urelas | 349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783

General

Target

349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe
Size

331KB
MD5

5c8f53a6cbf5f696d09431aa725ad33c
SHA1

c16759563ac9e025648653316ee2c356c1fd668d
SHA256

349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783
SHA512

38a6d55e5c8c5f1238e55b1e32d0280c8a736e785f42b10952e3549fe6888bc62b44b81d6d0436ba04be1af93ebade7aff499b7ef454e99637b62769071a9c99
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVb:vHW138/iXWlK885rKlGSekcj66ciEb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2936	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	opfuz.exe
1160	woter.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe
2884	opfuz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opfuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	woter.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe
1160	woter.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2884	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	31
PID 2464 wrote to memory of 2884	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	31
PID 2464 wrote to memory of 2884	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	31
PID 2464 wrote to memory of 2884	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	31
PID 2464 wrote to memory of 2936	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	32
PID 2464 wrote to memory of 2936	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	32
PID 2464 wrote to memory of 2936	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	32
PID 2464 wrote to memory of 2936	2464	349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe	32
PID 2884 wrote to memory of 1160	2884	opfuz.exe	35
PID 2884 wrote to memory of 1160	2884	opfuz.exe	35
PID 2884 wrote to memory of 1160	2884	opfuz.exe	35
PID 2884 wrote to memory of 1160	2884	opfuz.exe	35

C:\Users\Admin\AppData\Local\Temp\349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe
"C:\Users\Admin\AppData\Local\Temp\349551096df6d424a40ec764bdaab63800ca2f6053762106518105de8727d783.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\opfuz.exe
  "C:\Users\Admin\AppData\Local\Temp\opfuz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\woter.exe
    "C:\Users\Admin\AppData\Local\Temp\woter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
ee71000ee7133a48a98464524c678e35

SHA1
224e371014a4d533e354d6f6b6b15fa55d057348

SHA256
0b30f3847580675b0e7dc3b66bc0d5df53da94b4380b998cb72dcccacc7617fe

SHA512
6760e481c2f9021735e12ebb9d08bc9fe29ba4a6794e40a396b657c80c28bbf47cc001757344f936db7dfed317bca3013f93bb031f923d85f7f054a8b3c254a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
8e46c41fed6cf54e6b8fc65b9db4acbf

SHA1
012725538a029a2c44d5a558a299d4102e6b0c5b

SHA256
a9883db3fab40bd47a68b570b78d0c8c8f1cf67f142f6ac78d68e8733f84b88b

SHA512
24baf6b863d28621f6abb7baa73e09433f45761d83c59f2029b7871de6ecbf4281814c4b41ae97575e9c1901e5d1b6b2a9b6d3bbb8c22f1ba7fdc06236c18d3d

Download Submit
\Users\Admin\AppData\Local\Temp\opfuz.exe

Filesize
331KB

MD5
90b4ef566322e103c413b8fa7716f365

SHA1
1c7fda37538b10ee83ef642293aa102ceedb0da1

SHA256
7f8128bdec6599832917037a7e9d012e088fa6accd6eb751a850b07b69b8036c

SHA512
2827857cb1be89d372bd11a555e62222ddda9d14d60d2fd4c7cd89e0e5e75c2ecd60ec6c4171fd5f7cb949d499751e84bd9a822c3d4de384cd95b569f1a7f764

Download Submit
\Users\Admin\AppData\Local\Temp\woter.exe

Filesize
172KB

MD5
7770006672c58f79085d3f8425ab72c3

SHA1
aeed7755bf2cd0498d5777d088312713b806b1fe

SHA256
942eb89371a3f2095e3410224a911f7fae89e78d563fa9628d5545f88f321d0c

SHA512
a6d13398105337346595af0fbd8e5274df7fc57689280779987eb66832aedec819fa3df643a4a52e45d34415c6cc3fe41c2e69ed6eda27a775695647677971f5

Download Submit
memory/1160-43-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1160-49-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1160-48-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/1160-46-0x00000000003C0000-0x0000000000459000-memory.dmp

Filesize
612KB

Download
memory/2464-0-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2464-10-0x0000000002630000-0x00000000026B1000-memory.dmp

Filesize
516KB

Download
memory/2464-21-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2464-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2884-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2884-42-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2884-37-0x0000000003D70000-0x0000000003E09000-memory.dmp

Filesize
612KB

Download
memory/2884-12-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2884-25-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2884-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing