urelas | 7347df3dabb4d3024d32142c854bc53bf3a5220f69fe34d8bfaceefdbd191ff6

General

Target

fcc5d6a338d280b4ab1a7551749eec10N.exe
Size

323KB
MD5

fcc5d6a338d280b4ab1a7551749eec10
SHA1

bd2468cbaab197ed984de895b26aab04643255a8
SHA256

7347df3dabb4d3024d32142c854bc53bf3a5220f69fe34d8bfaceefdbd191ff6
SHA512

46e4cf60023a6d6b018ea93c882c237a4c15422d4876a563fc478d1be4b920a05be33c317f24cf49daaccdcb03a88ecef5e41e8ad7720b2c2dbcac82a69e9ae0
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYA:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	dytiu.exe
1416	vinaa.exe

Loads dropped DLL 2 IoCs

pid	Process
2112	fcc5d6a338d280b4ab1a7551749eec10N.exe
3068	dytiu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcc5d6a338d280b4ab1a7551749eec10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dytiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vinaa.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe
1416	vinaa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3068	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	30
PID 2112 wrote to memory of 3068	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	30
PID 2112 wrote to memory of 3068	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	30
PID 2112 wrote to memory of 3068	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	30
PID 2112 wrote to memory of 2808	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	31
PID 2112 wrote to memory of 2808	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	31
PID 2112 wrote to memory of 2808	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	31
PID 2112 wrote to memory of 2808	2112	fcc5d6a338d280b4ab1a7551749eec10N.exe	31
PID 3068 wrote to memory of 1416	3068	dytiu.exe	34
PID 3068 wrote to memory of 1416	3068	dytiu.exe	34
PID 3068 wrote to memory of 1416	3068	dytiu.exe	34
PID 3068 wrote to memory of 1416	3068	dytiu.exe	34

C:\Users\Admin\AppData\Local\Temp\fcc5d6a338d280b4ab1a7551749eec10N.exe
"C:\Users\Admin\AppData\Local\Temp\fcc5d6a338d280b4ab1a7551749eec10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\dytiu.exe
  "C:\Users\Admin\AppData\Local\Temp\dytiu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\vinaa.exe
    "C:\Users\Admin\AppData\Local\Temp\vinaa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
278B

MD5
48f1db0a636d1f6751745b28bedef4ba

SHA1
335b2cbcd7f9d639d684f080c7ea663134db59ce

SHA256
42f48a66650865b22799602069df58daba6b96235fc3abd649bd0d1d8a061e50

SHA512
baaac9d420b0076c7694694f62ccd713df0187ea34ef1d479a254fcc11dc89fcf64d0a344b89549e5ec0a09266e8346c5f077a1d38e9cd4ebcf06a998e2d7840

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8cdf9b9dd7c64d77c8aee345d3d74385

SHA1
1384ddaa0485b16cbd6d2518cb7c322ea710aa10

SHA256
7fd1a90c6ea9312974391af4384b309f793d6ac16f807ebfe77d4ac86b738dd2

SHA512
616b7ca025625999f5f0e10b3a650998465744610e15fb13a6df7aa92820daa87da6ecf9e46d75981cb557b05e09c80035bc78a7db523f527b8400799d4ad6f8

Download Submit
\Users\Admin\AppData\Local\Temp\dytiu.exe

Filesize
323KB

MD5
bb8146bf5452556871f2f898594dd5db

SHA1
2e17780f2491ca6e5fc4c13e6bad7cdec3844864

SHA256
09aafcc9e0dbc56e3f6f8045059d9917b8e6e88be6c9d50fcf2313717dd0ea7e

SHA512
2e09ae69db10bbaa8834db307a467af80f82456debf67be3ff6e17ef5bdc23bce2b994b3c55b6145e5eb0c6169a436af32f2083f89c649c5ae5dddcd75435db3

Download Submit
\Users\Admin\AppData\Local\Temp\vinaa.exe

Filesize
172KB

MD5
0512ed62e34a512e155b8895e67304f0

SHA1
7c9b8cce465e721f0dee5c07ec50261fb1e7ab5c

SHA256
171a8c9844cb36bc823030281f80327ed8b3a76980aa01a221dc58b6590e8613

SHA512
0d8d2f893c3cde45f477c04c6eb6e65ff5717a9c56c7b70c84dd340cf379c8a3c0a951899bc2c36e51751465e2761db1a09d6306abc5b096f5baf791e5d76e2d

Download Submit
memory/1416-43-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1416-49-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1416-48-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/1416-44-0x0000000000F20000-0x0000000000FB9000-memory.dmp

Filesize
612KB

Download
memory/2112-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2112-0-0x0000000000850000-0x00000000008D1000-memory.dmp

Filesize
516KB

Download
memory/2112-15-0x00000000025D0000-0x0000000002651000-memory.dmp

Filesize
516KB

Download
memory/2112-21-0x0000000000850000-0x00000000008D1000-memory.dmp

Filesize
516KB

Download
memory/3068-18-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/3068-42-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/3068-40-0x0000000003260000-0x00000000032F9000-memory.dmp

Filesize
612KB

Download
memory/3068-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3068-24-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/3068-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing