urelas | 105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2

General

Target

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
Size

333KB
MD5

6d61e7016b9e79cdbf94a20528deb790
SHA1

72cfd35595e436fc26b396829865860a6033d16e
SHA256

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2
SHA512

3a4a566107d6fd420ed9a698f15fd7f21b87b7346bbc5bc60418a746cf610e9acd51cedc5967334203ef85b357bbb46fba1382d304ea79aed2dd3ef817474259
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYP1:vHW138/iXWlK885rKlGSekcj66ciU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
3016	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

ceqie.exebucat.exe

pid	Process
2088	ceqie.exe
1588	bucat.exe

Loads dropped DLL 2 IoCs

Processes:

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.execeqie.exe

pid	Process
2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
2088	ceqie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.execeqie.execmd.exebucat.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ceqie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bucat.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

bucat.exe

pid	Process
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe
1588	bucat.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.execeqie.exe

description	pid	Process	procid_target
PID 2092 wrote to memory of 2088	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	30
PID 2092 wrote to memory of 2088	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	30
PID 2092 wrote to memory of 2088	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	30
PID 2092 wrote to memory of 2088	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	30
PID 2092 wrote to memory of 3016	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	31
PID 2092 wrote to memory of 3016	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	31
PID 2092 wrote to memory of 3016	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	31
PID 2092 wrote to memory of 3016	2092	105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe	31
PID 2088 wrote to memory of 1588	2088	ceqie.exe	34
PID 2088 wrote to memory of 1588	2088	ceqie.exe	34
PID 2088 wrote to memory of 1588	2088	ceqie.exe	34
PID 2088 wrote to memory of 1588	2088	ceqie.exe	34

C:\Users\Admin\AppData\Local\Temp\105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe
"C:\Users\Admin\AppData\Local\Temp\105612a0af7055c61b91501d1242d451e9563138add2c30c46f710c9f90517c2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\ceqie.exe
  "C:\Users\Admin\AppData\Local\Temp\ceqie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\bucat.exe
    "C:\Users\Admin\AppData\Local\Temp\bucat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
441c87551637a84f08ae74cd4c8c9286

SHA1
bff75f032dd3f7a6d5d6be25c133863eddb72160

SHA256
5fced4c18367383971f8c5e943107bb8862067f337b52276d78173c5067506ce

SHA512
0ea48323913dffac9ce728c0461c85388b2a7cd6369aa74be75ededb90b772e6cbd3b5c2f8b49202f8599b206379dd944bec1e26b3c6a1ae59e8f77356793718

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0f19531d6c980b4ca6121ec9146cd7bf

SHA1
40fef1595bf849ed7036490391830ea27686d5eb

SHA256
be24849b6385541f7f29cc7e70f860f68a9f5ba98ac515a70e1fed914b21d74a

SHA512
4c06e75ac1d3f0cdcf926d2a936817ea35ec3eda88e29330ac1f7a37e2e96e72ac06aff1f7df9a6cc4e04d431127ab2804ccbf902e041fa7b117f0bb87a9f72b

Download Submit
\Users\Admin\AppData\Local\Temp\bucat.exe

Filesize
172KB

MD5
dfff292efdd7426d23a610face4d830e

SHA1
48f8d79aee124294d74db67cc6dbc7e203b6a35c

SHA256
dfd1cc13cdb71be26fa27e00005f57fb490a07552f486e26b16e20089fbd9a84

SHA512
77ff34c5e8b9a518be739473fd42b53e1ae5fa4edd10e4a21456facd6929d7a365bce5a03d747ec167f0695f25c2ced0e5bf1e8ebba645cba6846eab0b8e7821

Download Submit
\Users\Admin\AppData\Local\Temp\ceqie.exe

Filesize
333KB

MD5
0477ead4d7b271d2a39880d500d9e8dc

SHA1
2d050d94f66971723d56777e6c4926630ad2dc4c

SHA256
eb495811f09eb20849d65e2d50a70153136d98402789c01a185c17634575ff80

SHA512
c94bb7f52c7880d0bc8f8e502881bb244576b7cab5bc4f87c5f61f718191701ae235343a6c1426719a387570008391e50586834957ea293ab1d9f5939cccd9a8

Download Submit
memory/1588-48-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/1588-47-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/1588-42-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/1588-45-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/2088-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2088-18-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2088-38-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2088-41-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2088-23-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2092-9-0x0000000001090000-0x0000000001111000-memory.dmp

Filesize
516KB

Download
memory/2092-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2092-19-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download
memory/2092-30-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download
memory/2092-0-0x00000000013A0000-0x0000000001421000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads