urelas | b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1

General

Target

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Size

332KB
MD5

1024d773fc47520c1454b600cdfee860
SHA1

7cb1ce05b8c60995daa64416b925426f139ea134
SHA256

b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1
SHA512

60a3f88d1c6403e58d391bbb9534b06aa5c928b1fea3d62b39927dda85f4186b59b6b3ee709bcc8339ba2309a969fe3ecd281e43877068069c5f5391704e6a7c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYi:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2516	daraq.exe
2812	zoxuh.exe

Loads dropped DLL 2 IoCs

pid	Process
1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
2516	daraq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daraq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoxuh.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe
2812	zoxuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2516	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	30
PID 1984 wrote to memory of 2516	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	30
PID 1984 wrote to memory of 2516	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	30
PID 1984 wrote to memory of 2516	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	30
PID 1984 wrote to memory of 2524	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 1984 wrote to memory of 2524	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 1984 wrote to memory of 2524	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 1984 wrote to memory of 2524	1984	b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe	31
PID 2516 wrote to memory of 2812	2516	daraq.exe	34
PID 2516 wrote to memory of 2812	2516	daraq.exe	34
PID 2516 wrote to memory of 2812	2516	daraq.exe	34
PID 2516 wrote to memory of 2812	2516	daraq.exe	34

C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe
"C:\Users\Admin\AppData\Local\Temp\b65676947ea69cec6ae7bbd2a4cacef7b9992dcf50e0ffde097928f92486dec1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\daraq.exe
  "C:\Users\Admin\AppData\Local\Temp\daraq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\zoxuh.exe
    "C:\Users\Admin\AppData\Local\Temp\zoxuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
04a7bfa8eb94ca946e1a890cc85ebfa6

SHA1
f9cd3e2f86e97ac420219e2fba3787684910607f

SHA256
a25689378fb74347ddc425110ed6f13f5a10787ba1913001946839a8953a972d

SHA512
b7fda068921b8ceebc1a74afd9a5e1ca9e3fbc60b9054c92afe9fa88293561894ef67f8e7cbe8abbe86bcef98350a803b9450eb6cf051b57433a4d4b6b67bc7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\daraq.exe

Filesize
332KB

MD5
388550f87f4bc7b04333a19179fb25df

SHA1
568c4a9faff0474af3054fbb860ac2f0a09001c3

SHA256
d519d444ff7f3d4975d6c616a7ef33c4c2ef142410652c8b58b6be16141e785e

SHA512
7ce40a5e1e89495c43f215ec24b8d13ba044db92b6da09414eb9d927b170a7092016ba452cf15fb1868bcd300e98427b9eab11baf1a848a0c433285b0e14bb9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
986addcce8b556d6a169650e51163442

SHA1
c77373ad51cca4aead921f2dfaec3d4ba3edff7b

SHA256
8cdea3645a11be43c0a12e18e2bd1b350ba5db71554fb07b85128717939ecac4

SHA512
233f3bb4fef14dc3628d7765fa2c9cb1e2f05ae690ed9f5fc9d46e772bb49d34d582098c51d2d854686c69fe098d132187be6193f646d389cd1bd4458148c8be

Download Submit
\Users\Admin\AppData\Local\Temp\daraq.exe

Filesize
332KB

MD5
5d52fdbc092a99fa2a227964d8f413da

SHA1
8111439f7880e46c221df69dcac3ec882c831572

SHA256
8471b23a2906c23b4f744941dbe9d084da254a1158024055539c72b90606392f

SHA512
7f605f47f6217534c64141a7771d5f4fcc817c68bf73ffff50f81830c7a110e9ffd7cd592f98239218204b1678190e53b51904b90dadafef27cbfa706b1011d1

Download Submit
\Users\Admin\AppData\Local\Temp\zoxuh.exe

Filesize
172KB

MD5
c9c5116ed867e44ffdf63e581b918065

SHA1
b5ac7f9ef89445fae3df15151fe34f0f069e0c41

SHA256
4659b8f1546992395e1f7ae4c1a0dcf292b057e30d972d3b30fd827dc6dab381

SHA512
0074cd79ee4505ea8739e8663c8149b32b39c24c4f39bc453b47b3f8122ca4ff69f7e49d685b0f0dd04e69285eb09dc4532235250030070fef9f2cfab43d9dd6

Download Submit
memory/1984-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1984-9-0x0000000002570000-0x00000000025F1000-memory.dmp

Filesize
516KB

Download
memory/1984-0-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/1984-20-0x00000000000B0000-0x0000000000131000-memory.dmp

Filesize
516KB

Download
memory/2516-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2516-23-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download
memory/2516-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2516-37-0x0000000003660000-0x00000000036F9000-memory.dmp

Filesize
612KB

Download
memory/2516-41-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download
memory/2516-11-0x00000000009A0000-0x0000000000A21000-memory.dmp

Filesize
516KB

Download
memory/2812-45-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/2812-42-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/2812-48-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download
memory/2812-49-0x0000000000C10000-0x0000000000CA9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing