urelas | fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40

General

Target

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
Size

330KB
MD5

43e55807dae4d469554634d521bb51f0
SHA1

cd78a7587dc2931f3ad025fd5e369bfbf6c54878
SHA256

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40
SHA512

81230acc56d16dc626b4847ee168f5cadd701793be92f275cb4b6a8acb4f10470e1c927ee790fb02f403ee9428b7ab5c56383c093108086f327d5c86b6009f87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVt:vHW138/iXWlK885rKlGSekcj66ciEt

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2476	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

efmih.exevorej.exe

pid	Process
2428	efmih.exe
2028	vorej.exe

Loads dropped DLL 2 IoCs

Processes:

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exeefmih.exe

pid	Process
1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
2428	efmih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vorej.exefe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exeefmih.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vorej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efmih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

vorej.exe

pid	Process
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe
2028	vorej.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exeefmih.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 2428	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	30
PID 1964 wrote to memory of 2428	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	30
PID 1964 wrote to memory of 2428	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	30
PID 1964 wrote to memory of 2428	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	30
PID 1964 wrote to memory of 2476	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	31
PID 1964 wrote to memory of 2476	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	31
PID 1964 wrote to memory of 2476	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	31
PID 1964 wrote to memory of 2476	1964	fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe	31
PID 2428 wrote to memory of 2028	2428	efmih.exe	34
PID 2428 wrote to memory of 2028	2428	efmih.exe	34
PID 2428 wrote to memory of 2028	2428	efmih.exe	34
PID 2428 wrote to memory of 2028	2428	efmih.exe	34

C:\Users\Admin\AppData\Local\Temp\fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe
"C:\Users\Admin\AppData\Local\Temp\fe92121f12f123053156d935af03d7334ecef6587cfe4fa709e5dd99d7b52f40N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\efmih.exe
  "C:\Users\Admin\AppData\Local\Temp\efmih.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\vorej.exe
    "C:\Users\Admin\AppData\Local\Temp\vorej.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6963e781731c44b4603e976d68b34d16

SHA1
610d6c8fe21974500a7c5cae1fb2e0f66ce0ba6a

SHA256
26d4e480f403deb561e51a66ac74935f3b62ff48eea3ce41db69e2c7a96db75c

SHA512
0111e482caf7687b3e9ef9e365a483602d31135e6410dc481c67d2b83826f43203c3d5d8066858d781affa545ee12cf04e9c3aa0a6c5ecca275e86ec6a9a6921

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8d0509fdebd289ee20426024d2364582

SHA1
4db7df5ccdc4233da4ac967e214b959d444f71c1

SHA256
f2336602e3cc904c232b7af6bff3232d1a8ed200ee543d63ad420a9a48f65946

SHA512
bdf52bcc8b68c22cc2f2ee89a52d7c3f877ab6078459d1ea9722179288aac7b2eb4ae0621ac11b38b6058f53520e270ed7c1b7cf2e6defed94042a53e62404bf

Download Submit
\Users\Admin\AppData\Local\Temp\efmih.exe

Filesize
330KB

MD5
45917214cc5b00e4b745d21624a05236

SHA1
ccc842faa0b5d017ccf8609b6a9b3bf403063a15

SHA256
e25e3b3632807a2d3518f1c6974de396067a32f251bd8fb534790b2f1e29c62b

SHA512
444b0b5a0fe8cff3c66a37324982696198ad5b90b819da6887bcf42d0066d76a6001a7b4b5759e82aa3019c477465899bed864b63caf42dff6d4cf8ffc36de4c

Download Submit
\Users\Admin\AppData\Local\Temp\vorej.exe

Filesize
172KB

MD5
506f6b67cb036cfdeb670fdb5d12ec14

SHA1
5148671db9f2782dba315aaa660b87550e28b451

SHA256
1d0f3e0117807eb3d1d9c8c9334035f3e5a3b0146f30282c7bcc7bc19bb5c8f2

SHA512
da68aeabf443d8b0ae332ddb45ff0699bdeeedbe9d025f853806951b71feb85fcc0d2d78f591ed32285da5c7e69c5cf35b9893db7586a89597316840d1a8e567

Download Submit
memory/1964-0-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/1964-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1964-15-0x0000000002630000-0x00000000026B1000-memory.dmp

Filesize
516KB

Download
memory/1964-19-0x0000000000270000-0x00000000002F1000-memory.dmp

Filesize
516KB

Download
memory/2028-42-0x0000000001040000-0x00000000010D9000-memory.dmp

Filesize
612KB

Download
memory/2028-47-0x0000000001040000-0x00000000010D9000-memory.dmp

Filesize
612KB

Download
memory/2028-46-0x0000000001040000-0x00000000010D9000-memory.dmp

Filesize
612KB

Download
memory/2028-40-0x0000000001040000-0x00000000010D9000-memory.dmp

Filesize
612KB

Download
memory/2428-17-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/2428-41-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/2428-38-0x00000000034A0000-0x0000000003539000-memory.dmp

Filesize
612KB

Download
memory/2428-23-0x0000000000110000-0x0000000000191000-memory.dmp

Filesize
516KB

Download
memory/2428-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads