urelas | 8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472

General

Target

8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
Size

332KB
MD5

80c40844ce7c96763356bc8f55442a60
SHA1

f2b0bc7ff2c7803dee7c975f8ddc67f80ed59eba
SHA256

8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472
SHA512

490bb52421406db27c3b12add8876edefbece2aacb87fac488fcb9535aba787025f18776be54d3b26d36e79ef40c8bfa25b5e3b351241cac850c550d9eb600b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYh:vHW138/iXWlK885rKlGSekcj66cik

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2740	eppux.exe
2140	ovycu.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
2740	eppux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eppux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovycu.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe
2140	ovycu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2740	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	30
PID 2880 wrote to memory of 2740	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	30
PID 2880 wrote to memory of 2740	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	30
PID 2880 wrote to memory of 2740	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	30
PID 2880 wrote to memory of 2796	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	31
PID 2880 wrote to memory of 2796	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	31
PID 2880 wrote to memory of 2796	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	31
PID 2880 wrote to memory of 2796	2880	8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe	31
PID 2740 wrote to memory of 2140	2740	eppux.exe	34
PID 2740 wrote to memory of 2140	2740	eppux.exe	34
PID 2740 wrote to memory of 2140	2740	eppux.exe	34
PID 2740 wrote to memory of 2140	2740	eppux.exe	34

C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe
"C:\Users\Admin\AppData\Local\Temp\8e42be2989a9b30e16a67eb16e4dc34bd3032e4f5d65c3762b05c7d70fab3472N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\eppux.exe
  "C:\Users\Admin\AppData\Local\Temp\eppux.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\ovycu.exe
    "C:\Users\Admin\AppData\Local\Temp\ovycu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
71eb4b9da5a2bedfb95309abd47afa79

SHA1
26d120c4c4a958c747ce7da21d20e7d04f1d0427

SHA256
235fd21006190231308a396c57ddf9c2e7484667665d628a83ebe1a57d0446e3

SHA512
1988d422c392d43b674ca64c76c1e541d16bf6634c036cc7709884169f07c4969ad043e4028a83bb412c983e423570108ca6307c5311d55f57dc23827c12cc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\eppux.exe

Filesize
332KB

MD5
46418d379a94b317822f42d277cef375

SHA1
1873bf0496fe2548140e7c68b34bf5a0a9b22351

SHA256
6599d67b181d8eb205029cebb22fb0709de48b6418b592e32ef3fe9cfb9906e6

SHA512
97c639c8451a0fe1fff5cf75b6aebf736a2be3a72418c1799d68612e2579e5d60a1b3573f516fcd30b7e6cd083d1f2a1718ed90fa37b82107bd50d0d0dfcd761

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a5bce29220dd536b47ee3b8e87c9dbda

SHA1
7f0b4c66fe56f898dd4b67fcd0460be7dc9c5c52

SHA256
bbe3d1bd4d8551c2745f53ec99657efb5cfac92c91252aa876e895a094a59c23

SHA512
bdcbae46b0aedd5b69a875b91a7b455c317aa7bbeecb8cbd37c1b057bb34f46a52ac453197ebdd25199b72f8692c9eab091007b4e8eb7eccf5969c1d347557b3

Download Submit
\Users\Admin\AppData\Local\Temp\eppux.exe

Filesize
332KB

MD5
a1ba9a0249c468de0a7d81ad60df06ab

SHA1
09185ac6448a904c466c83e24c65a020fe8ad810

SHA256
9b806e26e6c6f89f018592359d6a5d9475f8e9ce428079c7f217611b3bbb1338

SHA512
33f3627bd8af072fb450067af049a401f82e56746294d45d9a7a84d76c5b976252dd87cddfc809c154c235730f5197edd258244e056dfbdda988a24729d4b429

Download Submit
\Users\Admin\AppData\Local\Temp\ovycu.exe

Filesize
172KB

MD5
4024ad96ca35fa39afb268778809e81e

SHA1
2cf3630db469817df884dd2792f68ffff07ce9c7

SHA256
9991ed4cdae95fd190fca684c64ca71568a0e6e6a9de5453732358422df093b0

SHA512
6c6693bbad6e2b57b096174869a1586b90390bac997973f1fbb07708322eb5174ecee48826de8c5c3168f6495e4329a29ed820604ec18fa2d55037e03e9256a6

Download Submit
memory/2140-49-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/2140-48-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/2140-43-0x0000000001380000-0x0000000001419000-memory.dmp

Filesize
612KB

Download
memory/2740-42-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2740-24-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2740-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2740-38-0x0000000003AC0000-0x0000000003B59000-memory.dmp

Filesize
612KB

Download
memory/2740-11-0x0000000000140000-0x00000000001C1000-memory.dmp

Filesize
516KB

Download
memory/2880-21-0x0000000001210000-0x0000000001291000-memory.dmp

Filesize
516KB

Download
memory/2880-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2880-9-0x00000000027E0000-0x0000000002861000-memory.dmp

Filesize
516KB

Download
memory/2880-0-0x0000000001210000-0x0000000001291000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing