urelas | c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41

General

Target

c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
Size

393KB
MD5

baf1c83a71668c7062697d1932dc9600
SHA1

e8e847248336c84713dd50effb6c8c38d74edacf
SHA256

c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41
SHA512

b012ee52a44e6398ea65605345a22cfca7d8b2fa9dcd527e58c970e620f268367f46ee9f7a1cba46cfdf21739887534d3943e605de3548145ca397d42f046a6a
SSDEEP

6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrB2:yIfBoDWoyFboU6hAJQnr2

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2868	gujiw.exe
3064	dexeqy.exe
916	aqygh.exe

Loads dropped DLL 5 IoCs

pid	Process
2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
2868	gujiw.exe
2868	gujiw.exe
3064	dexeqy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqygh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gujiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dexeqy.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe
916	aqygh.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2868	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	30
PID 2068 wrote to memory of 2868	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	30
PID 2068 wrote to memory of 2868	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	30
PID 2068 wrote to memory of 2868	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	30
PID 2068 wrote to memory of 2772	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	31
PID 2068 wrote to memory of 2772	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	31
PID 2068 wrote to memory of 2772	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	31
PID 2068 wrote to memory of 2772	2068	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	31
PID 2868 wrote to memory of 3064	2868	gujiw.exe	33
PID 2868 wrote to memory of 3064	2868	gujiw.exe	33
PID 2868 wrote to memory of 3064	2868	gujiw.exe	33
PID 2868 wrote to memory of 3064	2868	gujiw.exe	33
PID 3064 wrote to memory of 916	3064	dexeqy.exe	35
PID 3064 wrote to memory of 916	3064	dexeqy.exe	35
PID 3064 wrote to memory of 916	3064	dexeqy.exe	35
PID 3064 wrote to memory of 916	3064	dexeqy.exe	35
PID 3064 wrote to memory of 2416	3064	dexeqy.exe	36
PID 3064 wrote to memory of 2416	3064	dexeqy.exe	36
PID 3064 wrote to memory of 2416	3064	dexeqy.exe	36
PID 3064 wrote to memory of 2416	3064	dexeqy.exe	36

C:\Users\Admin\AppData\Local\Temp\c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
"C:\Users\Admin\AppData\Local\Temp\c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\gujiw.exe
  "C:\Users\Admin\AppData\Local\Temp\gujiw.exe" hi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\dexeqy.exe
    "C:\Users\Admin\AppData\Local\Temp\dexeqy.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\aqygh.exe
      "C:\Users\Admin\AppData\Local\Temp\aqygh.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
4db66fbcee4a5f74cbd2e771547d0286

SHA1
77bc52c65993541d4f7bab2a850ff7072556c0c9

SHA256
b6fc436ecbcfda5a1bd4d11e9eb608fd6bc5956ddd62395f4d2a6aaf7dd6c90c

SHA512
e3b8382c1b34f48fc880da9e7c0bff8ee70bbe538d7ea83d2ffa868da0d45ec787698b6f24416469ef3731d1af40f1955ea56c52932b6d522ca9f2b6afb02d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a2b085462ffacc04fdb006901e0f898e

SHA1
14183c5f71fc904711c2960edf655376124724b8

SHA256
e9c56ab6cf2f7df2b6e94ae7f9bfa90ba0ba9219913c230b004989f235c149b0

SHA512
8c32b8d28471c64ed7eff6e41adfed6ef7a1f8110b597caffc83e3dd5798c612c09ea7c0cef468d7beb658bcc4be38551cf7010c52934d0c9b8b0213046227c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqygh.exe

Filesize
223KB

MD5
3f11c7181672b996d29fc6d7f8fb02ce

SHA1
e4e58327f925603e8cb8c178ea66a1813b81ebd2

SHA256
3b939f22a98d393ed14a94bc4b0d302c1e88f5f2a7613eca9b12cc1ac1506549

SHA512
01f659ef95f93690acb5326c1c9272c924a502f44d640bfb67ce2e7cb0e8d678369aea2e8c480d9b584c5107a569e4de4b03686f029ab670f537a44849c6a7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dexeqy.exe

Filesize
394KB

MD5
813de5cba7cd23e5c9bc1ef0ff65ffa7

SHA1
eae8cefb25f8b345e82b5ad8cb0335f82a186a5a

SHA256
8dd157b9e670dc79250835b3394d4c2679393fbb1f8f7937113847e9e6b87aaf

SHA512
d98d87eab9e922c9fbd0090d59cbe793165641ff594f7953524c9a5ebeb57836caa0c41c38358d3abcd281e5a9893b0000ce6ea3834f5dc9f14b1a5afacd8073

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
52601461a8e14b7b4c008d67ad324aaf

SHA1
83498ec98a87c31cade7f79db5d574412d3cb0ac

SHA256
ba20f0de5660b1cd5a2d850453e5d7635a3aec490cd91276af25c0e909072f81

SHA512
3829419bdb7517b69519c3c8ec6354ab55f3292a784d03f7fc9c13e92f802df2f99a610181cb6e7eb8f9fec46c25418da0b1ab6db57c62eb60602833707bef39

Download Submit
\Users\Admin\AppData\Local\Temp\gujiw.exe

Filesize
394KB

MD5
711df375478cd525c33a691f30709ec1

SHA1
cf8070c3b2428d76555aae700923c5122ccfb1da

SHA256
80693331e2132c49a407e9ffa34e624127da493247ae9a20e709d8fbb25209a2

SHA512
f0ac12c90ca409ad63e3ee7ea35defdf54c8dad2005263cdfdd1c869168b412f5773d237fa53aaf86e25859f6607c1b2450b3a659fdff3e2b84cd162ac72cb38

Download Submit
memory/916-59-0x0000000000DE0000-0x0000000000E80000-memory.dmp

Filesize
640KB

Download
memory/916-58-0x0000000000DE0000-0x0000000000E80000-memory.dmp

Filesize
640KB

Download
memory/916-57-0x0000000000DE0000-0x0000000000E80000-memory.dmp

Filesize
640KB

Download
memory/2068-21-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2068-19-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/2068-20-0x0000000002280000-0x00000000022E7000-memory.dmp

Filesize
412KB

Download
memory/2068-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2868-23-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2868-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-37-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-53-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-56-0x0000000003B40000-0x0000000003BE0000-memory.dmp

Filesize
640KB

Download
memory/3064-35-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing