urelas | be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb

General

Target

be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
Size

333KB
MD5

23c77673328452fe83e7f4c9ffe44b48
SHA1

450b06237336098386446a853cd2d97477318acc
SHA256

be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb
SHA512

006f02d5ab0415f58223d9d4de20f11ad871df47ba5a552b5b9d8ce888f46bc0dcb39bb14a867f82cbb69f7e79819b27ea3f59fa3bf324284ec2a09c6ef8d8f9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVp:vHW138/iXWlK885rKlGSekcj66ciEp

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1680 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

biypb.exerarot.exe

pid process

2044 biypb.exe
384 rarot.exe
Loads dropped DLL 2 IoCs

Processes:

be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exebiypb.exe

pid process

2556 be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
2044 biypb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1680	cmd.exe

pid	process
2044	biypb.exe
384	rarot.exe

pid	process
2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
2044	biypb.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exebiypb.execmd.exerarot.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	biypb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rarot.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

rarot.exe

pid	process
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe
384	rarot.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exebiypb.exe

description	pid	process	target process
PID 2556 wrote to memory of 2044	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	biypb.exe
PID 2556 wrote to memory of 2044	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	biypb.exe
PID 2556 wrote to memory of 2044	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	biypb.exe
PID 2556 wrote to memory of 2044	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	biypb.exe
PID 2556 wrote to memory of 1680	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	cmd.exe
PID 2556 wrote to memory of 1680	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	cmd.exe
PID 2556 wrote to memory of 1680	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	cmd.exe
PID 2556 wrote to memory of 1680	2556	be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe	cmd.exe
PID 2044 wrote to memory of 384	2044	biypb.exe	rarot.exe
PID 2044 wrote to memory of 384	2044	biypb.exe	rarot.exe
PID 2044 wrote to memory of 384	2044	biypb.exe	rarot.exe
PID 2044 wrote to memory of 384	2044	biypb.exe	rarot.exe

C:\Users\Admin\AppData\Local\Temp\be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe
"C:\Users\Admin\AppData\Local\Temp\be4e7d36a957f6effb39ee6e4c8fd1723de7cb3718685ad57755825466e204bb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\biypb.exe
  "C:\Users\Admin\AppData\Local\Temp\biypb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\rarot.exe
    "C:\Users\Admin\AppData\Local\Temp\rarot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
63132647d862949de071464259a80592

SHA1
194a536fe3d16b8c5c7c6b07880e63a334e15e1d

SHA256
7421a8902a7ae484621e09766d63f157bcaaf48effee9a67812b547a38e006e9

SHA512
70d711de6db7b36c11e1b1cb35ba95e18e1df799b431da1e03d244b3b0a6045e10c565daa965c87ca393222c68eb7bee74281f3ae12d5f3f7016d8fae81d76a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
01e0288fa51aba4ea11797042516e6d3

SHA1
af4f694d45cc5e3d9a9700f37e8ea934c6513d4c

SHA256
b11824b26f98474c2a00ea49050ab823b2e033111f434cc4b7aabbaed3326752

SHA512
3ee8b031563ebdbff9da0bbeab942da09f02d7a2576dbcde779b06b98df702332906e53883f1a80319a3f01115b9af918c91452928dea9eb22b7038c4d479fd7

Download Submit
\Users\Admin\AppData\Local\Temp\biypb.exe

Filesize
333KB

MD5
594fc06857d7d0a4322c77d7e99431cb

SHA1
06edcb7f586adff072d98ed2b7ff363632aa4561

SHA256
bef6654a020cbce76be67bfc5de5b22f1f898e6746244139a270f971fd1ec4d5

SHA512
4c0a55cc7b07a6c3bd7c65bc01d18e28385e9b38cb47a7a2a387a152fb0eaaa5a0066bfae60ee3e59375113a68c2d1dbc5518bfc41e207c1e696534900f66e05

Download Submit
\Users\Admin\AppData\Local\Temp\rarot.exe

Filesize
172KB

MD5
434c8019aa504452bbcb2e5d3c714208

SHA1
bced0ad06ed6dfc9ba7e87a56dcc06835623af63

SHA256
1ff7b11b4a27068f323c0dd87a0ce247940567e42a1bcf964d3dd6fbf4a88efc

SHA512
668aac8c3878a98df7920b56af4f53e8050f0d98ba7b2c9688113b2220c38b75b0bf5082f0069151e473ef3306942e63cafc29a34a89954ee656b7312cc7b0b1

Download Submit
memory/384-41-0x0000000001270000-0x0000000001309000-memory.dmp

Filesize
612KB

Download
memory/384-42-0x0000000001270000-0x0000000001309000-memory.dmp

Filesize
612KB

Download
memory/384-46-0x0000000001270000-0x0000000001309000-memory.dmp

Filesize
612KB

Download
memory/384-47-0x0000000001270000-0x0000000001309000-memory.dmp

Filesize
612KB

Download
memory/2044-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2044-22-0x0000000000D40000-0x0000000000DC1000-memory.dmp

Filesize
516KB

Download
memory/2044-23-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2044-36-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/2044-40-0x0000000000D40000-0x0000000000DC1000-memory.dmp

Filesize
516KB

Download
memory/2556-19-0x0000000000DA0000-0x0000000000E21000-memory.dmp

Filesize
516KB

Download
memory/2556-7-0x0000000002B10000-0x0000000002B91000-memory.dmp

Filesize
516KB

Download
memory/2556-0-0x0000000000DA0000-0x0000000000E21000-memory.dmp

Filesize
516KB

Download
memory/2556-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads