memory.dmp

Filesize
440KB

Download
memory/2156-21-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2156-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2408-26-0x0000000001F00000-0x0000000001F6E000-memory.dmp

Filesize
440KB

Download
memory/2408-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2408-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-30-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-34-0x0000000002F50000-0x0000000002FF0000-memory.dmp

Filesize
640KB

Download
memory/2736-46-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2884-50-0x0000000000FC0000-0x0000000001060000-memory.dmp

Filesize
640KB

Download
memory/2884-51-0x0000000000FC0000-0x0000000001060000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing