urelas | 2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851e

General

Target

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
Size

334KB
MD5

56ab5b6ddbcd5b119c7ad028db7df480
SHA1

ee8b233b1f7a6cc3cb4b8d06dad01f8ff1a90822
SHA256

2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851e
SHA512

d63d76b5cfe18645213025cff3515827712403808779880758b539fc981450786aa3a3392009e9b8b641a8fa8ba70a03f70f0714f68b4960ba158f0afa326f25
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYw6:vHW138/iXWlK885rKlGSekcj66ciV6

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2736	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2356	zubyw.exe
1800	beavn.exe

Loads dropped DLL 2 IoCs

pid	Process
876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
2356	zubyw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zubyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	beavn.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe
1800	beavn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2356	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	31
PID 876 wrote to memory of 2356	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	31
PID 876 wrote to memory of 2356	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	31
PID 876 wrote to memory of 2356	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	31
PID 876 wrote to memory of 2736	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	32
PID 876 wrote to memory of 2736	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	32
PID 876 wrote to memory of 2736	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	32
PID 876 wrote to memory of 2736	876	2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe	32
PID 2356 wrote to memory of 1800	2356	zubyw.exe	34
PID 2356 wrote to memory of 1800	2356	zubyw.exe	34
PID 2356 wrote to memory of 1800	2356	zubyw.exe	34
PID 2356 wrote to memory of 1800	2356	zubyw.exe	34

C:\Users\Admin\AppData\Local\Temp\2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe
"C:\Users\Admin\AppData\Local\Temp\2cb3923b42874722c2a3275f0153e973dee3c15b72f51945482a49c1bc9d851eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\zubyw.exe
  "C:\Users\Admin\AppData\Local\Temp\zubyw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\beavn.exe
    "C:\Users\Admin\AppData\Local\Temp\beavn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b166fc0e40859275e71e238917ddc375

SHA1
4c3de091a0e6fee9e2eff052568ab606c7cf8909

SHA256
a60cf0d9ee4e78840c9751dbd43228557d0fa9aad9b012a780b2bcdcccbbf25f

SHA512
27b05706dcebeae451cae77a7f2adfb968a1d79861eec31bb76f6d3b060c977ac59ec931cf928e408680bdffcb336dbd2ecf7eed9f70dc3f6af0b112562b1037

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ff44e5ef3cab2f32eaa75f9a637eced7

SHA1
5327dc3ff2c529469f0bc515e301bd9e487504f4

SHA256
71bd8a62bbc5f5cb19e41f0909167dd1dd79f07d330edc167306de9d6237a937

SHA512
ddeeedde5505e18e3cc81685f0a16d08cee034a597b70fee067a1183b426527fd12bc7b7048cdac2605140574947e4879192e4ffe8dd576e4c9bb0717ee646a9

Download Submit
\Users\Admin\AppData\Local\Temp\beavn.exe

Filesize
172KB

MD5
73b46f91a97866c85cf2f6c9e70eff0e

SHA1
d2f339d1d16c249a71a8fb6ff7bb8ccf0c6a4597

SHA256
a887ba0936733722ef9274644391927d2d61524a2a1251e5dae7b1f4ef44c134

SHA512
30e3efcc4e697147b1bf65f35bc0ac08e5d24dc4fa36277f06f94a0995f1ef5f21033ec4697251d76c87d8426735eb014ce4ce14201fa459abc7ef08a40ad709

Download Submit
\Users\Admin\AppData\Local\Temp\zubyw.exe

Filesize
334KB

MD5
e609e09843dd477fed063f2ee18ca3f9

SHA1
c3e64ba011301dc4421d4437b97349ad57905b74

SHA256
9328dd304d9c7487a1dc3a6bc3ac4be5611fec2602a88e60e17dd5bdc8caed90

SHA512
8e15acbefe1e8ac3b3a8a8b756589a0c484558591e30ba37e43174cb702af242a5a166b454c42be3a83ab99b48d5a5ad596c98011a7adae69f807b1c2c8c3fff

Download Submit
memory/876-0-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/876-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/876-9-0x00000000021A0000-0x0000000002221000-memory.dmp

Filesize
516KB

Download
memory/876-21-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/1800-43-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/1800-48-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/1800-47-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/1800-42-0x0000000000010000-0x00000000000A9000-memory.dmp

Filesize
612KB

Download
memory/2356-18-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2356-40-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2356-41-0x0000000002CD0000-0x0000000002D69000-memory.dmp

Filesize
612KB

Download
memory/2356-24-0x00000000002A0000-0x0000000000321000-memory.dmp

Filesize
516KB

Download
memory/2356-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing