urelas | c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884

General

Target

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Size

332KB
MD5

dd283e263e2b0339bf8bb6a19a7ef990
SHA1

b91c87e5ca1573739a501f8bd91b041a1adbe82f
SHA256

c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884
SHA512

198932fada52cf3b8b908c634251a252a14e8118950222c490a3249004d6fca78acfdb1e789fbfbfca2425a0365561d7637c4307e1ec201d9bf72c65d0436b3b
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVb:vHW138/iXWlK885rKlGSekcj66ciEb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2992	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	huwyp.exe
340	vuguv.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
2936	huwyp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	huwyp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuguv.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe
340	vuguv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2936	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	28
PID 1852 wrote to memory of 2936	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	28
PID 1852 wrote to memory of 2936	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	28
PID 1852 wrote to memory of 2936	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	28
PID 1852 wrote to memory of 2992	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	29
PID 1852 wrote to memory of 2992	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	29
PID 1852 wrote to memory of 2992	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	29
PID 1852 wrote to memory of 2992	1852	c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe	29
PID 2936 wrote to memory of 340	2936	huwyp.exe	33
PID 2936 wrote to memory of 340	2936	huwyp.exe	33
PID 2936 wrote to memory of 340	2936	huwyp.exe	33
PID 2936 wrote to memory of 340	2936	huwyp.exe	33

C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe
"C:\Users\Admin\AppData\Local\Temp\c7ab6e6a15d869dadef52ff822aa8fee52a071fa7b1c98dd1bae8f8ea7018884N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\huwyp.exe
  "C:\Users\Admin\AppData\Local\Temp\huwyp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\vuguv.exe
    "C:\Users\Admin\AppData\Local\Temp\vuguv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:340
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
12cc31e42f61ba51d1ef42b3dfd7dcad

SHA1
feec1c4dd538f7e2a03b9a9edcb2ae38db9b9275

SHA256
640d2e011c0789c0c436c6bd990adc5042a65341afd0d6c14ed099ba24de54ee

SHA512
9c2fa7c203fdf61f1757462a612e45fdc975b651bb3a2c9d7d218400e6f087c01d86ed82b5dc446ec44644de06aad9dc54158695332393463bb7f86eaee8d8ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ea0d2158add00405f07ccc5c24da22f6

SHA1
cbffa349a9c004607cbe52db08974ec7df4c5e7b

SHA256
3c904a05d5027613ae506357cc7ff6ee7d62426f35d0635826c0b004b2825185

SHA512
4d8a2fd7183c1314a2f244a5948863bde416c6ebf0fbb338de440474e4e6b163d2db9785d38695ce8a961f7e15f476de6deabac4bbd0e788b38c927f951b37a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuguv.exe

Filesize
172KB

MD5
6c4a0ab6adf2bf383dc93e32844f3a6c

SHA1
b563a0dcade79847a3227bd3525194f551d4821d

SHA256
e393d8fbe1b6342b06aaa3d9e1195835e73a63800c64dc7dc9130a0e8e528a70

SHA512
346fd0f2e2ec69d2f2ff6765fb1dc22c3432ba8e16c828ba03c7358c8ea60818fbc3e1a2a593c2675dd44960290c7f5999283e12b1b392df19d10da13010be90

Download Submit
\Users\Admin\AppData\Local\Temp\huwyp.exe

Filesize
332KB

MD5
51eed1ab0f7858d508ed63816b25835e

SHA1
0bdbf0f8b6a5e09c10eddf2ddbfb3462671a4a7d

SHA256
a74cf7dcfa120bf76f2738e92fddc2e3522464271b7ea7d5371fbc30d230fbf1

SHA512
c1635d12c5681142bfaa57397008160ef6ffe111822beac352c4f5b141fb21576260dd0a1cab22f450ea9354f292ba400edffc4bb498f5a979aa4a2e1fdee9dc

Download Submit
memory/340-42-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/340-48-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/340-47-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/340-43-0x0000000000820000-0x00000000008B9000-memory.dmp

Filesize
612KB

Download
memory/1852-21-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/1852-0-0x0000000000DB0000-0x0000000000E31000-memory.dmp

Filesize
516KB

Download
memory/1852-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1852-7-0x0000000002510000-0x0000000002591000-memory.dmp

Filesize
516KB

Download
memory/2936-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2936-18-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/2936-40-0x0000000003280000-0x0000000003319000-memory.dmp

Filesize
612KB

Download
memory/2936-39-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/2936-24-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing