urelas | 6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212

General

Target

6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
Size

328KB
MD5

7646c1e5540b53630c342928851a28c0
SHA1

9b239e2e0d68cfe01f5e21d20f6d7d41bf41ef2e
SHA256

6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212
SHA512

95a237a843b8872cccbb10054d12e890dadd2d9d282986591626bc3be4eb5ede3e21dd2518c88891328ed99ac9fab1e22bc5659d4ccc142df84c91616059e1ba
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOj:vHW138/iXWlK885rKlGSekcj66cis

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
848	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	qypyu.exe
2756	rikux.exe

Loads dropped DLL 2 IoCs

pid	Process
2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
2364	qypyu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qypyu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rikux.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe
2756	rikux.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2364	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	31
PID 2080 wrote to memory of 2364	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	31
PID 2080 wrote to memory of 2364	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	31
PID 2080 wrote to memory of 2364	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	31
PID 2080 wrote to memory of 848	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	32
PID 2080 wrote to memory of 848	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	32
PID 2080 wrote to memory of 848	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	32
PID 2080 wrote to memory of 848	2080	6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe	32
PID 2364 wrote to memory of 2756	2364	qypyu.exe	35
PID 2364 wrote to memory of 2756	2364	qypyu.exe	35
PID 2364 wrote to memory of 2756	2364	qypyu.exe	35
PID 2364 wrote to memory of 2756	2364	qypyu.exe	35

C:\Users\Admin\AppData\Local\Temp\6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe
"C:\Users\Admin\AppData\Local\Temp\6c11808e9d31364c67d2e83f0a8ae811af9215080eacc55a5a46e80452bf3212N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\qypyu.exe
  "C:\Users\Admin\AppData\Local\Temp\qypyu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\rikux.exe
    "C:\Users\Admin\AppData\Local\Temp\rikux.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b3de8c3cbc5365cca538e677c4951db5

SHA1
088067f953683a8de15d76251021c4bea47a14b7

SHA256
6fdff3846b767e3e609cd86f595522b7be7c6477a55c482a83a8b8560e895bab

SHA512
7f8d66df21ac9fe781243a9d58f14a732cdb995aa2e1734e81fa018fbe9e374de6d56b473a3e4f67a14ccdefbd79c57fdd6292599346bcd70942e22fa667f0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
18b667927503dab3e0e867adb565eb6d

SHA1
3c367b27cdcea77aea295080bc78e35c1b9dc53b

SHA256
b3f76f396b5ef36a97d0ca747fa0b01584edbaf28f48a5882b287dbd35457fd2

SHA512
963d7355ae3b55d90b38cf403759342b10197d9bc924b2997d7ebbfac6ea739eef894788f5433ee19de16013f222c0618e46d15e0357e37fbe7ad5b576793f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\qypyu.exe

Filesize
328KB

MD5
5753fcf734d7752683de409950dbda8c

SHA1
90b66ca853efb9033a013884c2528f8b02ffcb00

SHA256
07fedc02fe92b7869da51fa047e58c33cb8b59a40f1d90ee8fe9b82eaf0c2005

SHA512
338f1b427294e5476d4d4f99177f9aaa3de6efde8963b6717354535061fec834974ab559a8fc777f5dc868fcc9221c0a40f81ca45e2886bcc62fe36236911bf4

Download Submit
\Users\Admin\AppData\Local\Temp\rikux.exe

Filesize
172KB

MD5
4aa413bb1ae670f7a95c6a94932c8111

SHA1
545aa39e8d438ecff541c1383946a4e263355bdf

SHA256
bfa86f91f12b3ab4530253da0a5dc792feee3506922ebd12c49771d4aca85dea

SHA512
e5911a8cfcb71e1692e8ea7ac9d50275613e8c99c2bc951c2667572a0b87351f737ea96dc70c840b82eaebbbe4d177193759b2a146cb65d9a942be2792d4bcbc

Download Submit
memory/2080-20-0x0000000000C00000-0x0000000000C81000-memory.dmp

Filesize
516KB

Download
memory/2080-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2080-0-0x0000000000C00000-0x0000000000C81000-memory.dmp

Filesize
516KB

Download
memory/2080-9-0x0000000002BF0000-0x0000000002C71000-memory.dmp

Filesize
516KB

Download
memory/2364-23-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/2364-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2364-17-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/2364-38-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/2364-39-0x00000000035B0000-0x0000000003649000-memory.dmp

Filesize
612KB

Download
memory/2756-44-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/2756-41-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/2756-46-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download
memory/2756-47-0x0000000000E50000-0x0000000000EE9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing