urelas | 5a9b91f05d7f5ee660fc98c8da504699b9aa23ed3e16ae2eb0219fbddf1f7d08

General

Target

c77903b2dab32bac459ef385419fcf30N.exe
Size

328KB
MD5

c77903b2dab32bac459ef385419fcf30
SHA1

eba376e894920db2dfb8ed394798e80d96c24e55
SHA256

5a9b91f05d7f5ee660fc98c8da504699b9aa23ed3e16ae2eb0219fbddf1f7d08
SHA512

6cd6fd3ecb02c85c8b5cceea28c89b6c3ede4292cfb7342878df0f4ddcfcf64a45741208a61ee5f7c7cf37e1ad6f0e319189891578f66a5114d56c864b489008
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYh:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2388	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	oxtoi.exe
1524	ijgip.exe

Loads dropped DLL 2 IoCs

pid	Process
292	c77903b2dab32bac459ef385419fcf30N.exe
2364	oxtoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c77903b2dab32bac459ef385419fcf30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxtoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijgip.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe
1524	ijgip.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 2364	292	c77903b2dab32bac459ef385419fcf30N.exe	30
PID 292 wrote to memory of 2364	292	c77903b2dab32bac459ef385419fcf30N.exe	30
PID 292 wrote to memory of 2364	292	c77903b2dab32bac459ef385419fcf30N.exe	30
PID 292 wrote to memory of 2364	292	c77903b2dab32bac459ef385419fcf30N.exe	30
PID 292 wrote to memory of 2388	292	c77903b2dab32bac459ef385419fcf30N.exe	31
PID 292 wrote to memory of 2388	292	c77903b2dab32bac459ef385419fcf30N.exe	31
PID 292 wrote to memory of 2388	292	c77903b2dab32bac459ef385419fcf30N.exe	31
PID 292 wrote to memory of 2388	292	c77903b2dab32bac459ef385419fcf30N.exe	31
PID 2364 wrote to memory of 1524	2364	oxtoi.exe	34
PID 2364 wrote to memory of 1524	2364	oxtoi.exe	34
PID 2364 wrote to memory of 1524	2364	oxtoi.exe	34
PID 2364 wrote to memory of 1524	2364	oxtoi.exe	34

C:\Users\Admin\AppData\Local\Temp\c77903b2dab32bac459ef385419fcf30N.exe
"C:\Users\Admin\AppData\Local\Temp\c77903b2dab32bac459ef385419fcf30N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:292
- C:\Users\Admin\AppData\Local\Temp\oxtoi.exe
  "C:\Users\Admin\AppData\Local\Temp\oxtoi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\ijgip.exe
    "C:\Users\Admin\AppData\Local\Temp\ijgip.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
b340c11157c4153cf91a5ba4ca088f4f

SHA1
fbd4e772eaf45f30aa7ae9e7573a1efea32630fa

SHA256
ddaf2ca75bac775c473fda174f0952d7499b673ad5c4164114089e6c526a73e3

SHA512
83979dfe4004c1d0d80242ca2527157d71ac84d7bf3b840f9bf2ca9426b3e7c1e45d5ee2365bed03ce9ba2ade222ed65a0ea33a0402bad724d6a54e2ed8efc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a951ad8c23dab5b3d18f59e156fe2736

SHA1
170ee83b51a591069466f2123a95943403c31258

SHA256
5c955b1a9b9ef2d1bf5b32091c8fdd0179932ac3bc223b0887bc911a9d09a17f

SHA512
5a05588e564322b69dddd9b18fe6df0978d1fd6cc16283c67c79f2093536e329fef4b42f431d8a3d46f067e20b190df01417368e1a595732280aece33cfbc97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxtoi.exe

Filesize
328KB

MD5
6176ba00c03923fa702651ed5a2b0ca5

SHA1
4240f23ca958012011cf7acf8d4caefcf50dbcc9

SHA256
5e85dec5438c6c22564f7f970b63296d856827e4f7b6abee7286ae327572c4a8

SHA512
ed11dae6c3733377e1a077cb84b5d6b97cbc44879cf715b59278f69425eb0b609855883a94525f9c52e1495ba7dd653d3e3600dfc0ac4415aae8bdc45290b4e1

Download Submit
\Users\Admin\AppData\Local\Temp\ijgip.exe

Filesize
172KB

MD5
42c56f8326120f4070e5820db29d5268

SHA1
65d2c7e6eede0d898d86b2dfd98a96e5e4b79099

SHA256
0b282e2140a9693cc02271bba656fdd6e648e85b24bcd7a9029d200c2287f442

SHA512
197a0ebb810c866d44b7c0879383e3d4fd964cfb0c52bd14b32f28561a9f91730f26d94d59401c1669a26e3eff26411ce2d0d14b75bf507ad7469207ec098d2f

Download Submit
\Users\Admin\AppData\Local\Temp\oxtoi.exe

Filesize
328KB

MD5
bd34713b352cf52bf6b3d37807054936

SHA1
b0234b6cd45debeb2aa335b86deeb0a45c538336

SHA256
84cd6dff27636b9debf3ab7f96774f915ba2cdebe898a2e96c76cda30e3b6f38

SHA512
0a987bb8f2710a6117aa2d9f2823d241aa0c4363028c4c04ed05b935d2213a63be827b2de85fc83d5621614ba381fa983f5c81e7e20a7581b12fe17208709dab

Download Submit
memory/292-9-0x0000000002A90000-0x0000000002B11000-memory.dmp

Filesize
516KB

Download
memory/292-21-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download
memory/292-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/292-0-0x0000000000810000-0x0000000000891000-memory.dmp

Filesize
516KB

Download
memory/1524-42-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/1524-41-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/1524-47-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/1524-48-0x0000000000AF0000-0x0000000000B89000-memory.dmp

Filesize
612KB

Download
memory/2364-18-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2364-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2364-24-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2364-39-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing