urelas | cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098c

General

Target

cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
Size

592KB
MD5

ede527e53c6cc312aaa1a1737452c520
SHA1

accd4d8966a21cabde31941b3fe6d71f62d3a745
SHA256

cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098c
SHA512

16301ec885cc2353451c15d6b8f86d0e8cb5445c7deedc1a62e4ed2c36be92aaa5e6f94d406f39dc6312999f5b020b34e4f0faff3840474b0be617178af1b799
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZR0:C4jm0Sat7Az/gZvTIq2WKkw0Fe

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2308	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	gehis.exe
1328	qyjox.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
1956	gehis.exe
1956	gehis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gehis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyjox.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe
1328	qyjox.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1956	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	30
PID 2348 wrote to memory of 1956	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	30
PID 2348 wrote to memory of 1956	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	30
PID 2348 wrote to memory of 1956	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	30
PID 2348 wrote to memory of 2308	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	31
PID 2348 wrote to memory of 2308	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	31
PID 2348 wrote to memory of 2308	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	31
PID 2348 wrote to memory of 2308	2348	cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe	31
PID 1956 wrote to memory of 1328	1956	gehis.exe	34
PID 1956 wrote to memory of 1328	1956	gehis.exe	34
PID 1956 wrote to memory of 1328	1956	gehis.exe	34
PID 1956 wrote to memory of 1328	1956	gehis.exe	34

C:\Users\Admin\AppData\Local\Temp\cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe
"C:\Users\Admin\AppData\Local\Temp\cb214c322d63fe9c02f1e4be50cdf84a56c9f89765c86417e29ad6adb9fc098cN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\gehis.exe
  "C:\Users\Admin\AppData\Local\Temp\gehis.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\qyjox.exe
    "C:\Users\Admin\AppData\Local\Temp\qyjox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0a24be36d4272a2da52e0b5d618e5682

SHA1
a0679ad9cfd00754381182d344b0a09af00a225a

SHA256
9a92ff8d26de32da382c514c68acc982d5ac67ae53e026d15664e36bb97de129

SHA512
75e22d7d1268191335ca4b6f61843fd9c99a4f16173bb407860f546cd6cd6b1672555725f8a372c3cf77e4b91b6c69ba0b429ae589788a99b2a2ec0e7d9de460

Download Submit
C:\Users\Admin\AppData\Local\Temp\gehis.exe

Filesize
592KB

MD5
272a8d570a30fbe38043b38a07312a91

SHA1
217c66bf6b88d2b2cf2e17b9f6ef8cefbe19a672

SHA256
ac77632e33b2bd813510098dfeb8a861885b8c4eac1ac43099e818474c279c68

SHA512
63ec245b99625b46c4b4a5df221632bee63c8f550b8e2df3dd7cbc12f786fd6df168f235346647683b2eb614159572969f1591721c4c6377e303a4b6aa2e9280

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
925a6e3040e679b415552eb550cb440d

SHA1
2af7a001a730d1810726338537befa0c78ad6c6e

SHA256
9f1573ce71ec66c287a20c860e908bd77a275f18cbee79e44441603c376e02a1

SHA512
24a9a21d58e645acbfefc7e0d3a78b4c679b9f1e50b3258ab0c80fd6c2efd818bc272c39fbcdbc07cab239b3ab5de88635795cbf395f8ea8613db1227c2949b7

Download Submit
\Users\Admin\AppData\Local\Temp\gehis.exe

Filesize
592KB

MD5
2784b97c98189b5d70ff8937fb0836b2

SHA1
01ead27f3c3322b2d50b78e6c2c000a29bd58b2a

SHA256
52e1c6435e2425504ef6de56f56e86b3e360517183a526a6b1021071baa78071

SHA512
104a8c46e3a4c325f1730353e88b3d8e7b305b709e360194654f56e18c8a1e223d886758d1ab55701815ed312c3146be76b8a797c07d6e1c656c572ef4d50cdd

Download Submit
\Users\Admin\AppData\Local\Temp\qyjox.exe

Filesize
323KB

MD5
d691ec7b595e4ab79620ac5b2f60975b

SHA1
e31d34b038780b9563e01c2505aaceb890436786

SHA256
2e7e8c0a90d50a05fa07299c9316a62c1491d9af33221f34054ca2279fcd5bf1

SHA512
300558967d885a151f6148ff7aa21ce1a505b034cba41d30679d250e2cb444fc30a5e77704e5ae78e57b1ac6187add6a6ba337acde4520c4b68dc69cf5a6905d

Download Submit
memory/1328-32-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1328-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1328-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1328-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1328-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1956-29-0x0000000003BA0000-0x0000000003C37000-memory.dmp

Filesize
604KB

Download
memory/1956-28-0x0000000003BA0000-0x0000000003C37000-memory.dmp

Filesize
604KB

Download
memory/2348-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing