urelas | 083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0e

General

Target

083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
Size

535KB
MD5

a9a26bab1a8605aadb5e6cc177df9300
SHA1

90256a8a70cb8b4d48bce16e9ccd93349f206d8f
SHA256

083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0e
SHA512

614485e8750052eefe509971fa2e0b9a426c88b231d1322fe84048fb211148282f713d83e6edc140ef25cd69f8b88c692c72ed7ab463d2a19726b470f3fc63b8
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPK:q0P/k4lb2wKatK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2176	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1900	nugai.exe
1452	epyqe.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
1900	nugai.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epyqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nugai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe
1452	epyqe.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1900	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	28
PID 1656 wrote to memory of 1900	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	28
PID 1656 wrote to memory of 1900	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	28
PID 1656 wrote to memory of 1900	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	28
PID 1656 wrote to memory of 2176	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	29
PID 1656 wrote to memory of 2176	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	29
PID 1656 wrote to memory of 2176	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	29
PID 1656 wrote to memory of 2176	1656	083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe	29
PID 1900 wrote to memory of 1452	1900	nugai.exe	33
PID 1900 wrote to memory of 1452	1900	nugai.exe	33
PID 1900 wrote to memory of 1452	1900	nugai.exe	33
PID 1900 wrote to memory of 1452	1900	nugai.exe	33

C:\Users\Admin\AppData\Local\Temp\083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe
"C:\Users\Admin\AppData\Local\Temp\083f1d8c2a1a7ff69600c5a60d23bc2b66bb4853384a3b13a4ddd1ef863aeb0eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\nugai.exe
  "C:\Users\Admin\AppData\Local\Temp\nugai.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\epyqe.exe
    "C:\Users\Admin\AppData\Local\Temp\epyqe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
e225c057d30eada45a10d1267c39f94a

SHA1
b63bfbde9a619357cff7bb27b16622c32e6f4981

SHA256
81c1b3dc48af46abf39174c16d338a87f249345362d9253324c54eba2ea4515d

SHA512
8b51a227341a8ab5e5756acbdb1214dbcced44d906bed0f1256784ab2c7e6362a8b850437f4e7b202ffda6f549afa7c29b11aa8019e30935756f074bcf849366

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
19f5d9bac126d4da0fdfe81e413101b1

SHA1
87bfefacdc81ead3d6cd72131b7a79d29a61bba2

SHA256
e24a904abb8e36100b674e4935078862c9840cd72290f320c1068650010eb11e

SHA512
47d5a24d5d60b34c7cac17ba18cd5153f970cc3dadbdb959bf000a1d178576476d11105473eeb21ee33c907925ad9a239a1da157408fb69c7995d9162d77a750

Download Submit
\Users\Admin\AppData\Local\Temp\epyqe.exe

Filesize
236KB

MD5
75604b037222e0304b6f2b9c281f768e

SHA1
8499687dab0a641b7aee2803c2cac4e4c2be0120

SHA256
84f5bbbbd147be0855026eb858a9e7c7c4fa624908cb6d0c8b5af47070dcf6ae

SHA512
211c2e6761bce560e78afe72cffcdaa9a1fcbbd4f8cb26104439005f438716453ae8aa369795627056cb2d13c4ad85291e94525a1ff26dc86aca142353bc054e

Download Submit
\Users\Admin\AppData\Local\Temp\nugai.exe

Filesize
535KB

MD5
f47ecf6df7f09199c9287ce3d226e373

SHA1
907660a45f9edac241a36484e6b80c3a1d3f324d

SHA256
772bf0bfb442d534e2b6501984cbc43dac781a4dd9e091b277a470c265f79ac2

SHA512
e7874a6b0e95a69e9c1ad5fa5df776801f5ab8d93e01b533c4521368c24856329fe26c02558d7e06ff6cc1bede390928400a9757bfa2dea7363db354585049d9

Download Submit
memory/1452-30-0x0000000000200000-0x00000000002A3000-memory.dmp

Filesize
652KB

Download
memory/1452-32-0x0000000000200000-0x00000000002A3000-memory.dmp

Filesize
652KB

Download
memory/1452-33-0x0000000000200000-0x00000000002A3000-memory.dmp

Filesize
652KB

Download
memory/1656-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1656-15-0x0000000002720000-0x00000000027AC000-memory.dmp

Filesize
560KB

Download
memory/1656-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1900-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1900-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1900-29-0x0000000003BC0000-0x0000000003C63000-memory.dmp

Filesize
652KB

Download
memory/1900-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing