urelas | 0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2b

General

Target

0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
Size

328KB
MD5

9f0430ad5afbdfc9393b309e8dcb4600
SHA1

8b267dd9c1942020c384001ac2d78b004a01a7a9
SHA256

0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2b
SHA512

7d2f152b90fae91c1d860843bca9c68adfbd22e90a49ae854d3be24489860941bec9aca5a865bd8731b391d48aee6cd56b391ffa3742c120fcc49760b60edece
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOx:vHW138/iXWlK885rKlGSekcj66ciO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1544	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2364	xociw.exe
2372	viylw.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
2364	xociw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xociw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viylw.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe
2372	viylw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2364	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	31
PID 1968 wrote to memory of 2364	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	31
PID 1968 wrote to memory of 2364	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	31
PID 1968 wrote to memory of 2364	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	31
PID 1968 wrote to memory of 1544	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	32
PID 1968 wrote to memory of 1544	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	32
PID 1968 wrote to memory of 1544	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	32
PID 1968 wrote to memory of 1544	1968	0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe	32
PID 2364 wrote to memory of 2372	2364	xociw.exe	35
PID 2364 wrote to memory of 2372	2364	xociw.exe	35
PID 2364 wrote to memory of 2372	2364	xociw.exe	35
PID 2364 wrote to memory of 2372	2364	xociw.exe	35

C:\Users\Admin\AppData\Local\Temp\0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe
"C:\Users\Admin\AppData\Local\Temp\0490ab2d204fcdd8d0e509ced3e2a107da76134fc61bbb64d3ffea58b901bf2bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\xociw.exe
  "C:\Users\Admin\AppData\Local\Temp\xociw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\viylw.exe
    "C:\Users\Admin\AppData\Local\Temp\viylw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
91dbfb50cd89e689bda0178dea673ee7

SHA1
67c4021d0ae8deeff96b6047ab3b833a0a5800df

SHA256
0d06820b387f55d4c9d241849b19dcce3b10d4250f2f46b07e7284c8b5f5e5a1

SHA512
c8ff079a3cbf0de5a160559c011c43e839aa8f75770de527685318957808566a84f7f085792345945d577b8dd3e695c214b8f47554923a9141cc229d70e10edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
23891763e82b934025fd9ad7fcb1448d

SHA1
50424612d199723fc9f6d3fceeeed2eb8925ae7e

SHA256
75e3b43e49eec32f98d0958aed1b769ce82df57765ad9db7c5b758c0015df588

SHA512
a35a1835ee197008d5517164df33460e3f10308c0d4bd07db204cadfcbbbe1948a3ddf9fffb533da18d3d5bac0014a69443c457683c39f160cafb13e4ea925df

Download Submit
\Users\Admin\AppData\Local\Temp\viylw.exe

Filesize
172KB

MD5
b68a70421e781ea8755cc31a92115baa

SHA1
8116cd488848f980f980b8a92e803a8a1a3fdf68

SHA256
5bc78966004118e1f7fc4b7ca4d4b500fe5d3835f3b252b223f3e1005173935f

SHA512
4027d159d58a63177782c85f335ac5f25ebe4bdef67d0d7fc3dc09084edede64acd19a89d141ce2521c0be53dbf975171e6ad8dbe9a8b635a23d098de2a182a1

Download Submit
\Users\Admin\AppData\Local\Temp\xociw.exe

Filesize
328KB

MD5
230b316008e2a8f1e3c72354ef9850cb

SHA1
302d6e55bc5d7eae999c937c1278a3959e386061

SHA256
7b6fc28dc7504b77a8c1200a28a09aebc097619b0a9fa366a7d1d2bbaf9bdd90

SHA512
c84831cfd58225409ce8d76c521ef20ea59756da9bffb8fd6dcc9dc707bcef5c4c8b42d062b730136273a9bf49cb700d91d7dd50083413bccf1618bd7dfd87d6

Download Submit
memory/1968-0-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/1968-7-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/1968-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1968-21-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2364-13-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2364-24-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2364-12-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2364-39-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2372-41-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2372-44-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2372-46-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download
memory/2372-47-0x0000000000A00000-0x0000000000A99000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing