urelas | ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996

General

Target

ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
Size

501KB
MD5

0310c3acb1be722cb0b048edf61a5ce0
SHA1

8babab2d4ebd61b02dd6d5f924bfd8ffc0ea53e8
SHA256

ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996
SHA512

992c8a167f92703d713801f16fa663d4c09b7738daa2772c9022b313a2a59cdc78a6c280d1025fc939cd21bc94d7b1c6a442a62ca03d87511cbb49045cfe25da
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5x:PMUv2LAv9AQ1p4dKP

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2900	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	isvue.exe
2992	exhap.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
2860	isvue.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isvue.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exhap.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe
2992	exhap.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2860	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	30
PID 2772 wrote to memory of 2860	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	30
PID 2772 wrote to memory of 2860	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	30
PID 2772 wrote to memory of 2860	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	30
PID 2772 wrote to memory of 2900	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	31
PID 2772 wrote to memory of 2900	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	31
PID 2772 wrote to memory of 2900	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	31
PID 2772 wrote to memory of 2900	2772	ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe	31
PID 2860 wrote to memory of 2992	2860	isvue.exe	34
PID 2860 wrote to memory of 2992	2860	isvue.exe	34
PID 2860 wrote to memory of 2992	2860	isvue.exe	34
PID 2860 wrote to memory of 2992	2860	isvue.exe	34

C:\Users\Admin\AppData\Local\Temp\ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe
"C:\Users\Admin\AppData\Local\Temp\ce6c31313b8164944cd16a1c9e0cd473f571861dcef444c69885f61138a2f996N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\isvue.exe
  "C:\Users\Admin\AppData\Local\Temp\isvue.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\exhap.exe
    "C:\Users\Admin\AppData\Local\Temp\exhap.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
459e67ab583254efa0f2fd6fcf68aaa2

SHA1
5c67094251985ca81dfd4c8f8d1bc149f031da5d

SHA256
930d7373de8162e8e3efb332b5f71d38b37bce6da2ea3af9dd064987413b7605

SHA512
cc453185a80307325388d2a335e96b8f22cd928b76b841c418190054667838951068508123449c508ec9cb6cdc81ba167f534ce1750539fc0a588b68d26faa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
67f8d4c6a6e4303fee4f334761813b8a

SHA1
d002a09da57acd64c705585a1ad16e07cdc5fdea

SHA256
14c1a3361680db2d8e4ae418caff1916356fce85a01d3d8773e1b42c8b97f27e

SHA512
725795f9e384c68ee6949f9e53fafe81c5091136e217982c35f9b68e4f998366acfe1933879547c382c2694d8d59cca41d4c6499146878503b6896dbe649c5ba

Download Submit
\Users\Admin\AppData\Local\Temp\exhap.exe

Filesize
172KB

MD5
01b8e24a49e0c435d7d93292e8e832fd

SHA1
e4d188749d57ca0669d8d114c8f19cac9f5685e0

SHA256
f07d02bc7717ca5d68d42e06c1f29a7c984d713966e310dd9429e9cf79daaf77

SHA512
b9f9b561fb88b22fe3ca1e54110f2fdb155181ace75c65e61227a5b9057bfb89e82ae3362a5372ddec60247a1d5bea50d34129a8efca0cbeb284150fca8c3437

Download Submit
\Users\Admin\AppData\Local\Temp\isvue.exe

Filesize
501KB

MD5
c43605831b1b88ec17869d52fcc934ad

SHA1
803d57b179a459c96cca35c84e08619b01c1eee9

SHA256
b35697b28f186788f7d529e524b5f0fe9319bcbe3c156337e2b707df0c54e5f8

SHA512
3fac94508a03772a5bb6117e17df04e969231630288a4dbae673e65c9704a6a95293cdce61f14c6d5faeee14abe2d78147ab6f3b1bda0d1cb77b7c97279082c5

Download Submit
memory/2772-8-0x0000000001EC0000-0x0000000001F41000-memory.dmp

Filesize
516KB

Download
memory/2772-18-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2772-0-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/2860-21-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2860-16-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2860-27-0x0000000003320000-0x00000000033B9000-memory.dmp

Filesize
612KB

Download
memory/2860-29-0x0000000000230000-0x00000000002B1000-memory.dmp

Filesize
516KB

Download
memory/2992-32-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/2992-31-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/2992-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2992-36-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2992-37-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download
memory/2992-38-0x0000000000F90000-0x0000000001029000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing