urelas | 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04

General

Target

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Size

334KB
MD5

a52fd571b858e759fa3d71055f6eb4da
SHA1

244a27d85ea646e78cf4172f48c5dfb4ce19f676
SHA256

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04
SHA512

873b6207d64514e918c78b58d8aa287cc04253ac7304d7684f7d5a6972fd8ecce4ed14c8d07c09660b50e3599564ee7280116ba5dd3ee9d14b686c56f2e69fb6
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9:vHW138/iXWlK885rKlGSekcj66ciw

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2636 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

reqyz.exegacis.exe

pid process

2912 reqyz.exe
1688 gacis.exe
Loads dropped DLL 2 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exereqyz.exe

pid process

2136 2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
2912 reqyz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2636	cmd.exe

pid	process
2912	reqyz.exe
1688	gacis.exe

pid	process
2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
2912	reqyz.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exereqyz.execmd.exegacis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reqyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gacis.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

gacis.exe

pid	process
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe
1688	gacis.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exereqyz.exe

description	pid	process	target process
PID 2136 wrote to memory of 2912	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	reqyz.exe
PID 2136 wrote to memory of 2912	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	reqyz.exe
PID 2136 wrote to memory of 2912	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	reqyz.exe
PID 2136 wrote to memory of 2912	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	reqyz.exe
PID 2136 wrote to memory of 2636	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2136 wrote to memory of 2636	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2136 wrote to memory of 2636	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2136 wrote to memory of 2636	2136	2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe	cmd.exe
PID 2912 wrote to memory of 1688	2912	reqyz.exe	gacis.exe
PID 2912 wrote to memory of 1688	2912	reqyz.exe	gacis.exe
PID 2912 wrote to memory of 1688	2912	reqyz.exe	gacis.exe
PID 2912 wrote to memory of 1688	2912	reqyz.exe	gacis.exe

C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe
"C:\Users\Admin\AppData\Local\Temp\2ebc74c9c9ff4424780e08b61dd4d19408dfb850d1046f2fa1b9a157fc4b0b04.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\reqyz.exe
  "C:\Users\Admin\AppData\Local\Temp\reqyz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\gacis.exe
    "C:\Users\Admin\AppData\Local\Temp\gacis.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
20c83f80a5acec8c249db950cfc1da70

SHA1
7011eccce8a8f5f75bb918352da262a7ceedecf3

SHA256
7c238aeb10ae6f42e26b1d93b45a248da7d82b4a7f2a921497d88a224ed00d7c

SHA512
d465772a1a83ed1dce57a079966dee04e7c249d77bb53c0b9bf8b663920e8c4167da90d29f4b5d1009193f9efcda9c62f8909d90010df2d159912d19378e4de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e859505595a3c5282ad499904f202637

SHA1
10432464bf6f4dc62a1ad8e7e6334812a715f704

SHA256
316d3c1822bf5e5820aff3a254281395ac8febf169c36c23975777bb48d5f0dd

SHA512
554c71a8f0dc6a8a7988fbdeaf8bfd7f5cd58d870160e4a5c967b600bbb8cf57e3304a0705870924bfa264e2f9f6d15ad6920aa7e7aa931b145bcdaa8c08f08d

Download Submit
\Users\Admin\AppData\Local\Temp\gacis.exe

Filesize
172KB

MD5
986ba94743abd6e2f488d5affe9e89b8

SHA1
4e85b100f76ce4545dbd16f3b93bfd606ecc2bad

SHA256
cf02140984c475df79e846410ae7f51f169853ec48a23374731c89cbb061707f

SHA512
1e5127712ae4adf5aa854286bac7245dff680dd529f2c2711ee24ff370e6d9c0dff52e503b8c2687dd39c3c6baac5eacdb5d2e7fd24a45f740a3b487659760a9

Download Submit
\Users\Admin\AppData\Local\Temp\reqyz.exe

Filesize
334KB

MD5
709fe3fccbd9077f7743af511a5da0de

SHA1
fca6885967441b1dff3959f66f2df46840171068

SHA256
3e5c754a5993795671edd15fce48ac3b9d831e5cb4f013752499701c0341877d

SHA512
47ccebeb708c3b2c5b531ad5c53b607315917e8299ee6c68754721eb0982b1fc19bebc0bf8b43d0bff8ee9eac09fbc51fefaf022393b88a2450bd54cef31c2cb

Download Submit
memory/1688-46-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-39-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-50-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-49-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-48-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-47-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/1688-44-0x0000000000FB0000-0x0000000001049000-memory.dmp

Filesize
612KB

Download
memory/2136-7-0x0000000002060000-0x00000000020E1000-memory.dmp

Filesize
516KB

Download
memory/2136-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/2136-20-0x0000000000AD0000-0x0000000000B51000-memory.dmp

Filesize
516KB

Download
memory/2912-43-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/2912-37-0x00000000033A0000-0x0000000003439000-memory.dmp

Filesize
612KB

Download
memory/2912-23-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download
memory/2912-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2912-11-0x0000000000DC0000-0x0000000000E41000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads