urelas | 6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3

General

Target

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Size

332KB
MD5

9005adf6dc2001ebe4b8b45ccae3c8b0
SHA1

1338d6153061783232f99e6944b6144a4835a2e6
SHA256

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3
SHA512

933431cf66acc4155c510ecd6b2603aecf4f757da8335edacf0c4e8812c72e52387479c645e6bd6b4d69c786f5903fe18e6b0f807edf9321669525ae704620e7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYq:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2856 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

maguo.exeberim.exe

pid process

2180 maguo.exe
1176 berim.exe
Loads dropped DLL 2 IoCs

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exemaguo.exe

pid process

2304 6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
2180 maguo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2856	cmd.exe

pid	process
2180	maguo.exe
1176	berim.exe

pid	process
2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
2180	maguo.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exemaguo.execmd.exeberim.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maguo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	berim.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

berim.exe

pid	process
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe
1176	berim.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exemaguo.exe

description	pid	process	target process
PID 2304 wrote to memory of 2180	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	maguo.exe
PID 2304 wrote to memory of 2180	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	maguo.exe
PID 2304 wrote to memory of 2180	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	maguo.exe
PID 2304 wrote to memory of 2180	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	maguo.exe
PID 2304 wrote to memory of 2856	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2304 wrote to memory of 2856	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2304 wrote to memory of 2856	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2304 wrote to memory of 2856	2304	6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe	cmd.exe
PID 2180 wrote to memory of 1176	2180	maguo.exe	berim.exe
PID 2180 wrote to memory of 1176	2180	maguo.exe	berim.exe
PID 2180 wrote to memory of 1176	2180	maguo.exe	berim.exe
PID 2180 wrote to memory of 1176	2180	maguo.exe	berim.exe

C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe
"C:\Users\Admin\AppData\Local\Temp\6958ec8ceeb95cc9d407c1c665bb2cac0659caefc7447ed19aa4d99abb8238c3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\maguo.exe
  "C:\Users\Admin\AppData\Local\Temp\maguo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Admin\AppData\Local\Temp\berim.exe
    "C:\Users\Admin\AppData\Local\Temp\berim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
710943b4bc4cb3508979b0ff0dec9782

SHA1
bcffaf0cc3dc993ab846ec5de6f880721fb8f2d5

SHA256
d8b9e49cc44f652a3daebde2f6d26059cae4706e59d53500dbf5074cfcc4ce04

SHA512
13622271bf849268c7c24a56ddd17ad91a5ce8085f32a1b01c8ee324b642880066a03dfbc04c4c44bb94fb22ff22af0e1765d87fe8f8322a8bd54f6d51051b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
bd8fea0f54b381c75e5d44bdb409b70c

SHA1
52bbe0b62865880cb01545edc95390f7402ad608

SHA256
07af242d03fc1e300ab0ee1a140dd0bfa5cfb93562930a86999a11590137172c

SHA512
49bc3fbb78a03c0b1a63ca614513ea5f2d1f0a2d81e469e629dc33e08ccea7cc3d87f8f63b37fb9c3115494ed023313f2e58dbaa52a9dff76bb0799cc9b3c22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\maguo.exe

Filesize
332KB

MD5
cf14cca47003f5593899c047aedd58be

SHA1
94b6d91df426ced168f6955f351aa610ee5575b7

SHA256
f6224c85e6064033c069c2cb5983638ef0e787a8a861a739e3e12b1512aff1a7

SHA512
141e1cd0583c1508e5f6ae6e6802a468d38a975ed465cf7770caae65e8b85bec527a40ba952a500c3b829aae2d3d2e677ae0d0abf8302e0e6e8c606ef205d521

Download Submit
\Users\Admin\AppData\Local\Temp\berim.exe

Filesize
172KB

MD5
7b81f98c9aae6f21f63021cc1d2e7378

SHA1
0e90ee14388e05e05334f06cae2d0dc4da5de359

SHA256
22ace7845dabe4175ca98162047efb6eb88da9a9fd75fb50570dde60dc2fa2e5

SHA512
a215e4ad97f0cda956c217d3cc1d53a7f2efbf2b4bd8fdb1fb8fef106074d3fd0c37d948dfcc7342eda54c114229ad79eab35dab3a94a334fba60567fadf492d

Download Submit
memory/1176-42-0x0000000000030000-0x00000000000C9000-memory.dmp

Filesize
612KB

Download
memory/1176-45-0x0000000000030000-0x00000000000C9000-memory.dmp

Filesize
612KB

Download
memory/1176-47-0x0000000000030000-0x00000000000C9000-memory.dmp

Filesize
612KB

Download
memory/1176-48-0x0000000000030000-0x00000000000C9000-memory.dmp

Filesize
612KB

Download
memory/2180-18-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download
memory/2180-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2180-24-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download
memory/2180-37-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2180-41-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download
memory/2304-17-0x0000000001EE0000-0x0000000001F61000-memory.dmp

Filesize
516KB

Download
memory/2304-21-0x0000000000130000-0x00000000001B1000-memory.dmp

Filesize
516KB

Download
memory/2304-0-0x0000000000130000-0x00000000001B1000-memory.dmp

Filesize
516KB

Download
memory/2304-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads