urelas | 16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662

General

Target

16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
Size

332KB
MD5

c5105fd9f1ab2ad22f450fff55d33143
SHA1

e68a07e75bff28a4bf27567dfdef8bd519fb8a5a
SHA256

16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662
SHA512

de98bee6a670b9b7e787e50786c75feecd647b3cde1dea6d01105f32b3271c61c4fbc881e7609f4ba33d0e36156117e430ab6f532e030c4550eb2147095f1670
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY6:vHW138/iXWlK885rKlGSekcj66cib

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1632	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2052	koyxf.exe
2660	hyorh.exe

Loads dropped DLL 2 IoCs

pid	Process
2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
2052	koyxf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyorh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koyxf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe
2660	hyorh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2052	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 2644 wrote to memory of 2052	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 2644 wrote to memory of 2052	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 2644 wrote to memory of 2052	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	31
PID 2644 wrote to memory of 1632	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	32
PID 2644 wrote to memory of 1632	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	32
PID 2644 wrote to memory of 1632	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	32
PID 2644 wrote to memory of 1632	2644	16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe	32
PID 2052 wrote to memory of 2660	2052	koyxf.exe	35
PID 2052 wrote to memory of 2660	2052	koyxf.exe	35
PID 2052 wrote to memory of 2660	2052	koyxf.exe	35
PID 2052 wrote to memory of 2660	2052	koyxf.exe	35

C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe
"C:\Users\Admin\AppData\Local\Temp\16261fb3a703ef33965fc35d7230b5f0ca970b9e02377f20faabf7be3f5f3662.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\koyxf.exe
  "C:\Users\Admin\AppData\Local\Temp\koyxf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\hyorh.exe
    "C:\Users\Admin\AppData\Local\Temp\hyorh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
f82b5e46ecc7199a4d77265ab29e761f

SHA1
471dc7642de247841861ef0047e6e73fe6e0509c

SHA256
8a106558acbed72ae6114bc0d074af4570578010fffa14854c5f703466ebd300

SHA512
bec787feeb03ebb2cc4477ffa405f3f39cdb02a85c134462f4907128c7fa82532c5a83ddd39f7a26a9b9a8084fb65ed2d7ee7d63e42ec779c7c63a3a89fc13b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a7ea4ca1cb2d853248d2c346d53c1a89

SHA1
7094950c19151cf7e9c9769a3fcf94e28577612b

SHA256
10617ca586e80e1a77500845c0cae1c2cf2d48c767d837bce978dab7ed9fe8d0

SHA512
ffc54b8e38580cb7b112619329e70622a8096ea8f7708b8182ea6cf732b1efdf39874760bdaa6534af14d8f25fa8375ff37e8f198f080c1b5c2a0bb87643ddd7

Download Submit
\Users\Admin\AppData\Local\Temp\hyorh.exe

Filesize
172KB

MD5
6e9d5067562701bd3a52e6454a580fac

SHA1
49f036d2837b0d8a4b5c9da34e31f1d75bb42c23

SHA256
9463a11a0c81587cebd78ea9a60b4ca7e2f329a1744eaaf42be33eef02ec9d54

SHA512
6f8af7caebdff2b1d525d63049b67143cfb460cea6bb591db3e22dd5c192a8db169526f39e25bbc8accef13582330e699b21c72f4c6375cb42604faf4afa9ae3

Download Submit
\Users\Admin\AppData\Local\Temp\koyxf.exe

Filesize
332KB

MD5
cb8d302f0c612b41308253e9bce779d3

SHA1
890ed024492c8ef8512b6c6383d5fe7e9fc512e1

SHA256
ccd3a8d2aab90d17b36172d32976f231cb4d5e4d987a6698341b1f79b8820043

SHA512
7ace1ab09033454b98392dc4e7a7ebb8d3080985a73b41866b314b94363364f2fdcdb3d452b28c8100285685a5dec31e7e629cd00f907c67b2372ad858e4fe18

Download Submit
memory/2052-11-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2052-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2052-42-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2052-39-0x00000000034B0000-0x0000000003549000-memory.dmp

Filesize
612KB

Download
memory/2052-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2052-24-0x0000000000260000-0x00000000002E1000-memory.dmp

Filesize
516KB

Download
memory/2644-0-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2644-9-0x00000000020F0000-0x0000000002171000-memory.dmp

Filesize
516KB

Download
memory/2644-21-0x0000000000070000-0x00000000000F1000-memory.dmp

Filesize
516KB

Download
memory/2644-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2660-43-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/2660-44-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/2660-48-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download
memory/2660-49-0x0000000001260000-0x00000000012F9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing