urelas | abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4f

General

Target

abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
Size

499KB
MD5

c1498744807f0a299dbb91bb33023760
SHA1

6ac36ff619b2c01bf689d54047fff4e47acdbd2d
SHA256

abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4f
SHA512

b81e5cef86d970056659021727990f85fa976fd64215174a8b4fc0348162d8ed727ba52d0a8981aadbaf3958b6ff518639c46b1a031f418cdeedba5da01dc043
SSDEEP

12288:Po7CGWcQSyYI2VrFKH5RBv9AQ1pEDdK5U:PMUv2LAv9AQ1p4dKW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2380	epris.exe
756	hymyc.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
2380	epris.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epris.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hymyc.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe
756	hymyc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2380	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	30
PID 2528 wrote to memory of 2380	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	30
PID 2528 wrote to memory of 2380	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	30
PID 2528 wrote to memory of 2380	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	30
PID 2528 wrote to memory of 2348	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	31
PID 2528 wrote to memory of 2348	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	31
PID 2528 wrote to memory of 2348	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	31
PID 2528 wrote to memory of 2348	2528	abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe	31
PID 2380 wrote to memory of 756	2380	epris.exe	34
PID 2380 wrote to memory of 756	2380	epris.exe	34
PID 2380 wrote to memory of 756	2380	epris.exe	34
PID 2380 wrote to memory of 756	2380	epris.exe	34

C:\Users\Admin\AppData\Local\Temp\abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe
"C:\Users\Admin\AppData\Local\Temp\abcb810a0a10b864d14fc65aaea605d03b64cdad8b49caa8e13602c463f15c4fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\epris.exe
  "C:\Users\Admin\AppData\Local\Temp\epris.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\hymyc.exe
    "C:\Users\Admin\AppData\Local\Temp\hymyc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2907b35883f81cb335494649eabca267

SHA1
5327534c2fea9d67373de385b666c727ff1944ca

SHA256
d13d5390103a2ecd0e9b40e1fb9335e2dd5b69f14231055a706a7a823c7472d2

SHA512
c40e09b69b62f4b72d5c4b846c4331dfe9a5349839019e6a0ea5a2ef6f69bf19f074cc4812487ece38865c4c721c77ea249d007a275d555d61382472e97fac71

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5702e6b8181a4eff322cc0fb90c6d334

SHA1
dcfe52e57c3b7e264c93312a98426579df483ae3

SHA256
79dfdaea55f18e144082670f983c4b1de8354554f12abdc187cee322d1887919

SHA512
fc899c7098eeb93d09ef03cb84e737acd844bb45ab284bdf3e9609e4a05fd3b37424c0c9df6918f9824bcca60c38954c8a3f148435aed1612448092b551e4646

Download Submit
\Users\Admin\AppData\Local\Temp\epris.exe

Filesize
499KB

MD5
ced7ab1acb0a0f6a81951b8830f6f05a

SHA1
4f5c94cbf15c79b8927c6d7c2e045fb8da2c6f05

SHA256
ad11451a61e54658767b76e697bf809e4a08aeb122eeb644029ea11ef09d46a7

SHA512
b32872b1c4b92b2409f9719a2953e478809f962736f83dfe23594a467fd20f23508068dc4ac88b3689a038d82095713008740004f2895df5ec77ce7845b91027

Download Submit
\Users\Admin\AppData\Local\Temp\hymyc.exe

Filesize
172KB

MD5
1774d97570c6cc1febc9d42baf563f87

SHA1
fd35523e63e0347cb4d6570ade4bfb13638824c9

SHA256
0620b168ccc0a2c9a08a607b82e3a66d7f4594e916e1f546fa01a159947bff51

SHA512
d2e1c745bf1e56112d45a660a31d18bf0c208f38343e063088f58c61b45d8c8fe0f0dee2cea7cbd84c35bcc7592273e2a0cd569d9fbf31b023e035f514cee9ad

Download Submit
memory/756-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/756-38-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/756-37-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/756-36-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/756-32-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/756-31-0x0000000000BB0000-0x0000000000C49000-memory.dmp

Filesize
612KB

Download
memory/2380-27-0x0000000003300000-0x0000000003399000-memory.dmp

Filesize
612KB

Download
memory/2380-29-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/2380-21-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/2380-16-0x00000000002E0000-0x0000000000361000-memory.dmp

Filesize
516KB

Download
memory/2528-0-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2528-18-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2528-9-0x0000000002B10000-0x0000000002B91000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing