urelas | 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52

General

Target

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Size

332KB
MD5

efb9d248a446a3a7434267d9b4d123c0
SHA1

3fe98e4298e590b5cc2ee56260b39c34a6790832
SHA256

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52
SHA512

c88b18d6833b3dd913e67028926cb297866c2b1af65dc9c2e264860365004b525eda2b005d8bf9d3f7a330a4e259a7a44301ad82bf3c58d0ed4f3e0574fc36ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYK:vHW138/iXWlK885rKlGSekcj66cij

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2520 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

ibpuj.exerujoq.exe

pid process

2532 ibpuj.exe
1232 rujoq.exe
Loads dropped DLL 2 IoCs

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exeibpuj.exe

pid process

2252 97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
2532 ibpuj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2520	cmd.exe

pid	process
2532	ibpuj.exe
1232	rujoq.exe

pid	process
2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
2532	ibpuj.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rujoq.exe97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exeibpuj.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rujoq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibpuj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

rujoq.exe

pid	process
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe
1232	rujoq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exeibpuj.exe

description	pid	process	target process
PID 2252 wrote to memory of 2532	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	ibpuj.exe
PID 2252 wrote to memory of 2532	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	ibpuj.exe
PID 2252 wrote to memory of 2532	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	ibpuj.exe
PID 2252 wrote to memory of 2532	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	ibpuj.exe
PID 2252 wrote to memory of 2520	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2252 wrote to memory of 2520	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2252 wrote to memory of 2520	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2252 wrote to memory of 2520	2252	97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe	cmd.exe
PID 2532 wrote to memory of 1232	2532	ibpuj.exe	rujoq.exe
PID 2532 wrote to memory of 1232	2532	ibpuj.exe	rujoq.exe
PID 2532 wrote to memory of 1232	2532	ibpuj.exe	rujoq.exe
PID 2532 wrote to memory of 1232	2532	ibpuj.exe	rujoq.exe

C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe
"C:\Users\Admin\AppData\Local\Temp\97d3d9f04d53a2703a44610545e09ad2f75d8d432ee7513667711988360c3b52N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\ibpuj.exe
  "C:\Users\Admin\AppData\Local\Temp\ibpuj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\rujoq.exe
    "C:\Users\Admin\AppData\Local\Temp\rujoq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8ea4423a847b146a107fe9decf920b20

SHA1
3f20f309fe0c8f7f982820a018655276a6dba841

SHA256
9f07da084a4e9d8fb2716988a84f4f2f7e5e9f3068e5399503baaa8780517374

SHA512
afcbf286839811a850271ea186df37b0b8f6c342d832f856af07ca0f17b0dcd5546e99fe91800bb661a5a1bee904139d44a384ed771678a9566a5b4b50bd4b4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d42cb7c598e89e4fab414059ffa24c6a

SHA1
433d633d15088f8a4fdb9193dacae782b81a653e

SHA256
e6470ebc1309a4e4e160f4e6ca431167ff19fff893992879950fd5b599169143

SHA512
80a5c2443b6e5fca1941bf54fb034a5747ef0d8e52269114b5422b92e1653e33dcb2c1481984b547f18c05528728a52b77392c5b152c61fe22c9ba170dd96e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibpuj.exe

Filesize
332KB

MD5
4aa1437fbfaba53fda7f4d720518a179

SHA1
e1d212af674fe239432da896dc49cbe5299d42a2

SHA256
016a0b75a6b5de677434a475cffa7269db4f7aa56e04e132eab7e8a861954e9b

SHA512
a3775b69350647874243063594c0fd8d3fe9fad70fbb39d85c752157d3e79d266024ab1fe214898f06c48c66ff12b1f7fb64e03c28343944873f48c108fa992b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibpuj.exe

Filesize
332KB

MD5
e0fd7e1a284d32faa2c4a2734b2ba73c

SHA1
80a8a40a4395048820dec6cb91509916d456bbfc

SHA256
3062f2ab91ba0f2542a3389690687d4b4e9fdbd66616e100347f3c5f078f8978

SHA512
0db048d5e435303e970365d3f41e510cff4dc78e02727465a27a37ccbdb660d798a4ace5536473699f78e4ea205307551959c089bc40b9da0c1d8ea1a0c1f0f6

Download Submit
\Users\Admin\AppData\Local\Temp\rujoq.exe

Filesize
172KB

MD5
f481f6a2500b09560b7580b2bf8a83eb

SHA1
687703c92c597b6e9c175f3ad198e42179e9952c

SHA256
700a2a385bbe10917d6a8a0ec7ba740acbff8499ca275e67d683f09b6e659f42

SHA512
1f93b4673286952ef846feb46c5d409502f2541efbf2282916c7b698b30fe42b143846302f934d759cef67f0f137f553b38afe2e52109a747d04ff5d7684cfc5

Download Submit
memory/1232-52-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-53-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-51-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-50-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-43-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-49-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/1232-44-0x0000000000EE0000-0x0000000000F79000-memory.dmp

Filesize
612KB

Download
memory/2252-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2252-0-0x0000000000D90000-0x0000000000E11000-memory.dmp

Filesize
516KB

Download
memory/2252-19-0x0000000000D90000-0x0000000000E11000-memory.dmp

Filesize
516KB

Download
memory/2252-16-0x00000000005C0000-0x0000000000641000-memory.dmp

Filesize
516KB

Download
memory/2532-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2532-40-0x0000000003250000-0x00000000032E9000-memory.dmp

Filesize
612KB

Download
memory/2532-42-0x00000000003B0000-0x0000000000431000-memory.dmp

Filesize
516KB

Download
memory/2532-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2532-24-0x00000000003B0000-0x0000000000431000-memory.dmp

Filesize
516KB

Download
memory/2532-20-0x00000000003B0000-0x0000000000431000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads