urelas | 7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294d

General

Target

7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe
Size

332KB
MD5

9ebbe290a19b316f1d2e4c3f03599c20
SHA1

763c3d634611dd47711e9e5e6a20e150029a70fb
SHA256

7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294d
SHA512

c2267a3ac9a93dec9dd04f9359b377ad98da067325985bebfc70c2268309dce34e06e25b6e826a44eff06d7880e5fa1d0e4533d7c84d5492beb9ef580ae6c73a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYx:vHW138/iXWlK885rKlGSekcj66cig

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
1196	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2332	eltun.exe
3000	ylkos.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe
2332	eltun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylkos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eltun.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe
3000	ylkos.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2332	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	30
PID 2452 wrote to memory of 2332	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	30
PID 2452 wrote to memory of 2332	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	30
PID 2452 wrote to memory of 2332	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	30
PID 2452 wrote to memory of 1196	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	31
PID 2452 wrote to memory of 1196	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	31
PID 2452 wrote to memory of 1196	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	31
PID 2452 wrote to memory of 1196	2452	7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe	31
PID 2332 wrote to memory of 3000	2332	eltun.exe	34
PID 2332 wrote to memory of 3000	2332	eltun.exe	34
PID 2332 wrote to memory of 3000	2332	eltun.exe	34
PID 2332 wrote to memory of 3000	2332	eltun.exe	34

C:\Users\Admin\AppData\Local\Temp\7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe
"C:\Users\Admin\AppData\Local\Temp\7aa19f93599b76197e927df94e15d49d2ad81354544e787bd1780e017aab294dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\eltun.exe
  "C:\Users\Admin\AppData\Local\Temp\eltun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\ylkos.exe
    "C:\Users\Admin\AppData\Local\Temp\ylkos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
87b28d18cd1d50234fd62f48107ab269

SHA1
e71b8bf3ae78055a32d0b338b0fd5d187b35f18e

SHA256
7ee4ca925c7649966ff93ab9e761c69a81917df6a18ee0c2d635730db29cf655

SHA512
f37f75ac1995cc6e0b107e4dab853185e3393657fb9aa823454c51d58cffb417cf395e481040384bf5a30e17fad212b3e61f3ef486c27f600a4c6d889fcd57b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24206c5dbb065e02b23cb0350fb8a9ee

SHA1
ed5ded80bd0679a811b7c4d7d76a8842cb206d08

SHA256
b7863ebd4a8a53735dee09e28c3dde230507d5df9cf68dfa48d42aecddd10c18

SHA512
6fad0a86b9f3a2b363d0dcaab2b3cf6a0b1c7ead9e40efebf60940185f6240c76a8c059de06ef9a2ceb75d771c2320151ff76fcc2104fc971114821ceac3ece6

Download Submit
\Users\Admin\AppData\Local\Temp\eltun.exe

Filesize
332KB

MD5
eb1e07c2b3af85459084d07fc8696141

SHA1
edc8d1435e55ff5ca7b15db2ddba73a755960cb7

SHA256
73ca7e976da9f38661b7efa3ae452d4043580d272063a01f021f97d1866cba39

SHA512
1e4deb70d20e28bf4d1246480776dc51ecbd00c5401daf5b01193aa49466d0320c245f36d5e2f16b0a7db6351d4e44313207a7bdb1173408a058cc7aaf9e1067

Download Submit
\Users\Admin\AppData\Local\Temp\ylkos.exe

Filesize
172KB

MD5
7deddb65b881f2b21f2bd09385929b24

SHA1
97c5f4efc5ebf998f97fb892dee30be131a99db7

SHA256
c8b4ce0af1efbfe68153e0f79a55d021f9c100a7c643379c699e16c44c2ca654

SHA512
f0f765af1366c5f720f445a7ea6a9bd620211152c6d98eb86b0f3c8d8f19875f227cb3be9f2ff5569ba2d385dfda0eb7c81f631ff0603f9685feb391ee66194d

Download Submit
memory/2332-42-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2332-25-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2332-40-0x0000000003580000-0x0000000003619000-memory.dmp

Filesize
612KB

Download
memory/2332-18-0x0000000000CB0000-0x0000000000D31000-memory.dmp

Filesize
516KB

Download
memory/2332-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2452-0-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/2452-9-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/2452-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2452-21-0x0000000001270000-0x00000000012F1000-memory.dmp

Filesize
516KB

Download
memory/3000-44-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-43-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-48-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download
memory/3000-49-0x00000000013D0000-0x0000000001469000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing