urelas | 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b

General

Target

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Size

332KB
MD5

0c532605bd6041f0da53a6a9ade4ccc1
SHA1

b94d3dd6f45d0553004adc2672ce539f4ea8d613
SHA256

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b
SHA512

2019433e7f79bac22372cf967745ee5113a19507a523f48cc896e6ca4a769702f448770e11bef8656a9485038bf41eb72c25b203d1897ebc6a128fa0c72f6d87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY+:vHW138/iXWlK885rKlGSekcj66ciL

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2092 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nasuw.exejukub.exe

pid process

1376 nasuw.exe
316 jukub.exe
Loads dropped DLL 2 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenasuw.exe

pid process

1908 3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
1376 nasuw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2092	cmd.exe

pid	process
1376	nasuw.exe
316	jukub.exe

pid	process
1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
1376	nasuw.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenasuw.execmd.exejukub.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nasuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jukub.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

jukub.exe

pid	process
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe
316	jukub.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exenasuw.exe

description	pid	process	target process
PID 1908 wrote to memory of 1376	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nasuw.exe
PID 1908 wrote to memory of 1376	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nasuw.exe
PID 1908 wrote to memory of 1376	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nasuw.exe
PID 1908 wrote to memory of 1376	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	nasuw.exe
PID 1908 wrote to memory of 2092	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 1908 wrote to memory of 2092	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 1908 wrote to memory of 2092	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 1908 wrote to memory of 2092	1908	3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe	cmd.exe
PID 1376 wrote to memory of 316	1376	nasuw.exe	jukub.exe
PID 1376 wrote to memory of 316	1376	nasuw.exe	jukub.exe
PID 1376 wrote to memory of 316	1376	nasuw.exe	jukub.exe
PID 1376 wrote to memory of 316	1376	nasuw.exe	jukub.exe

C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe
"C:\Users\Admin\AppData\Local\Temp\3992c40a3facb1621e3289a8f27de223643c750846bc3df81b9bed3c8312116b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\nasuw.exe
  "C:\Users\Admin\AppData\Local\Temp\nasuw.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\jukub.exe
    "C:\Users\Admin\AppData\Local\Temp\jukub.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8ce8b29932ebadf525fb715e36148a52

SHA1
6ebcdfc2916987af7c6adabbbe3731614a745f6a

SHA256
4daef5587fdbc87677e9b08a1bc616a354407aa3137606ef19dfd5ca52a28093

SHA512
11dd37baa32ae031ebafb3fa5b694f330b6c614cdfd85b0521bc967a8f37296c761858b33e37b86d5c6c38c7cd9a10c65d6e67fa62bb308e71be352ec7c9b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7a7c509d77d1d9b0a85c0569378d129d

SHA1
49c4c620ea7adaa5a72d5839b8cc613e28fa4c9d

SHA256
a4fd49eb269bd9eb03dc1c6515a8cf2fac197ef79752e04259d951dd5b6e8fb7

SHA512
2595aa67e8e6d3ab46450ffa9865d6989d44424580e2bb176b05462997a255a7314841c6e1a3d9446c68582fe96b93ea7f62ba807f7c340fa8ff606d7c93129c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jukub.exe

Filesize
172KB

MD5
c42252230cc6aa836cf1ec506db4bfb0

SHA1
ca9b6258eb3c1018d17753444d87d2d86f1ba4fc

SHA256
34e3f897f5ccb34b5921a38f1a1a94ce2d5f529b8a13b78c5af19bfdaedb678b

SHA512
bbe26ad0ddf881b371f89f6b4d3152f403b028247cfda2483e7dcdf6aff2641cab55b8d135b15355845a9b93a8edd4c85d0abcd790018cbcad1b1609071c5e24

Download Submit
\Users\Admin\AppData\Local\Temp\nasuw.exe

Filesize
332KB

MD5
3a9423119c955278210b33c7b60a502e

SHA1
06b5a3e77ceab8d19cecc99f56ede208d14394ce

SHA256
d6c9803fa937423455ad72a105b2874d870e04693357002ecac31b8c5ab5fe66

SHA512
69e5135daa656a86217e0f3813a0d6d7f8753585631a61abe0e726f7a59488f1a266840e4ffe4ac4dd7e0317f81a1cc8f194e232ecde2b221088b351145ae135

Download Submit
memory/316-52-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-51-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-50-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-49-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-48-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-44-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/316-43-0x00000000012B0000-0x0000000001349000-memory.dmp

Filesize
612KB

Download
memory/1376-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1376-39-0x0000000000E80000-0x0000000000F19000-memory.dmp

Filesize
612KB

Download
memory/1376-24-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/1376-42-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/1376-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1376-18-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/1908-20-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/1908-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1908-15-0x00000000025B0000-0x0000000002631000-memory.dmp

Filesize
516KB

Download
memory/1908-0-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads