urelas | 4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9

General

Target

4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
Size

330KB
MD5

463f5610b951b6cca819ec598c1e5e90
SHA1

be4d199ce6592614e3964f6ba37da23a81281621
SHA256

4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9
SHA512

c341b274a03dfe726eead3aef688a47742c93985e0768562fac61e3d980ea8b951c5c694a348a67c7daba2a7400cbc68e33d30f7c3594299b1287f70bf568367
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1336	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2304	zoecd.exe
3068	ritar.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
2304	zoecd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ritar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoecd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe
3068	ritar.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2304	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	31
PID 3032 wrote to memory of 2304	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	31
PID 3032 wrote to memory of 2304	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	31
PID 3032 wrote to memory of 2304	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	31
PID 3032 wrote to memory of 1336	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	32
PID 3032 wrote to memory of 1336	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	32
PID 3032 wrote to memory of 1336	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	32
PID 3032 wrote to memory of 1336	3032	4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe	32
PID 2304 wrote to memory of 3068	2304	zoecd.exe	34
PID 2304 wrote to memory of 3068	2304	zoecd.exe	34
PID 2304 wrote to memory of 3068	2304	zoecd.exe	34
PID 2304 wrote to memory of 3068	2304	zoecd.exe	34

C:\Users\Admin\AppData\Local\Temp\4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe
"C:\Users\Admin\AppData\Local\Temp\4816f302177143676a2c415259b2b1ca889adf99a97b97a0b6ff18f1e221ffe9N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\zoecd.exe
  "C:\Users\Admin\AppData\Local\Temp\zoecd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Users\Admin\AppData\Local\Temp\ritar.exe
    "C:\Users\Admin\AppData\Local\Temp\ritar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2d458e2e5fb0ca55c3e6c41da5e1a8f8

SHA1
2395fbb7aa04f79d7f7f69c32a637decce91cbc4

SHA256
981328514ce143f6f56d351b41051cd0b14cf57c8852be0ea0fd2f605b3d874e

SHA512
14563dc629e39aaa19816958301c1c933afe99efefab82ac71b9d7dd4ab699e638d7646e6c9b81df1ead64fc9a89633c4d94e5be07c25884f3bf092594052086

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
367b01963d39521db768a046f9958799

SHA1
b6239209d21089564d0edc96d16a86ec02bf923b

SHA256
5b021f8e0888e0b57f69ec27a468739d2974860e83d0cfe618c0c8401430bb9a

SHA512
1982b27e9536196e80ebd7cf2312ca9584feff678a02bdd00086a8bb53fa7e7fb90e4f2f4281bdb6116a5766b93b33d3629a6272e8c4a698e4aa86c48657ea8e

Download Submit
\Users\Admin\AppData\Local\Temp\ritar.exe

Filesize
172KB

MD5
422023f962b4e9bbeac5cfe6c53da7ae

SHA1
b03c5d516d006b1224650d276eced1db488c5e5c

SHA256
c68998c27dd79be0a6e2ac8df3667287ef99833cbf6555da1046143e1a520a76

SHA512
829800110d0d06a015ea16f126b77ee31209b7f8cf49e3c71082cecf8d6db7115405e5464274e58d88d3b64aeed13bd4466f6c6444038922221108d03cf6562d

Download Submit
\Users\Admin\AppData\Local\Temp\zoecd.exe

Filesize
331KB

MD5
fb8ef248586f4c23ab2514ebe44d6cab

SHA1
d8f6679af65c26e8f68b3b6d98d04a9249fc4a4a

SHA256
8e5cc0f52a734cdd8cf7a87ef2a7d51187f00876951515621f390ed08fa8d3a5

SHA512
a671314695ab104f8166fa2c65e6fc7a43dd9b1ed2fef084167652cbb027137bd5d19968bf69fb5e7f0936a070152c650aaaad2e455bf06db8debe41205d0fbc

Download Submit
memory/2304-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2304-41-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2304-25-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2304-21-0x0000000001030000-0x00000000010B1000-memory.dmp

Filesize
516KB

Download
memory/2304-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3032-15-0x0000000002490000-0x0000000002511000-memory.dmp

Filesize
516KB

Download
memory/3032-19-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/3032-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3032-0-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/3068-43-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3068-42-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3068-47-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/3068-48-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing