urelas | 3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fc

General

Target

3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe
Size

324KB
MD5

96cbd49ff3683846471981dcab152fc0
SHA1

8bf48d25256ae54a9d1afc01aaa7d99a80a3297f
SHA256

3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fc
SHA512

eef98866db824f707f05d038a6a9381037e9cba538fa3954306377a26e61c80438b62a29205c30f4c42e4c52637f3f70b5dadedbe717a184e0ece843b1e28230
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYX:vHW138/iXWlK885rKlGSekcj66cim

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2092	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
484	zudia.exe
1808	jeqyr.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe
484	zudia.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jeqyr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zudia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe
1808	jeqyr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 484	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	31
PID 2492 wrote to memory of 484	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	31
PID 2492 wrote to memory of 484	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	31
PID 2492 wrote to memory of 484	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	31
PID 2492 wrote to memory of 2092	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	32
PID 2492 wrote to memory of 2092	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	32
PID 2492 wrote to memory of 2092	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	32
PID 2492 wrote to memory of 2092	2492	3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe	32
PID 484 wrote to memory of 1808	484	zudia.exe	35
PID 484 wrote to memory of 1808	484	zudia.exe	35
PID 484 wrote to memory of 1808	484	zudia.exe	35
PID 484 wrote to memory of 1808	484	zudia.exe	35

C:\Users\Admin\AppData\Local\Temp\3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe
"C:\Users\Admin\AppData\Local\Temp\3683a5e661ebd9bc007fe9fa34179f944af75796dbd23fd2421400cd643dd2fcN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\zudia.exe
  "C:\Users\Admin\AppData\Local\Temp\zudia.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Users\Admin\AppData\Local\Temp\jeqyr.exe
    "C:\Users\Admin\AppData\Local\Temp\jeqyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bc08f8ac91d6612094694b5f3a19c5f5

SHA1
62273a0c7275a4191890a7d034a6b176ba17f63c

SHA256
6d9c1b28c359197345b80edb5bcc7fb24f4c2658d345428d0dbd2870cde89343

SHA512
4ce12e5bfc2e5a3f0e100149f6ba9245d0c7bc452fa847ce6064288a9221de9279a21bcd25fe355cbf9c5fd39a18710d74a9cdab86210bdeebb2966c8425965f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
80c8ff01a47ee3a4e6b7d12b5b9913ec

SHA1
f7c71bc3edab29a7cd17ad43238146b4ccd51ff6

SHA256
f15e31ac2898076e998a1631445adeb68d549112e5687f77b97c752371f47d1d

SHA512
ae56006719e5745ea39a1dfa52af9e7c78ded32817f247837669c66ccff29de0231deda2e5b9960847949567dfbc34868e08692fa12ac51c2a18d59d7e133bfd

Download Submit
\Users\Admin\AppData\Local\Temp\jeqyr.exe

Filesize
172KB

MD5
13cd021f5116be776e1089c251769570

SHA1
acdebeb37b3c38fb32ce3356425f00f4fe1d0d88

SHA256
ad35d2f486424489f5d86611d391377ce83546688a776728a654cdc35d7c9fad

SHA512
b547593e14c9e2b5c6d47311febfe023790c1e193114cf0904e9f94bd3ccc2a8a8dd8a1ff729f1a88a90f74652054917faa875f38990a0de2a68107d05e08346

Download Submit
\Users\Admin\AppData\Local\Temp\zudia.exe

Filesize
324KB

MD5
4d9221cdb8a9a1d2ce07a095a6f25053

SHA1
0071dc95567e0f625c1431526b8f11b4624374a2

SHA256
5fecd3b49920ba9ac932300d5b635d23043382455201f96606058d52d7c443a1

SHA512
500744b8671361b32e9300e022c83166ced0ef213e434ab47afdee542a346c57e24c1534fccb1672ce1ce7d46c8201742f2c94aa13b3e3dab15b8ea8415c455a

Download Submit
memory/484-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/484-18-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/484-24-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/484-37-0x0000000004120000-0x00000000041B9000-memory.dmp

Filesize
612KB

Download
memory/484-40-0x00000000011C0000-0x0000000001241000-memory.dmp

Filesize
516KB

Download
memory/1808-45-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1808-42-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1808-47-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/1808-48-0x0000000001320000-0x00000000013B9000-memory.dmp

Filesize
612KB

Download
memory/2492-9-0x0000000000550000-0x00000000005D1000-memory.dmp

Filesize
516KB

Download
memory/2492-21-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2492-0-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2492-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing