urelas | 8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833e

General

Target

8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
Size

323KB
MD5

54aac8667bedfee7994df8c337a7b170
SHA1

bc0dd454c453f0bb03ff14e1c05ace0270905cf6
SHA256

8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833e
SHA512

2e32e72186d173f2a5199869f71d1b0aa944a4801ca4bb46d4ed91c340339ff727b607d65c757d1e98e76c14269bbeaab68b0ce7c90084afb4012e85cfa6c114
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYF:vHW138/iXWlK885rKlGSekcj66cik

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Deletes itself 1 IoCs

pid	Process
2408	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2324	rivyj.exe
1932	wyiga.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
2324	rivyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rivyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyiga.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe
1932	wyiga.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2324	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	31
PID 1716 wrote to memory of 2324	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	31
PID 1716 wrote to memory of 2324	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	31
PID 1716 wrote to memory of 2324	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	31
PID 1716 wrote to memory of 2408	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	32
PID 1716 wrote to memory of 2408	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	32
PID 1716 wrote to memory of 2408	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	32
PID 1716 wrote to memory of 2408	1716	8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe	32
PID 2324 wrote to memory of 1932	2324	rivyj.exe	35
PID 2324 wrote to memory of 1932	2324	rivyj.exe	35
PID 2324 wrote to memory of 1932	2324	rivyj.exe	35
PID 2324 wrote to memory of 1932	2324	rivyj.exe	35

C:\Users\Admin\AppData\Local\Temp\8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe
"C:\Users\Admin\AppData\Local\Temp\8b2604bdccd1e9b55fa7ec43737b4d2d50db023654db9562a2550eceb9f8833eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\rivyj.exe
  "C:\Users\Admin\AppData\Local\Temp\rivyj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\wyiga.exe
    "C:\Users\Admin\AppData\Local\Temp\wyiga.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e5a710945ccb435648dade351fc5f34d

SHA1
eb6b10ebc6f02f31f59c8bc5cb9a56baf2f7270f

SHA256
5348a01acd30fd07eea86973b6e178bd0fc94c00fddbb6c5af894273a9f1e7fe

SHA512
268d496deac975daf09e8ef0626b3030639622f08299c6aa7f3119cc4d1b780e00df87b551638281a36e4782ec72c7ecb492fff6253e6cb78641c3086815e69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c5b449e0527f62e64716c869ee3864e2

SHA1
99abd5526827102d907c3743aa51b52864022a60

SHA256
0019f15da01a1def68ef40c03610e7b702e39afc8187b533b5c25593b6b6ff4c

SHA512
efbc193e671ea5961a0fbd70350f91b8b631e834c58c5099bc1ba5d246857dab9f42e39c5759e3b12803412bbf63eb3eb8f208178b59d0edd043302464beb9a9

Download Submit
\Users\Admin\AppData\Local\Temp\rivyj.exe

Filesize
324KB

MD5
b2d4c61bd34f152112c67e4f315d1294

SHA1
4b3e3d88ccbd43008ed175f4f30cbc0bc3c0e484

SHA256
8e00e891200cb7aada1537703d2b07dd69c2eb43b4794b70049a3284cb49ce5f

SHA512
6f1ecde5e7788a47b21d899c267bcc090e43e2d4058895a69236ad8244dd1f58bd4fdd3b13631b395ec91248bf6cd11cbd46eb4097b441823e1180b0c33da0b3

Download Submit
\Users\Admin\AppData\Local\Temp\wyiga.exe

Filesize
172KB

MD5
d1102f155a6db7c28bafef8b970bcb19

SHA1
6b69f82a5492c7ec06c83cf96e44ca204e195c0c

SHA256
a542980240ed23f9b548ce3f9872e7a7e0a2d08602e9bf1fd774378ce18e2593

SHA512
410520deb8365d59aa5a6e52f24597c29a50f8c22e97b9490391068b801dd2f9f0f4332396f798d87b0474d6aae614a85580952574ae160ee94dd3f52463aa10

Download Submit
memory/1716-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1716-0-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/1716-9-0x0000000000EB0000-0x0000000000F31000-memory.dmp

Filesize
516KB

Download
memory/1716-21-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/1932-42-0x0000000000D10000-0x0000000000DA9000-memory.dmp

Filesize
612KB

Download
memory/1932-45-0x0000000000D10000-0x0000000000DA9000-memory.dmp

Filesize
612KB

Download
memory/1932-47-0x0000000000D10000-0x0000000000DA9000-memory.dmp

Filesize
612KB

Download
memory/1932-48-0x0000000000D10000-0x0000000000DA9000-memory.dmp

Filesize
612KB

Download
memory/2324-24-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/2324-11-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download
memory/2324-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2324-40-0x0000000003750000-0x00000000037E9000-memory.dmp

Filesize
612KB

Download
memory/2324-39-0x0000000000C50000-0x0000000000CD1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing