urelas | e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e

General

Target

e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Size

393KB
MD5

73005a47e70ee59905df8dc1d81cd2df
SHA1

86273bb1e238b77f5308f67217cb9d38899a9bf4
SHA256

e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e
SHA512

d76dae54212429764bbe8309f7b73de3c5e85ff4096cc4bffe390b82ebf1469bc4133aef0fe0d8c460923e60240f0573b5f0710c3fb354706b1faad82c47fa13
SSDEEP

6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrBS:yIfBoDWoyFboU6hAJQnrS

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2096	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
1040	tapyj.exe
2484	ihusyf.exe
1716	coxit.exe

Loads dropped DLL 5 IoCs

pid	Process
2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
1040	tapyj.exe
1040	tapyj.exe
2484	ihusyf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tapyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihusyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coxit.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe
1716	coxit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1040	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	30
PID 2120 wrote to memory of 1040	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	30
PID 2120 wrote to memory of 1040	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	30
PID 2120 wrote to memory of 1040	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	30
PID 2120 wrote to memory of 2096	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	31
PID 2120 wrote to memory of 2096	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	31
PID 2120 wrote to memory of 2096	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	31
PID 2120 wrote to memory of 2096	2120	e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe	31
PID 1040 wrote to memory of 2484	1040	tapyj.exe	33
PID 1040 wrote to memory of 2484	1040	tapyj.exe	33
PID 1040 wrote to memory of 2484	1040	tapyj.exe	33
PID 1040 wrote to memory of 2484	1040	tapyj.exe	33
PID 2484 wrote to memory of 1716	2484	ihusyf.exe	35
PID 2484 wrote to memory of 1716	2484	ihusyf.exe	35
PID 2484 wrote to memory of 1716	2484	ihusyf.exe	35
PID 2484 wrote to memory of 1716	2484	ihusyf.exe	35
PID 2484 wrote to memory of 1668	2484	ihusyf.exe	36
PID 2484 wrote to memory of 1668	2484	ihusyf.exe	36
PID 2484 wrote to memory of 1668	2484	ihusyf.exe	36
PID 2484 wrote to memory of 1668	2484	ihusyf.exe	36

C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe
"C:\Users\Admin\AppData\Local\Temp\e8c39d3f4016966d93579189aa331f4f54c9650eb9aa96bfabb1969745a9e91e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\tapyj.exe
  "C:\Users\Admin\AppData\Local\Temp\tapyj.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\ihusyf.exe
    "C:\Users\Admin\AppData\Local\Temp\ihusyf.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\coxit.exe
      "C:\Users\Admin\AppData\Local\Temp\coxit.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
e59bac5f1cd310a18397863769b894b9

SHA1
190928c3b9efbbc17f43e0ae2163b716dedbd63e

SHA256
395f91d954e87bb0d69016a2d9085624c41402fff84d4e783d8eef3def9f8680

SHA512
06762c398dade421620e4d5e1be4117bcce95fe0fcd97d32ad6891b6136239110264569511cbe182c6f75fe3157be30880d30ab233befd720cd2dbd777901e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
9fa4107ffbf1baa8084a4bc3b1fbee6c

SHA1
1c487798101fc8c43378afaf21bf77a867bae60d

SHA256
b4be297e1d2a812bd391b079fb78f3337d9d5e240ddeec4da14e433c7044bbb1

SHA512
ebbbb032dd211c5ddd56d1d6490ffec33b1426a3c1f03e9d9d50cb129472bbcb58fccf450377f37210dab3489a649a8f8638af7cb4d7e3c376f69abe8dfc1b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\coxit.exe

Filesize
223KB

MD5
98d398b6dd2d899d844fccb96ddeaac8

SHA1
d162a263d3f3870648cf149f9f9874475b8a42ac

SHA256
495d575e51530d6d306aa928158f7cd2f769e5adb5d831683ecbc5687339062d

SHA512
d8b1c493b6d5e6145c0f0383f99deaa16c7116f697d01d18abfc4b20b3206a41873a801642cc684df07394a0b66b5b10997a6da673ab5920d283cb7418fefdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
41c67c5f58b9bfb80c8750203a04c743

SHA1
c06a5687686c3b7144baf0a73244a3f2c921d1cb

SHA256
86cd0420f32ccc65eb80a65c495002e1ff007f71777fd13b9d5e77726c19ebd9

SHA512
d37941f542644bbb83e8f4fecd17f5400c391b29349435f882fb9328a040cabbd2f31d316179bdb67ba5bf85600d34c743d6871253577bdec9cbd82661cc3c4a

Download Submit
\Users\Admin\AppData\Local\Temp\ihusyf.exe

Filesize
394KB

MD5
4711094ba712b01f90496537a23988b0

SHA1
4f403921f861f659457244b85d5fb6009d28c998

SHA256
c7ad1a57d5aeaa288f685c3de61a0286466b846113c7befb84272494de281297

SHA512
39fd3ca69786ec8401b2390f8065fff09bf7c34572ee733bf60003664567576d6e9960614fadb4289d2a5c2e9fea727e20ceb35feffea2993529d52ed13e6a22

Download Submit
\Users\Admin\AppData\Local\Temp\tapyj.exe

Filesize
394KB

MD5
973c2f9e752606583e489865e556ff7b

SHA1
af04be981e986b79591d43020a41fe1b5b1cbb96

SHA256
ed4f37b3f2d587932dbe9d007b746826446af2dfa9ba7fee581693b9ab89ea84

SHA512
8c0aadbbcf1533049f5a550fc202f26aabedf7430afee91293a698d5d49ea7f0b0cdccdb50b66d298039baef38811e6c891868662d4044de2108ad3b87b7232f

Download Submit
memory/1040-32-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1716-56-0x0000000000DD0000-0x0000000000E70000-memory.dmp

Filesize
640KB

Download
memory/1716-55-0x0000000000DD0000-0x0000000000E70000-memory.dmp

Filesize
640KB

Download
memory/2120-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2120-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2120-11-0x0000000002AD0000-0x0000000002B37000-memory.dmp

Filesize
412KB

Download
memory/2484-42-0x0000000003BA0000-0x0000000003C40000-memory.dmp

Filesize
640KB

Download
memory/2484-51-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2484-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing