urelas | 90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a

General

Target

90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
Size

332KB
MD5

65b4a3aa23c22537f52adee2b0bf5169
SHA1

8434a372b729cde9ee1d032db3306cf813cccb1b
SHA256

90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a
SHA512

8e444fa52bf1dfb7c45499b76dd998c529525f3ebcd970161bbb4e0b3883e1d062d15faec83e30043b27d5f94b3663fc5e63ea5142743739e2df075858af612c
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66ci7

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2984	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2272	pipou.exe
2100	rusik.exe

Loads dropped DLL 2 IoCs

pid	Process
576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
2272	pipou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pipou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rusik.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe
2100	rusik.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2272	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	30
PID 576 wrote to memory of 2272	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	30
PID 576 wrote to memory of 2272	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	30
PID 576 wrote to memory of 2272	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	30
PID 576 wrote to memory of 2984	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	31
PID 576 wrote to memory of 2984	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	31
PID 576 wrote to memory of 2984	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	31
PID 576 wrote to memory of 2984	576	90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe	31
PID 2272 wrote to memory of 2100	2272	pipou.exe	33
PID 2272 wrote to memory of 2100	2272	pipou.exe	33
PID 2272 wrote to memory of 2100	2272	pipou.exe	33
PID 2272 wrote to memory of 2100	2272	pipou.exe	33

C:\Users\Admin\AppData\Local\Temp\90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe
"C:\Users\Admin\AppData\Local\Temp\90c67258d00416ba13ce937c4f4e055688ef225102b8b75c668126646873873a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\pipou.exe
  "C:\Users\Admin\AppData\Local\Temp\pipou.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\rusik.exe
    "C:\Users\Admin\AppData\Local\Temp\rusik.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
4388da8d47d2fad02169eef20bfbf4d3

SHA1
27ee900ad333f616b9e81c3a3e830292c46179b1

SHA256
ae5b756995b31b10b9516775ec855e473a9043630c8461ab11927a65f1f18f4d

SHA512
2b08bdfc1982f70a9868cb6c019247a10c7708cd92b622110bf49e32ea075aae4b3b256de2a640eff1481d0b7fa51cf29330f545a1fdd5d818c150d8c78b1f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
09093315f97413659cdc2854662f92f5

SHA1
773a21b9ee26364ccd4cc377a2653ff12a90d066

SHA256
e169581b75d6a2dffcb4034f7141a00ddfad3360616653e3550cfd92f7a9fdfb

SHA512
4b87aa8a0b58464c20358629e9629e0146e6a7454cf9dfef4383d9d65606518f181ca258ef5a90d94f37b8166ec2b03748fa4a7b0cd8ddc0464ea7cef6d1de6b

Download Submit
\Users\Admin\AppData\Local\Temp\pipou.exe

Filesize
332KB

MD5
04064eacb2f6c81f4c1ab804ec61dca3

SHA1
ecafc46a1809048ea36c0dbc2a6cebb6a9e3bd38

SHA256
86756ad1c69b56fa40c1d8b2153ac0ab2ec38b0aa221518758920f0faa8e6fb3

SHA512
d5113ea9654c6120286f1b3ab0ed325343dafdbcbcd910410bababd03eaa0f511b08699b2bb30c6c12ddcfa0a998c85f48538f745707dea6950d2e7f102b6cb9

Download Submit
\Users\Admin\AppData\Local\Temp\rusik.exe

Filesize
172KB

MD5
1423e03bd4b970aa295fa2159e2ba4c3

SHA1
282468fa050c77eada25f24fbd9fdc6a47656205

SHA256
77642c8574d0b55747491f5a95f2712f93d141f7931c7bb0bea314bbd0a49840

SHA512
818ef6b777c1fe464ceb06cf6bff2a98397db61eb46a3e8808a9cc1e8eadab97b1c4a58d796ef159c228ab76de14cb5ff2c2db0843443d90a849deab592da33d

Download Submit
memory/576-0-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/576-7-0x0000000002600000-0x0000000002681000-memory.dmp

Filesize
516KB

Download
memory/576-20-0x0000000000950000-0x00000000009D1000-memory.dmp

Filesize
516KB

Download
memory/576-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2100-42-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2100-43-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2100-47-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2100-48-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2272-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2272-23-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download
memory/2272-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2272-41-0x0000000003220000-0x00000000032B9000-memory.dmp

Filesize
612KB

Download
memory/2272-40-0x0000000000C90000-0x0000000000D11000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing