urelas | 2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804

General

Target

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
Size

331KB
MD5

84affb81f44aa2c83eb85713533b18c0
SHA1

e1127087f960860fc7343bf44e3af267ae2bfaaa
SHA256

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804
SHA512

053984cda524ed05bea35de15e362deab1f26875768c33e7cf9ce8b863318f01113e87354b597ab2848db93583e5b7a813c6dd86487c550a73930463aabd449c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYB:vHW138/iXWlK885rKlGSekcj66cic

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2840	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

totoh.exeevqyj.exe

pid	Process
2860	totoh.exe
3036	evqyj.exe

Loads dropped DLL 2 IoCs

Processes:

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exetotoh.exe

pid	Process
2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
2860	totoh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exetotoh.execmd.exeevqyj.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	totoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evqyj.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

evqyj.exe

pid	Process
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe
3036	evqyj.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exetotoh.exe

description	pid	Process	procid_target
PID 2904 wrote to memory of 2860	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	29
PID 2904 wrote to memory of 2860	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	29
PID 2904 wrote to memory of 2860	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	29
PID 2904 wrote to memory of 2860	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	29
PID 2904 wrote to memory of 2840	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	30
PID 2904 wrote to memory of 2840	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	30
PID 2904 wrote to memory of 2840	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	30
PID 2904 wrote to memory of 2840	2904	2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe	30
PID 2860 wrote to memory of 3036	2860	totoh.exe	32
PID 2860 wrote to memory of 3036	2860	totoh.exe	32
PID 2860 wrote to memory of 3036	2860	totoh.exe	32
PID 2860 wrote to memory of 3036	2860	totoh.exe	32

C:\Users\Admin\AppData\Local\Temp\2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe
"C:\Users\Admin\AppData\Local\Temp\2f6da5dba9eb5bf6eaade283ff9cb3d52b637cfe30596c75f56dfb99374eb804N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Admin\AppData\Local\Temp\totoh.exe
  "C:\Users\Admin\AppData\Local\Temp\totoh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\evqyj.exe
    "C:\Users\Admin\AppData\Local\Temp\evqyj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f24ded1a2bb52c6e9e786a1357714701

SHA1
af694bb8cb69e290fc5f342d62d290faf8833a9b

SHA256
c1b8be4bdf4d67408af727c55f8100d8f31f9483c6978103746ab6b77086333b

SHA512
95e86d451d3cfcb73a533186935b3b85a25b020861e4d3056de950faa9378576adc93775802db2177b6fdbb324f1e0ad8f337e7641505b91a24819feb17d918a

Download Submit
C:\Users\Admin\AppData\Local\Temp\evqyj.exe

Filesize
172KB

MD5
e8f14d37aa136a7d3c4dc641eb212871

SHA1
0b2cf373d5a946ff9ff8da95e8acbd950d2eb609

SHA256
d6c1dd5cb80a1ea575a756d9042c51dd3447710c3ff1e407b8ecf896be2cafa2

SHA512
4dd783e2479bc29d20b28c786310f353fdcc070bfbd3a0a4b5a5595d188bda88b4973c4fde54868a75e06b3ec0f4db34a3bfb67fe4941acf7a9674b79deac06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8a27c14414c4ccc018bbdd603eaf6590

SHA1
2e57da60ea76f9074e45176c736ae0ae0ae91b30

SHA256
7ccf03488612ea69839403d36d6e8e54b9aad7e9fffbc49cfa143d3551db6cf4

SHA512
25eadd549524d9da146a3db73807bdc9d4e97b4b220b9cbdb2318ad59b6e8fa49255da44b179754ecf4bf34b6113dc4f5196894ce49e45a199adb046d0286913

Download Submit
\Users\Admin\AppData\Local\Temp\totoh.exe

Filesize
331KB

MD5
875502f8df7f74d9214a5bf830836a01

SHA1
fbed8a7f7231fc826bb6f702ea5de622d1312b9f

SHA256
daf7f92984acbd80f77b19efab6cf9ca56e17523d67a2e0782366170f26807be

SHA512
a8f9fd883e6ab38c15e2492d0a4eb5650dba84bc43ef671ba5d401c465575839923647e9c131f49fcd827a52a3a3e5103d0d0e66f41c6584bf5c58cdcc966b1e

Download Submit
memory/2860-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2860-11-0x0000000000AA0000-0x0000000000B21000-memory.dmp

Filesize
516KB

Download
memory/2860-24-0x0000000000AA0000-0x0000000000B21000-memory.dmp

Filesize
516KB

Download
memory/2860-40-0x0000000000AA0000-0x0000000000B21000-memory.dmp

Filesize
516KB

Download
memory/2904-0-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2904-21-0x0000000000310000-0x0000000000391000-memory.dmp

Filesize
516KB

Download
memory/2904-7-0x0000000002550000-0x00000000025D1000-memory.dmp

Filesize
516KB

Download
memory/2904-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3036-41-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/3036-42-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/3036-46-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download
memory/3036-47-0x0000000000BF0000-0x0000000000C89000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads