urelas | 41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72

General

Target

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
Size

326KB
MD5

50a3d5650fd5b53e793e526147985840
SHA1

8e7bc7907a5f24c7bd3331ee3d7ac8b32617b042
SHA256

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72
SHA512

79b3208a137098624c847a42cf8fc3370428cafb350b91532ac592b239ebaac55811ff60a2fba5e022097510429b6b2505b7b063786e4dff8650841123636548
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY5:vHW138/iXWlK885rKlGSekcj66ci0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3036	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ryude.exeakajt.exe

pid	Process
604	ryude.exe
1656	akajt.exe

Loads dropped DLL 2 IoCs

Processes:

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exeryude.exe

pid	Process
2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
604	ryude.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

akajt.exe41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exeryude.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	akajt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryude.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

akajt.exe

pid	Process
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe
1656	akajt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exeryude.exe

description	pid	Process	procid_target
PID 2488 wrote to memory of 604	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2488 wrote to memory of 604	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2488 wrote to memory of 604	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2488 wrote to memory of 604	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	30
PID 2488 wrote to memory of 3036	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2488 wrote to memory of 3036	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2488 wrote to memory of 3036	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 2488 wrote to memory of 3036	2488	41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe	31
PID 604 wrote to memory of 1656	604	ryude.exe	33
PID 604 wrote to memory of 1656	604	ryude.exe	33
PID 604 wrote to memory of 1656	604	ryude.exe	33
PID 604 wrote to memory of 1656	604	ryude.exe	33

C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe
"C:\Users\Admin\AppData\Local\Temp\41c30ab8d57535ff7528e65ede130a88d3bf5a5cf75586d3ec33ea38f084cf72N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\ryude.exe
  "C:\Users\Admin\AppData\Local\Temp\ryude.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Users\Admin\AppData\Local\Temp\akajt.exe
    "C:\Users\Admin\AppData\Local\Temp\akajt.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b65c0e5c9635e3d150f505115b7a84c1

SHA1
348b499ff301db54c4b54cf32ba8af5a8274532b

SHA256
139f15f77361de23c657a4d6be0499b23fdafb0277b255f357080f2c891e0f05

SHA512
3fbed4aa47e2ba8102e0bfa172cfe306997d1f6f443e73292725c68677546f05fd8d6efeba0409606a00eea4c2c70cd5ad112530f657288c208fd5ae038bfd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1d641ea9ef15ef1cbf0cb08d85bbe88f

SHA1
c62b62ae1ae113efcc6f30997728fa1ae2b1dc9b

SHA256
a12546e93f9bf5a369b4027ab74cfa9542ea2bcd95d825db3b703e599c54bc88

SHA512
a7adc2a5cee9f00a8a0f04aa19634a14e58905fac4b637403d0f6e5638fcb99658396c54531284786d56fe7b8b9d51e6067c0d04520dbab5d35b1d07a0a9fc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryude.exe

Filesize
326KB

MD5
dc280abd92b67a7231c602de069bd290

SHA1
7540e637f5814d9260146f9efad576ff71e88fd0

SHA256
d8abf55bbf521aea10870ccc98782a39a23c123dfd1282ace06db16d1b9bdd10

SHA512
eecbe2c4cc14e567d15cc146905198e98c9cd3aba0e5a1295cdb858f5327108f32e9aa6a57f4b9ca7080f83adf64577e4f2dcaf32360e056f8bb24cd626529f0

Download Submit
\Users\Admin\AppData\Local\Temp\akajt.exe

Filesize
172KB

MD5
233a32ded049f534fa0baa1940391c28

SHA1
2d1613ea697f9691ef068e8ee4f2d06b663d96be

SHA256
8eab51b51ecf2bebc365852ec1c2c3a89920a601dc451fe28b184a873f993b34

SHA512
0033e6e8e8ef2ecd6cf80240fc0eeccb2d5d46c226dede2988bafdfa1b0c5c5cacaf996678c89610dab34b03160e81fea4abe3d6ab67897770b9f6a5d63fed68

Download Submit
memory/604-23-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/604-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/604-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/604-42-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/604-39-0x0000000003560000-0x00000000035F9000-memory.dmp

Filesize
612KB

Download
memory/1656-40-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1656-44-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1656-47-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/1656-48-0x0000000000E70000-0x0000000000F09000-memory.dmp

Filesize
612KB

Download
memory/2488-20-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2488-8-0x0000000002810000-0x0000000002891000-memory.dmp

Filesize
516KB

Download
memory/2488-0-0x00000000002D0000-0x0000000000351000-memory.dmp

Filesize
516KB

Download
memory/2488-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads