urelas | e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9

General

Target

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
Size

334KB
MD5

3234cf4c81bfcee023e8b2f5a4912775
SHA1

3fb4ee1ba10cd6670b2c301c376d59ee634a8259
SHA256

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9
SHA512

e8a8651bf6f2a34d9b3cf1471cf417704e40cda4d61a14e21eeb441f0a0ebe5a8553c96e1265e76ffc87b8365f210f1d91a1c96dbe020a6aff06cb9271cb581e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYl:vHW138/iXWlK885rKlGSekcj66ci8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2876 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

uvdak.exefonoq.exe

pid process

2928 uvdak.exe
3020 fonoq.exe
Loads dropped DLL 2 IoCs

Processes:

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeuvdak.exe

pid process

2768 e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
2928 uvdak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2876	cmd.exe

pid	process
2928	uvdak.exe
3020	fonoq.exe

pid	process
2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
2928	uvdak.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fonoq.exee49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeuvdak.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fonoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvdak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

fonoq.exe

pid	process
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe
3020	fonoq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exeuvdak.exe

description	pid	process	target process
PID 2768 wrote to memory of 2928	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	uvdak.exe
PID 2768 wrote to memory of 2928	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	uvdak.exe
PID 2768 wrote to memory of 2928	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	uvdak.exe
PID 2768 wrote to memory of 2928	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	uvdak.exe
PID 2768 wrote to memory of 2876	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 2768 wrote to memory of 2876	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 2768 wrote to memory of 2876	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 2768 wrote to memory of 2876	2768	e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe	cmd.exe
PID 2928 wrote to memory of 3020	2928	uvdak.exe	fonoq.exe
PID 2928 wrote to memory of 3020	2928	uvdak.exe	fonoq.exe
PID 2928 wrote to memory of 3020	2928	uvdak.exe	fonoq.exe
PID 2928 wrote to memory of 3020	2928	uvdak.exe	fonoq.exe

C:\Users\Admin\AppData\Local\Temp\e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe
"C:\Users\Admin\AppData\Local\Temp\e49f2e9313e5d29d6b76640a50272a9ac7da9d573db26849954ad91fee0324a9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\uvdak.exe
  "C:\Users\Admin\AppData\Local\Temp\uvdak.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Temp\fonoq.exe
    "C:\Users\Admin\AppData\Local\Temp\fonoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2499982d596b1d61beff3ab3af9566a2

SHA1
3ebde4128cbdfbfbfc31997c237b4ed443460477

SHA256
c297fd57b2ccd31d8489db15fd9dbc22e09976fd0ae254aba0d0b1d381e1e2b9

SHA512
0d0ff75cd0cefff027dc06c97919d2951813929ae35573659be335ec8cfa52473fcf384d2d3e53e7f76c5f895aaeb28c95555913631f3775ba3e996822d2f4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
c57654e760d92165a4f48fbe619e0383

SHA1
d800dfedf7e586107d05f17f67bb594ecab8e00a

SHA256
8b43d62607b0d09569fd3fee940621c45d3ef9253eeec212354f49671bd823a8

SHA512
cde5389deeda8d05c4218f333193ba15f0ded6ec305f276eefc130199447ae5c3e14a4894b9a821ff14465f22b7ceb6d895b7d51316b362339b80a42bedaa2da

Download Submit
\Users\Admin\AppData\Local\Temp\fonoq.exe

Filesize
172KB

MD5
cca8c1b6a3a9358d0afd37c35b1efdd3

SHA1
ed7b45983a72261a7381a616ba36117d2d0757d2

SHA256
6ee29e54dde66cb0b7c6ec967e292271260a91f478f8ff39ee06a31fa4457be7

SHA512
74316101c6c18479b7717e5dd5ac9345c4830a84fb382edde0e71c0cf9386936a734474f5c9389f46447fe96f33dce69561cc507c1dd35b5dd71bd12e213846c

Download Submit
\Users\Admin\AppData\Local\Temp\uvdak.exe

Filesize
334KB

MD5
810db5c04c152ea8ccce1f4e1321347a

SHA1
7e1b8e39fab5e9a2143b067e9c819b8526cfa35d

SHA256
cd82e8f8032a2912272d0b10f99f4afe7055378daefe7307cf96f048d7eba1ce

SHA512
5cbe4f3d0146ece0d6754bcc2849a7282b0439175d71f36a6fdcec3397cb4aefbe18ae812006b3d3f5110c5579d85e0e0286525483788a57244367fafd4db751

Download Submit
memory/2768-0-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2768-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-10-0x00000000006B0000-0x0000000000731000-memory.dmp

Filesize
516KB

Download
memory/2768-21-0x00000000002B0000-0x0000000000331000-memory.dmp

Filesize
516KB

Download
memory/2928-11-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/2928-24-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/2928-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2928-38-0x0000000003860000-0x00000000038F9000-memory.dmp

Filesize
612KB

Download
memory/2928-41-0x0000000001260000-0x00000000012E1000-memory.dmp

Filesize
516KB

Download
memory/3020-45-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-42-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-47-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-48-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-49-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-50-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download
memory/3020-51-0x0000000001200000-0x0000000001299000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads