urelas | b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc

General

Target

b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
Size

332KB
MD5

54225c6e3dee406c2abb7fb9b15fb451
SHA1

ed975009087724d5b4b3c1938cdda16ca15bcd9f
SHA256

b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc
SHA512

b3a129de8f26b79b472123614cada054fac25c7afc89fb70225721ae139b109f98f6cd714ba4b2645288aab3b751b6c53fed70fda1c87622a16bcb1310153d1d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVK:vHW138/iXWlK885rKlGSekcj66ciEK

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	gexoy.exe
2856	edtuw.exe

Loads dropped DLL 2 IoCs

pid	Process
2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
2756	gexoy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gexoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	edtuw.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe
2856	edtuw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2756	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	30
PID 2264 wrote to memory of 2756	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	30
PID 2264 wrote to memory of 2756	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	30
PID 2264 wrote to memory of 2756	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	30
PID 2264 wrote to memory of 2784	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	31
PID 2264 wrote to memory of 2784	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	31
PID 2264 wrote to memory of 2784	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	31
PID 2264 wrote to memory of 2784	2264	b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe	31
PID 2756 wrote to memory of 2856	2756	gexoy.exe	34
PID 2756 wrote to memory of 2856	2756	gexoy.exe	34
PID 2756 wrote to memory of 2856	2756	gexoy.exe	34
PID 2756 wrote to memory of 2856	2756	gexoy.exe	34

C:\Users\Admin\AppData\Local\Temp\b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe
"C:\Users\Admin\AppData\Local\Temp\b4377105ce5906d724ea6827ca727acb011bfe6298b652a9b44ad5e7200d5efc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\gexoy.exe
  "C:\Users\Admin\AppData\Local\Temp\gexoy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\edtuw.exe
    "C:\Users\Admin\AppData\Local\Temp\edtuw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1e4e0669b69a2758ecb8afb86d50cadc

SHA1
671718f937486e37afede9fe37561f17fa33c714

SHA256
a35c3a6f5e9985e5271ec51c3a7f8c15143a64cc8cbcee233af439b237ee4064

SHA512
75afed713535483abc935a621a27e0c8b2fcf9aedf502bbf5158e3c13e5aec57366ce6df019b421d19bbc5facf42ab2292489fdf90a869459f5c9b53ff831b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
35481647fba6bb3a17c8fedfdf846681

SHA1
8f5e730bb618fbb420140c26c4309bb69c926ff3

SHA256
fd562b75f54b56aef5b552bc23133dc6f99828db2eb9624a09f0dcf29dad5539

SHA512
b651c9e08c5f2df5ccadc0811ca680ce6220fde955f4e3ba972fe7e1508542feb81f879f5603c0963c6a5742cd19397ce331117c5e5b4e673272eda63ff40e28

Download Submit
\Users\Admin\AppData\Local\Temp\edtuw.exe

Filesize
172KB

MD5
d5e2be4c770d5b4459b2b95928fb2c7c

SHA1
0d12c1232f942e5e05cdf321226ffc99754184fb

SHA256
e749bf7651f00a6840b0e1cd20352fdd72f72100def2512a6feb258d6f6357b0

SHA512
c6367c8a0e27f5811eaad4d319ad6a59b4ba0be0afa615f4d95ce374aa8ac3e5acfd34dfe77242f120e09db65e15529bd910b324c2055a0f89cf26988bde79c2

Download Submit
\Users\Admin\AppData\Local\Temp\gexoy.exe

Filesize
332KB

MD5
e93dbe193a7589dc24b5dd5b075eaa95

SHA1
805f739e260751f15c3ffa3e6a8a0a0dfa705ffb

SHA256
36bc148c42539f5f797254d260989d7fca9eb63a0fd3cf5a8b8bd300264ee9f2

SHA512
16a99e4500d1deb95ae246cc705c20683e3f11c29c2b122a66b1f35e455c7f0427bc36a996c57d35d13a889381f89c108f4a291f2a5a8091a4a3b4ae92f240b7

Download Submit
memory/2264-0-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2264-19-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2264-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2264-15-0x0000000002600000-0x0000000002681000-memory.dmp

Filesize
516KB

Download
memory/2756-20-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/2756-24-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/2756-37-0x0000000002160000-0x00000000021F9000-memory.dmp

Filesize
612KB

Download
memory/2756-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2756-41-0x0000000000A10000-0x0000000000A91000-memory.dmp

Filesize
516KB

Download
memory/2856-42-0x00000000001A0000-0x0000000000239000-memory.dmp

Filesize
612KB

Download
memory/2856-43-0x00000000001A0000-0x0000000000239000-memory.dmp

Filesize
612KB

Download
memory/2856-47-0x00000000001A0000-0x0000000000239000-memory.dmp

Filesize
612KB

Download
memory/2856-48-0x00000000001A0000-0x0000000000239000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing