urelas | 4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f

General

Target

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
Size

333KB
MD5

af649e88296ceb9e1d695358491cc750
SHA1

830da14bc248fa18205b5a0cbdb812734ca69b58
SHA256

4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703f
SHA512

95bf144918ca6ccbfb7d9598f8f35e466cc92231c2cdf83675fc95ef5c75a56024f3148801850e4acf64ba7e00d361db3edf0aece87dcb27c3e57e623e57190a
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYPy:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	guaxm.exe
2852	obrip.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
2820	guaxm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guaxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obrip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe
2852	obrip.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2820	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 2484 wrote to memory of 2820	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 2484 wrote to memory of 2820	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 2484 wrote to memory of 2820	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	30
PID 2484 wrote to memory of 2908	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	31
PID 2484 wrote to memory of 2908	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	31
PID 2484 wrote to memory of 2908	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	31
PID 2484 wrote to memory of 2908	2484	4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe	31
PID 2820 wrote to memory of 2852	2820	guaxm.exe	34
PID 2820 wrote to memory of 2852	2820	guaxm.exe	34
PID 2820 wrote to memory of 2852	2820	guaxm.exe	34
PID 2820 wrote to memory of 2852	2820	guaxm.exe	34

C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe
"C:\Users\Admin\AppData\Local\Temp\4fa8b7e45fd010a9bd8c8492484828e257d22012af34db7da5331446f322703fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\guaxm.exe
  "C:\Users\Admin\AppData\Local\Temp\guaxm.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\obrip.exe
    "C:\Users\Admin\AppData\Local\Temp\obrip.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
51eb60591001633f51a3690f0d69b21c

SHA1
2c5ab7a2e840ff3b4a81c85dd668ff6908dd31b3

SHA256
00b3935a5e5c00cc5640df9e92aa90903353835e2e1371adcd507be48aa3bdf7

SHA512
de8273739713c511957d81e151d4109d17a9d7d6f5322bf166869ad8a8f90d38b96586523009d6bcf425c257709131de69a0fbbb99209b533eb330c73836a217

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1c182b0fd10822ea2714da8694e4a836

SHA1
7e2f092502673f7b92632d9cde5d292ac6942ef1

SHA256
3596d6005a6b347364c1a98c37498e7c15bddf7dcb4d65874a8769df5dbfe239

SHA512
7dd815cd459a1df0c54436a36c92ad2b90fd151a910543c89989cb1f5295a29b071408729e6e3d3777754c669b2576a360296f8ccd6bd4527a965735b180f6d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\guaxm.exe

Filesize
333KB

MD5
658c81e402309be09c15b1b02d115da6

SHA1
a70da3aa5b2c3b5ea8199c891141aef6d20eb991

SHA256
183daa1c43f14db0b8191543109f80a47b3c08ae98689639444e2322ec2f150d

SHA512
d3e875d4ad07198af045112e6c87ea537497c4e46b0d9c7095c11e6093652b106c8056d920ea08748cb21f2ae126260f641120052b2af15761d8211c8f7234ec

Download Submit
\Users\Admin\AppData\Local\Temp\obrip.exe

Filesize
172KB

MD5
daabb6427bf0c0a3915b9a4448db9630

SHA1
107cd997f8beaabe2b7808bbef2af59c7a09929f

SHA256
6b7e554a765af5e02a5008b3730e3fcf7a8258a96ddf8b055a9f53e283145402

SHA512
ff1628f914c1f8ea692a9a7bd17e460073a0c00b4a71fe83066b1c99810a7366b3bb2061aa20128da4cf909bbef7603308a3e327d1f088ee567a4fd5c59657ad

Download Submit
memory/2484-0-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2484-21-0x0000000000C30000-0x0000000000CB1000-memory.dmp

Filesize
516KB

Download
memory/2484-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2484-10-0x0000000002AB0000-0x0000000002B31000-memory.dmp

Filesize
516KB

Download
memory/2820-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2820-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2820-24-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/2820-11-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/2820-38-0x0000000003CA0000-0x0000000003D39000-memory.dmp

Filesize
612KB

Download
memory/2820-42-0x0000000001370000-0x00000000013F1000-memory.dmp

Filesize
516KB

Download
memory/2852-43-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/2852-47-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download
memory/2852-48-0x0000000000F10000-0x0000000000FA9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing