urelas | ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc

General

Target

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
Size

332KB
MD5

c667e50123f002e1f2c03e2b39241a5d
SHA1

d88af9b44a3edae04e48b4fdb0aa271bc5a1f6cd
SHA256

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc
SHA512

fc7702185feb529d21af9a14c6b451a807087e838b73a4970d4bd5258d496bd952d95d73373f5836737937a41888f8781f77e0a0a0eb11835054984980fc1218
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV5:vHW138/iXWlK885rKlGSekcj66ciE5

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1592	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

dapam.exefeuvx.exe

pid	Process
2924	dapam.exe
1420	feuvx.exe

Loads dropped DLL 2 IoCs

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exedapam.exe

pid	Process
2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
2924	dapam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.execmd.exedapam.exefeuvx.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dapam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feuvx.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

feuvx.exe

pid	Process
1420	feuvx.exe
1420	feuvx.exe
1420	feuvx.exe
1420	feuvx.exe
1420	feuvx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exedapam.exe

description	pid	Process	procid_target
PID 2236 wrote to memory of 2924	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	31
PID 2236 wrote to memory of 2924	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	31
PID 2236 wrote to memory of 2924	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	31
PID 2236 wrote to memory of 2924	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	31
PID 2236 wrote to memory of 1592	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	32
PID 2236 wrote to memory of 1592	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	32
PID 2236 wrote to memory of 1592	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	32
PID 2236 wrote to memory of 1592	2236	ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe	32
PID 2924 wrote to memory of 1420	2924	dapam.exe	34
PID 2924 wrote to memory of 1420	2924	dapam.exe	34
PID 2924 wrote to memory of 1420	2924	dapam.exe	34
PID 2924 wrote to memory of 1420	2924	dapam.exe	34

C:\Users\Admin\AppData\Local\Temp\ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe
"C:\Users\Admin\AppData\Local\Temp\ebe83d0abe176b9172a4002a4bed73a1a059ac2b177b5c9254576fcf4f2668cc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\dapam.exe
  "C:\Users\Admin\AppData\Local\Temp\dapam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\feuvx.exe
    "C:\Users\Admin\AppData\Local\Temp\feuvx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
71023c4d9f4215e45953dd8cf1ba9bc6

SHA1
aa3f1afd2cbb8e6e9de5e3f0e8d904218ef13e30

SHA256
ce4c6fa6aa1429997de8ca2aa09345ea49c6ba9ea057a4d00a1c64ece8f52813

SHA512
acd6d4657e6d3a2e5b145c8f82d5b1e704fbfffd458e08e9024acd171dc554452261952b6c8faa4abf4de1af49b6471f73df149cb3aa092e48b81ca431efd1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ab57b5063f58d411fa61f06be20d2355

SHA1
7e8daf0417fd5b3075f2aad279fac8ea0ee7a209

SHA256
5302b6894ea0824bd182c34866d6759b647472cebae7ac0c7eaa7f8d3d1bfd30

SHA512
1b1a9d8a92a5854e6c6973ba59d08dca45a86efdb1f1eea7b4ce3a10ee398ad770187f922e8279050d83fe6c8b8d237529fadcdf059d723973f1bc9c3beb0607

Download Submit
\Users\Admin\AppData\Local\Temp\dapam.exe

Filesize
332KB

MD5
d35fc4fcb7f00447bfd7c7f13c8584ce

SHA1
0ee017fb4951012284fb447df62877cb62bb9009

SHA256
79628a671031481ad50a4b4571a8232f91f850d4c9cb540db9023cd636d5c020

SHA512
123f88f704d75b111579821ba950c2f5c6cf582e292b6493ef1eb70065db7f5171d9e0a2d4efd7131eb6e918cd6de9810f6f6f572cdc4464ddc00cdff2ad59da

Download Submit
\Users\Admin\AppData\Local\Temp\feuvx.exe

Filesize
172KB

MD5
d10698194afdd3964299cc2268b57823

SHA1
8c53fcb0d8a53abd65553b850eca8a0557d313bf

SHA256
2eeb1969b41e0a8fe230498ad758a4bc27543f398c0eb17a486a006de770c429

SHA512
a15d69c3b04afb4ec39a7ed25ceeb149f9ec88c603a9785c7d92eb9e7c1c99b04fd5c39e1691492310580fedbb0f3a8579b47a3fc8d2f6bab56d130382c7e3c9

Download Submit
memory/1420-50-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/1420-51-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/1420-47-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/1420-49-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/1420-48-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/1420-43-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Filesize
612KB

Download
memory/2236-0-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2236-10-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2236-21-0x0000000001310000-0x0000000001391000-memory.dmp

Filesize
516KB

Download
memory/2236-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2924-11-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2924-42-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2924-38-0x00000000032F0000-0x0000000003389000-memory.dmp

Filesize
612KB

Download
memory/2924-24-0x00000000000A0000-0x0000000000121000-memory.dmp

Filesize
516KB

Download
memory/2924-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2924-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads