urelas | bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4

General

Target

bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
Size

332KB
MD5

140484087100d4c593cb84d26dbb4e20
SHA1

c7d047144a44471dd3bb873f564b1f37ee052d06
SHA256

bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4
SHA512

5bb2e15ba83688ade752563a2225d24518ab41ff909773aef6bafab3a07b8b0e4d346bf7fb2526398e19f12b4741cc913a2125532b123790a107dd2172bd6fa8
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYrg:vHW138/iXWlK885rKlGSekcj66ciV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1472	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2100	oxlyj.exe
2864	zoawj.exe

Loads dropped DLL 2 IoCs

pid	Process
2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
2100	oxlyj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxlyj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoawj.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe
2864	zoawj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2100	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	31
PID 2228 wrote to memory of 2100	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	31
PID 2228 wrote to memory of 2100	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	31
PID 2228 wrote to memory of 2100	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	31
PID 2228 wrote to memory of 1472	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	32
PID 2228 wrote to memory of 1472	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	32
PID 2228 wrote to memory of 1472	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	32
PID 2228 wrote to memory of 1472	2228	bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe	32
PID 2100 wrote to memory of 2864	2100	oxlyj.exe	34
PID 2100 wrote to memory of 2864	2100	oxlyj.exe	34
PID 2100 wrote to memory of 2864	2100	oxlyj.exe	34
PID 2100 wrote to memory of 2864	2100	oxlyj.exe	34

C:\Users\Admin\AppData\Local\Temp\bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe
"C:\Users\Admin\AppData\Local\Temp\bbc4ab135447dc677835f9e45738bf9f70a2fac31c82e864551da43774b5b0a4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\oxlyj.exe
  "C:\Users\Admin\AppData\Local\Temp\oxlyj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\zoawj.exe
    "C:\Users\Admin\AppData\Local\Temp\zoawj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
cf3d053f45f99832089fee10c2b87d0a

SHA1
fc9a94741e636ac7093504633a6e918e0f8bf55c

SHA256
0d130547fba1add262bb8556cc37e81b23a4405ac20b3b09f19d56ea3a3d8c51

SHA512
413d19c8f56fc9b8273120fce6993c2e559dac8a20750dd485ff2a07f37e5970b5fdff4325601e272ef3e3e9c8cfa2ee65801269cea0c37f93f150fb499eb870

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0c5f8d0c7e3ee63a7768fb4e703e1771

SHA1
df419ef9ddab6c0b27a00c9ce2cf2a04c1f33e95

SHA256
aafd7e575f8110730ebc402d85933d842560f4603a059c428ff540bd5c153e66

SHA512
eab2b528e278fd2f80c0867a6ff7ae49fad8ca4f0447b56535971b4868a51e9c824619626a16e25394b67e4050fc1d0078da1cdcf42206c61458727187c1826b

Download Submit
\Users\Admin\AppData\Local\Temp\oxlyj.exe

Filesize
332KB

MD5
70b3e2ff3161e0b82aa5b5ccd6b66fa2

SHA1
251f225e43145db97940b1dd2378630c8bb34b8a

SHA256
5e4570e2904be00131f3044b95fd7d001b5e120d655cda105e998fd65ef6fec3

SHA512
e052e5776728a320302f7a72961880cc3fa8da897443159b0da1f87767552c6f62ef66c5c49d9360b1d5eead8c9dc0846a5aa6c0da2f7bc38816bd8ff477bfcc

Download Submit
\Users\Admin\AppData\Local\Temp\zoawj.exe

Filesize
172KB

MD5
d947042250d3100d64cf571478547051

SHA1
9e5cf3e75b86112c37bec386c26163eab5dbe911

SHA256
12659bb9c3ee46ab74a2cc0f968b2fe8c9dd4b05ba6ec09c2a3f317bd0dc81d7

SHA512
fa823d9ed196d2f62f4cb71579aad19edd33865933a6aeaa4e1fd7d5e53d1e9f1dce144fd5c084790ca09de8bc3f564d37ac94442ebb6ae393c9e762ef30548d

Download Submit
memory/2100-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2100-10-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/2100-23-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/2100-38-0x00000000008E0000-0x0000000000961000-memory.dmp

Filesize
516KB

Download
memory/2228-20-0x00000000012B0000-0x0000000001331000-memory.dmp

Filesize
516KB

Download
memory/2228-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2228-0-0x00000000012B0000-0x0000000001331000-memory.dmp

Filesize
516KB

Download
memory/2864-40-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/2864-41-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/2864-45-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download
memory/2864-46-0x00000000011F0000-0x0000000001289000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing