urelas | 2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f

General

Target

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
Size

333KB
MD5

8dd4853010e7db531898aa198b116300
SHA1

839c24033a06b4f9ff2abd065f12cbdec61d83e0
SHA256

2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5f
SHA512

1be5cbce7454acf89b94ec27ef1f9c74c3a8ef53bb6a93dc3ca9243ef9a5d612b1400d7215a4107e95512f7f073c65e3ba7d90f735db74c990830acf0444b5f6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9W:vHW138/iXWlK885rKlGSekcj66ciWW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2752	xicev.exe
680	igyvm.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
2752	xicev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igyvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xicev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe
680	igyvm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2752	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	30
PID 2188 wrote to memory of 2752	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	30
PID 2188 wrote to memory of 2752	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	30
PID 2188 wrote to memory of 2752	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	30
PID 2188 wrote to memory of 2768	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	31
PID 2188 wrote to memory of 2768	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	31
PID 2188 wrote to memory of 2768	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	31
PID 2188 wrote to memory of 2768	2188	2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe	31
PID 2752 wrote to memory of 680	2752	xicev.exe	34
PID 2752 wrote to memory of 680	2752	xicev.exe	34
PID 2752 wrote to memory of 680	2752	xicev.exe	34
PID 2752 wrote to memory of 680	2752	xicev.exe	34

C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe
"C:\Users\Admin\AppData\Local\Temp\2231e8328816958134c34b95effd63b6e36ba402c0c41d21eaf226c21f222c5fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\xicev.exe
  "C:\Users\Admin\AppData\Local\Temp\xicev.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\igyvm.exe
    "C:\Users\Admin\AppData\Local\Temp\igyvm.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e5991d6a36d31e5178c54f63402b6940

SHA1
1e433727b4d58f6b33c378dd127977e304b51d0f

SHA256
7c0d0958b7fb9cacf1f670f1ad84511da0a6f2f0a53a3b4b0e97537c2ea62965

SHA512
6653b0569e69da972d1c6222df92064dc665cf0aa1da18dfd3496c1aa4bae56c94df271c46e5d7fdacabb15e0a64075a8c01ed6211c5efc60a47b8d7b39ab89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
49c2cee682d5171922fcff7f522785e0

SHA1
ed220ca29dbe61bc17e87f8086927c0c0359794f

SHA256
11d88acc13e9820ea001cd1f6b72d320341c6665ca4cff36c410fc593cdeb3ff

SHA512
47902c5932dbdd0527de6da77343a14cb3a5d76a490d0e45458caa6959d41944cd7fdcff5e426548bb74d732c2f8d3d2d65c98707b176cca59870450db5a1d91

Download Submit
\Users\Admin\AppData\Local\Temp\igyvm.exe

Filesize
172KB

MD5
633bb3c8b81143db50dde7ed271ea18c

SHA1
56da9d8a1f5de2e89c8b1867c1523bdbddac2f39

SHA256
11e4ffe07cc475f847d88f3be03644675d487c52612940b552cf324fad7d9b48

SHA512
e3a759641d8b83bc3ebabe12bb5dd9c383e7a7a46c088edeeea528f9d67a1f6570cf2987e6579e24e88170ad2d266eff1b454120442c6f7084d4b70b8ba29bf3

Download Submit
\Users\Admin\AppData\Local\Temp\xicev.exe

Filesize
333KB

MD5
59ce0d0c38b5b65d0f2a21f218fb9f5a

SHA1
54063b60697c57101261bc5565766fb5d6768748

SHA256
ebf9e53b5bd78344380f8a0fdab65ef688c46c7e934c470ce9dc3954831b3b5b

SHA512
481b5dbbf0ef2f95cd1d5dd644bc3b01d3657ea5b9e1bfce6d7bed6dbb84caddab1765a2ec0e83e9ae11704d34b03bbe4cfba7ae70d239cdeadba1a3f36b66e5

Download Submit
memory/680-42-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/680-47-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/680-46-0x0000000000210000-0x00000000002A9000-memory.dmp

Filesize
612KB

Download
memory/2188-0-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/2188-9-0x0000000002180000-0x0000000002201000-memory.dmp

Filesize
516KB

Download
memory/2188-20-0x0000000000910000-0x0000000000991000-memory.dmp

Filesize
516KB

Download
memory/2188-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2752-23-0x00000000010A0000-0x0000000001121000-memory.dmp

Filesize
516KB

Download
memory/2752-41-0x00000000010A0000-0x0000000001121000-memory.dmp

Filesize
516KB

Download
memory/2752-37-0x00000000035E0000-0x0000000003679000-memory.dmp

Filesize
612KB

Download
memory/2752-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2752-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing