urelas | 93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068ad

General

Target

93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe
Size

326KB
MD5

2a974e548bcee92a9f49c8d04a12ab60
SHA1

20713d1c848b27e1f9edd9effe440b7910702d03
SHA256

93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068ad
SHA512

1140158ff78108353f15b2d3f1cca525b5b754aacf09cceb613b0e53ba663420e22b35a78819f680638df073f6556ec2a4ff9c2dfba1b8ff1911965bc09f6720
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2876	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2724	hifip.exe
1132	ryujy.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe
2724	hifip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hifip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ryujy.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe
1132	ryujy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2724	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	31
PID 2764 wrote to memory of 2724	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	31
PID 2764 wrote to memory of 2724	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	31
PID 2764 wrote to memory of 2724	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	31
PID 2764 wrote to memory of 2876	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	32
PID 2764 wrote to memory of 2876	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	32
PID 2764 wrote to memory of 2876	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	32
PID 2764 wrote to memory of 2876	2764	93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe	32
PID 2724 wrote to memory of 1132	2724	hifip.exe	35
PID 2724 wrote to memory of 1132	2724	hifip.exe	35
PID 2724 wrote to memory of 1132	2724	hifip.exe	35
PID 2724 wrote to memory of 1132	2724	hifip.exe	35

C:\Users\Admin\AppData\Local\Temp\93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe
"C:\Users\Admin\AppData\Local\Temp\93b33f4c17b607dbe484cc81d53d005df8ba64680a4e9a42d43fe8fe7a8068adN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\hifip.exe
  "C:\Users\Admin\AppData\Local\Temp\hifip.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\ryujy.exe
    "C:\Users\Admin\AppData\Local\Temp\ryujy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
bfa43d8043c41cfebcaf375ae695d794

SHA1
b4bc85b33b22a84c56f5b23c6f6e0b444e762876

SHA256
d401c9a10f195ee6ca92979ec6f7329f1ad46191b1b7d5c42e24582238822690

SHA512
321fe457866dd89e361527cbe94a97e6c9dcd0f56d60ba748efb6c7e1e81f9474caaee39d8ee72e33c7d82327ded7d42a4be3caf01e868052add431dceb414cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b14d2bb3d5a4385d40c60e88da1a4a81

SHA1
d7146cd60dd87519e48f11aa0b45c87101dd427d

SHA256
23c75568c05c5949604eb501462ca7fc5840f14581dd3305a7eed19871350a73

SHA512
9463778efb1c3f407344e6c0d6e953f04095685e3a7d47586ca81f383320043fefe03480ef2572563b2e1bc0b5ee36a19b08925633f954eeddf2beab6614e3a6

Download Submit
\Users\Admin\AppData\Local\Temp\hifip.exe

Filesize
326KB

MD5
e718a212ebf28d16be3b8812f8e0b930

SHA1
96cfa670376ae15a8ca2bd70d280d7728567df61

SHA256
11efbcc5e360993efbf0165a2115522f5d892e64d9809b440dddfc875e7cbe73

SHA512
5be743a7d87d87185de5c8dfdc31571cbda87ba5371c700d1c41a26f19640786d48dc63372c6f46ed978b5456a5bdc215c0a26e1931f492bf702a1e0ef38d003

Download Submit
\Users\Admin\AppData\Local\Temp\ryujy.exe

Filesize
172KB

MD5
942b57a8681724ddbaa8bfdce26ac8aa

SHA1
d6e68e91d47fcc67731bb7cae7e16009f05d7819

SHA256
c9de1046a66a2508730d2586a671835c563233f4a466551094a7bb88c002adcc

SHA512
49db1925e9e99de9e760ec5d97c173a3166ac2862a6d9d977ed3260c52d11c7e2c180827c01411173f4437f3bf63f72a6883b4e0835f4d09e0f6d1a9f752edf6

Download Submit
memory/1132-43-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/1132-46-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/1132-49-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/1132-48-0x0000000000310000-0x00000000003A9000-memory.dmp

Filesize
612KB

Download
memory/2724-42-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/2724-24-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/2724-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2724-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2724-11-0x0000000000BD0000-0x0000000000C51000-memory.dmp

Filesize
516KB

Download
memory/2724-40-0x0000000003520000-0x00000000035B9000-memory.dmp

Filesize
612KB

Download
memory/2764-0-0x00000000002F0000-0x0000000000371000-memory.dmp

Filesize
516KB

Download
memory/2764-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2764-21-0x00000000002F0000-0x0000000000371000-memory.dmp

Filesize
516KB

Download
memory/2764-9-0x0000000002C00000-0x0000000002C81000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing