urelas | b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12

General

Target

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Size

332KB
MD5

64ac1bc4ca221ef927c0f5b570dd2b80
SHA1

157f3607b64b7a69cc3b85ae3e6fb0855dfb9185
SHA256

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12
SHA512

9a329ce8c12e83cf96aa821bc0d68ee107e388d99e8dc9eaca8d55bf9f62e54d48fbcba4619999925917a62372d3d931fb1a4dc4872c7e94ac516b88830f023b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYU:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2656	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

houbb.exemepyo.exe

pid	Process
2716	houbb.exe
1044	mepyo.exe

Loads dropped DLL 2 IoCs

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exehoubb.exe

pid	Process
1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
2716	houbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exehoubb.execmd.exemepyo.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	houbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mepyo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

mepyo.exe

pid	Process
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe
1044	mepyo.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exehoubb.exe

description	pid	Process	procid_target
PID 1900 wrote to memory of 2716	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	30
PID 1900 wrote to memory of 2716	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	30
PID 1900 wrote to memory of 2716	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	30
PID 1900 wrote to memory of 2716	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	30
PID 1900 wrote to memory of 2656	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	31
PID 1900 wrote to memory of 2656	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	31
PID 1900 wrote to memory of 2656	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	31
PID 1900 wrote to memory of 2656	1900	b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe	31
PID 2716 wrote to memory of 1044	2716	houbb.exe	33
PID 2716 wrote to memory of 1044	2716	houbb.exe	33
PID 2716 wrote to memory of 1044	2716	houbb.exe	33
PID 2716 wrote to memory of 1044	2716	houbb.exe	33

C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe
"C:\Users\Admin\AppData\Local\Temp\b40fea8e1f6295c78958cd82244cef80d11ffa9b55ad88520fa83243b708bb12N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\houbb.exe
  "C:\Users\Admin\AppData\Local\Temp\houbb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\mepyo.exe
    "C:\Users\Admin\AppData\Local\Temp\mepyo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8a72da537d856fe39cf196e33d506de4

SHA1
b3fe8a6999f910b62a54af43f93dd9387b3fdc03

SHA256
91eb2480d34d1e3f221e5a8f319619ce6d11b48561cc12a3a543ea352d5885b3

SHA512
f0324a89c320b64025d33d904bd7de35e04ea761360d5fd79d3319d3872c001c4c743ee621b2aca5494a1f4f1428de026029d046fdcba395dc5fc724b06a3cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3aa539832aa8c5832cf860baf9c83bba

SHA1
696049783dc59a13c65c9c00e0f563354351436b

SHA256
532081be5e3e75643df051b5213be4b9460831b27b9eb47d41bd444beb827516

SHA512
7f7c156bc9705be0150172902528a15780f8c77d1626429f6372d1e4fb8f902f96167c5ad243364cdd0efc2cd697dff87d6e424bb662931740b7f737dc080505

Download Submit
\Users\Admin\AppData\Local\Temp\houbb.exe

Filesize
332KB

MD5
c9e7a4769b606091bc0be76442cc185c

SHA1
4668709ecfd9c75d4c93e1de471bc42a16218f1a

SHA256
e58a6b4f33aaea57d93b1960b6d060644cc319d33fd784a9eae830d73868eb52

SHA512
b55e98053dd5f29333a2df80fa886cea3e5ba933563bd77c64e80d5ab59ea862f580ea0530d56ec4bcc52941e3e8b7bf61c13a83a9991c652941dfaf0c3978eb

Download Submit
\Users\Admin\AppData\Local\Temp\mepyo.exe

Filesize
172KB

MD5
bdb82a0aec383f5cdef289459cb3c4a1

SHA1
35be0fa47b7a7a301d5c2f8eff49632fa4933803

SHA256
fdd9b80bee1f3d82067de2c9f09242974c1cfe2ef4a67f8e9b734fd7ceb9de51

SHA512
b70c4da41f8674f49a0ccabaff65a1064c096ea84b0d84e058f1c5fef205c8dbe4b8f9c637f1d39a43c2ce8fd6ab5d4f5a9f118b36881da705f4528586bc37ab

Download Submit
memory/1044-44-0x0000000000C20000-0x0000000000CB9000-memory.dmp

Filesize
612KB

Download
memory/1044-49-0x0000000000C20000-0x0000000000CB9000-memory.dmp

Filesize
612KB

Download
memory/1044-48-0x0000000000C20000-0x0000000000CB9000-memory.dmp

Filesize
612KB

Download
memory/1044-43-0x0000000000C20000-0x0000000000CB9000-memory.dmp

Filesize
612KB

Download
memory/1900-0-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/1900-9-0x00000000025A0000-0x0000000002621000-memory.dmp

Filesize
516KB

Download
memory/1900-21-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/1900-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2716-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2716-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2716-42-0x0000000001360000-0x00000000013E1000-memory.dmp

Filesize
516KB

Download
memory/2716-38-0x00000000036F0000-0x0000000003789000-memory.dmp

Filesize
612KB

Download
memory/2716-24-0x0000000001360000-0x00000000013E1000-memory.dmp

Filesize
516KB

Download
memory/2716-11-0x0000000001360000-0x00000000013E1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads