urelas | c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41

General

Target

c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
Size

393KB
MD5

baf1c83a71668c7062697d1932dc9600
SHA1

e8e847248336c84713dd50effb6c8c38d74edacf
SHA256

c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41
SHA512

b012ee52a44e6398ea65605345a22cfca7d8b2fa9dcd527e58c970e620f268367f46ee9f7a1cba46cfdf21739887534d3943e605de3548145ca397d42f046a6a
SSDEEP

6144:y5SXvBoDWoyLYyzbpPC4DYM6SB6v+qLnAzYmhwrxcvkzmSBrB2:yIfBoDWoyFboU6hAJQnr2

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	zoweu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	qiluwe.exe

Executes dropped EXE 3 IoCs

pid	Process
4068	zoweu.exe
3976	qiluwe.exe
3292	nohao.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qiluwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nohao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoweu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe
3292	nohao.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4068	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	83
PID 392 wrote to memory of 4068	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	83
PID 392 wrote to memory of 4068	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	83
PID 392 wrote to memory of 4416	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	84
PID 392 wrote to memory of 4416	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	84
PID 392 wrote to memory of 4416	392	c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe	84
PID 4068 wrote to memory of 3976	4068	zoweu.exe	86
PID 4068 wrote to memory of 3976	4068	zoweu.exe	86
PID 4068 wrote to memory of 3976	4068	zoweu.exe	86
PID 3976 wrote to memory of 3292	3976	qiluwe.exe	104
PID 3976 wrote to memory of 3292	3976	qiluwe.exe	104
PID 3976 wrote to memory of 3292	3976	qiluwe.exe	104
PID 3976 wrote to memory of 5112	3976	qiluwe.exe	105
PID 3976 wrote to memory of 5112	3976	qiluwe.exe	105
PID 3976 wrote to memory of 5112	3976	qiluwe.exe	105

C:\Users\Admin\AppData\Local\Temp\c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe
"C:\Users\Admin\AppData\Local\Temp\c4b0da97081bbd6b38a6846a2c1ec11053284f4a0c9f60221162504de3805a41N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\zoweu.exe
  "C:\Users\Admin\AppData\Local\Temp\zoweu.exe" hi
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\qiluwe.exe
    "C:\Users\Admin\AppData\Local\Temp\qiluwe.exe" OK
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\nohao.exe
      "C:\Users\Admin\AppData\Local\Temp\nohao.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3292
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
0f4ae1c7162c6645bb584b43757e15ec

SHA1
8a1743428b46ab3d4c069774d63264a41b24222c

SHA256
e0ac08e364243e164d562c6811bc46c13475bc433a409ce30eaeaafc770eeec2

SHA512
adc9f21f63d541f4d672072ca6d49608db0f522ddd610c1c7c9526feb5f7f286769d287293e0b1d320493cf969b847282ae8378c933a63db55e3379cf66c5a8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
342B

MD5
4db66fbcee4a5f74cbd2e771547d0286

SHA1
77bc52c65993541d4f7bab2a850ff7072556c0c9

SHA256
b6fc436ecbcfda5a1bd4d11e9eb608fd6bc5956ddd62395f4d2a6aaf7dd6c90c

SHA512
e3b8382c1b34f48fc880da9e7c0bff8ee70bbe538d7ea83d2ffa868da0d45ec787698b6f24416469ef3731d1af40f1955ea56c52932b6d522ca9f2b6afb02d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
94b8bb0b101c3df9c1a8b84fb49333fe

SHA1
056df22a34fa1bf6bd9fc5ef50de904d3f718353

SHA256
9de6d634a7b91ae8f67077d27d8adb8a54992159015a8039cf1d680c43b8de1a

SHA512
e2c1da3762e059c8c791452bdaa481f023dd432078bc713e01bba31d230fd88cab5f642f9dc4931690521dd35c24a8630d408cf60cbac44e5300f5e817f2480a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nohao.exe

Filesize
223KB

MD5
938efc0959f5e63b0af6593fcb566179

SHA1
224ac4965dc8c254b104cff0c2fda66ea08a4691

SHA256
f52bcbe7aefdf9de59f60f36731bdeb684b302458e52c7eed19530f171864657

SHA512
cdfcc5c6672ab6c9c8f376e7a6eb0a9f5a182f4c185b8eccaa5e9c557a37c964cc303cf203d8c5aadb87967f46285fda8e62eb53ca05745dd1a58af871a71cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qiluwe.exe

Filesize
394KB

MD5
0a2754c15cc3559706bb35e750016384

SHA1
fe8066b3c2b1ebfe810055aa91adf4e92311c5a8

SHA256
12a8ce67cba0da620fde0b48ca4ad6295d358abd5065af9b924f44dc3d277113

SHA512
f6d54ea07c9d59ef24878cc94ef52a1f21b3d6e69d2e7a16accd302d49c43373568536e3f6cf1721ecaabc9edc4450dd163805bed95c6784b9e5590924311a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoweu.exe

Filesize
394KB

MD5
f5ea053d30d07ec7d61398f7718d848a

SHA1
96069ecae18402bd8a81e421d8a40b97bc9cb062

SHA256
7d0b495fa1aeebd988f5e659e6060e5ec431802e54e3a5d35e2523e116de948c

SHA512
8467bc87e2983f8a1cfd2cdf41eb2ae771d482a0494dea2079f46a8687b314cfc3a87c15e2a7c19ed0079c25025a9d6e103558a8baf7c5c3c07857cf13da4bdc

Download Submit
memory/392-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/392-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3292-36-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/3292-44-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/3292-43-0x0000000000200000-0x00000000002A0000-memory.dmp

Filesize
640KB

Download
memory/3976-25-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3976-41-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3976-27-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4068-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing