urelas | 7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8

General

Target

7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
Size

332KB
MD5

f6635ac29f607998a4c7725fd5eede20
SHA1

cc6eeea7c353e6010700722b37c7a77eb649ccfb
SHA256

7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8
SHA512

07f5074208431a97fe3844bc21c10e2ccfeb3ca480f9ed4076592715c8d64c01773129a26545585dad671b54f84b57c2b67a6708cfad05dc83353c3ec191d9af
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVr:vHW138/iXWlK885rKlGSekcj66ciEr

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2612	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	huwyp.exe
1920	vuguv.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
2588	huwyp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huwyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuguv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe
1920	vuguv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2588	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	28
PID 2656 wrote to memory of 2588	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	28
PID 2656 wrote to memory of 2588	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	28
PID 2656 wrote to memory of 2588	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	28
PID 2656 wrote to memory of 2612	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	29
PID 2656 wrote to memory of 2612	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	29
PID 2656 wrote to memory of 2612	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	29
PID 2656 wrote to memory of 2612	2656	7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe	29
PID 2588 wrote to memory of 1920	2588	huwyp.exe	33
PID 2588 wrote to memory of 1920	2588	huwyp.exe	33
PID 2588 wrote to memory of 1920	2588	huwyp.exe	33
PID 2588 wrote to memory of 1920	2588	huwyp.exe	33

C:\Users\Admin\AppData\Local\Temp\7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe
"C:\Users\Admin\AppData\Local\Temp\7d2b119d7cb9ed16f0367f444331cccbae5c5092032887561ff660c95472f2f8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\huwyp.exe
  "C:\Users\Admin\AppData\Local\Temp\huwyp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\vuguv.exe
    "C:\Users\Admin\AppData\Local\Temp\vuguv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
20d0dde02cbbca0903749e4033bae8c5

SHA1
d19da8243bce36f392e29c56aa674b3f01b9fe2d

SHA256
c3c9fcbb0cf750025fb87e4492d8e7766d079096fed6bbbd1971ea202732a3e5

SHA512
0e2070fd38799a0b1d8524604599c22b28327712d18042dced09e41ee176c18bfa16152209ff73c7828149dd6865dffa0504f35c945dae44db6f2fc0b1be2619

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea0d2158add00405f07ccc5c24da22f6

SHA1
cbffa349a9c004607cbe52db08974ec7df4c5e7b

SHA256
3c904a05d5027613ae506357cc7ff6ee7d62426f35d0635826c0b004b2825185

SHA512
4d8a2fd7183c1314a2f244a5948863bde416c6ebf0fbb338de440474e4e6b163d2db9785d38695ce8a961f7e15f476de6deabac4bbd0e788b38c927f951b37a4

Download Submit
\Users\Admin\AppData\Local\Temp\huwyp.exe

Filesize
332KB

MD5
205ac41d6c495d21f41e9ae54df11eb1

SHA1
34ca41ec62cf6a592e62350fa270e49cb6b4b0ab

SHA256
1b06c98550b7c78da72c0258c7ee75697678538bb815709e9380540f74d319ff

SHA512
512f977c18d614fe0af421e62f56476da31871be867ce3d174dbe08c49f2733811a36afe2d3471da801ea5dd0d81e20732c552e9c9d4c18ee33957134be32628

Download Submit
\Users\Admin\AppData\Local\Temp\vuguv.exe

Filesize
172KB

MD5
26d31975d1cd165b1931551d5547546f

SHA1
d5b87ab00cb07889f94994295ffc24143d78c7fc

SHA256
9977ce693d7f07fae999f8369e3654985970b29f207aea11dacbdf92f7bbc3fa

SHA512
74bfe9920c1dfd21ddbe8e3408e48b2027d5f3485d78f79ee44fad6669732ebdc8896de07cb8cc51e473b886669598d4189387dcc4a313e6376eba800f578d56

Download Submit
memory/1920-48-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/1920-47-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/1920-43-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/1920-41-0x0000000000B60000-0x0000000000BF9000-memory.dmp

Filesize
612KB

Download
memory/2588-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2588-23-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2588-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2588-42-0x0000000000A00000-0x0000000000A81000-memory.dmp

Filesize
516KB

Download
memory/2588-38-0x0000000003640000-0x00000000036D9000-memory.dmp

Filesize
612KB

Download
memory/2656-20-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2656-0-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2656-7-0x0000000000BC0000-0x0000000000C41000-memory.dmp

Filesize
516KB

Download
memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing