urelas | 0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7

General

Target

0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
Size

404KB
MD5

17d6774357d1ed5cbe298a518e2c0cc0
SHA1

372a1facdf5eb371da9299e53626cbd50abeb982
SHA256

0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7
SHA512

3831174ef07e211504fa9e1c3af376f097d21077cc0ef12e56b458971872a7d8f79b70dc97de7ef51a8d400f799f77f6267e237dd581e4eeb517edfda40ff1c3
SSDEEP

6144:85SXvBoDWoyLYyzbkPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrohw:8IfBoDWoyFblU6hAJQnOa

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2672	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2780	secux.exe
2740	tewutu.exe
2596	mevue.exe

Loads dropped DLL 5 IoCs

pid	Process
2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
2780	secux.exe
2780	secux.exe
2740	tewutu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mevue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tewutu.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe
2596	mevue.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2780	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	30
PID 2128 wrote to memory of 2780	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	30
PID 2128 wrote to memory of 2780	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	30
PID 2128 wrote to memory of 2780	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	30
PID 2128 wrote to memory of 2672	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	31
PID 2128 wrote to memory of 2672	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	31
PID 2128 wrote to memory of 2672	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	31
PID 2128 wrote to memory of 2672	2128	0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe	31
PID 2780 wrote to memory of 2740	2780	secux.exe	33
PID 2780 wrote to memory of 2740	2780	secux.exe	33
PID 2780 wrote to memory of 2740	2780	secux.exe	33
PID 2780 wrote to memory of 2740	2780	secux.exe	33
PID 2740 wrote to memory of 2596	2740	tewutu.exe	35
PID 2740 wrote to memory of 2596	2740	tewutu.exe	35
PID 2740 wrote to memory of 2596	2740	tewutu.exe	35
PID 2740 wrote to memory of 2596	2740	tewutu.exe	35
PID 2740 wrote to memory of 1944	2740	tewutu.exe	36
PID 2740 wrote to memory of 1944	2740	tewutu.exe	36
PID 2740 wrote to memory of 1944	2740	tewutu.exe	36
PID 2740 wrote to memory of 1944	2740	tewutu.exe	36

C:\Users\Admin\AppData\Local\Temp\0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe
"C:\Users\Admin\AppData\Local\Temp\0c3c08d11520de2f7fd47de88a6c137e0a50147a3f6218ab4f7e27602aff08d7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\secux.exe
  "C:\Users\Admin\AppData\Local\Temp\secux.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\tewutu.exe
    "C:\Users\Admin\AppData\Local\Temp\tewutu.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\mevue.exe
      "C:\Users\Admin\AppData\Local\Temp\mevue.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
7672dfff1d9098cb1bfdd60a543eabfe

SHA1
edd393414659c3928c1415e10e462ac5d0ecae39

SHA256
25085223409c9fb24bb274e0af46e67bb76ef493c7d0234b7870ef8d37da9e17

SHA512
a388cfece0d17b1ffd54483111be34f542f9c0629adc2b82dc4cda85a0dd2f03779e2a659a61800b7d3ab0eef3bb7f4282238b9375c13a9bf54ea5b66b60d969

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
2990551e967b6ae8c7f82e8e182687d4

SHA1
f97dc1cb4053e3ffaef2194505ab29c99ee4580b

SHA256
20b231b9e7cd7f78a7aa78d13ad6a3fe888ea7169c583289afb1b1a357baf67c

SHA512
f089e41b3098ddd1008eae528e2b058c6a316a18c492f56bce6dbf4cffa7de68b8b045701584ce4352e345a86966b09388d20901a19ff79b5dfb376d3fbb3417

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e1d5e083af45ffe38bddc26e7590b5bd

SHA1
fe95eec85af46ca39d4dbf8b58da82dabe85d64e

SHA256
c71ce705d65f638ae45d1dc686577f9ba45ad14b0f5fd1cc7d1924fe42097bf7

SHA512
a883f5101dfde986b9a9fa23e4da35cf875e96b982b7e377084f7a683e86d152b28ecc5d09fb0233c6a43b5e5a1df4f83adb3a2e580aff5d9288c05e9c149ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tewutu.exe

Filesize
404KB

MD5
5b4ceec7a81be956b32ec509fb3f928d

SHA1
6cd68a1ed5994ee17aa5431a24c676210ecaeeb3

SHA256
c93736fbd56d3b6331c055e9da255597442ff1abede441f1f29546fd8a0e6857

SHA512
7ac85ed012704971d573639f81378307f3d533fd67c0789939c73aa8d2303ae60a7e1b8cc0f0ec9fc53e0c1f5b3758215c7fbbe5d3d78f12ee9e3f07c21ca81d

Download Submit
\Users\Admin\AppData\Local\Temp\mevue.exe

Filesize
223KB

MD5
d3bd8be01f718ec98564ae4969ac7b13

SHA1
3ff148cb105e0517ec543473a93c5df560e6e23c

SHA256
15fec16717486ec0195d33e588f1aea6db72fd9aaa7b6014e123c2c4f332da62

SHA512
046cb481b4507172ab5837104b6f3af3e850007da99b7aa9c51fdac25a74396782f16a027796a9693e7b4712ef9f833c409523dfec2669a9a1cb68244078f111

Download Submit
\Users\Admin\AppData\Local\Temp\secux.exe

Filesize
404KB

MD5
6fd365235e09b63b4f3c16e557964392

SHA1
d766de78ee5e2405cd9de55b7643701ac2b29cd6

SHA256
566c58f13de55f08b54bf111cbee0c0b6d01658c7c57e270a0f166cec1fecdee

SHA512
e7c0a2221c15bb083d415d3e1dab009e4c537149969382534a4c2764b833ce5ae14f0477e444776a16d5ddce0969f2891790693f9f309b4cfad47b3514f8d7a7

Download Submit
memory/2128-11-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download
memory/2128-23-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2128-12-0x0000000002AC0000-0x0000000002B28000-memory.dmp

Filesize
416KB

Download
memory/2128-0-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2596-58-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2596-57-0x0000000000E50000-0x0000000000EF0000-memory.dmp

Filesize
640KB

Download
memory/2740-54-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2740-37-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2740-42-0x0000000003BB0000-0x0000000003C50000-memory.dmp

Filesize
640KB

Download
memory/2780-14-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download
memory/2780-33-0x0000000003660000-0x00000000036C8000-memory.dmp

Filesize
416KB

Download
memory/2780-34-0x0000000000400000-0x00000000004679C5-memory.dmp

Filesize
414KB

Download

Analysis

Sharing