urelas | 0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6

General

Target

0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
Size

507KB
MD5

08be228d25d342d7d76e3bb621843201
SHA1

717d3fd3706ba34fe32f8e1fb356148b065d37bb
SHA256

0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6
SHA512

8f8d3ee48233f3a5c1f5ac6fb2d788e5968767b5a5f9cf01a78283c32e8f9197fb8531f6f615bb9e104c4d008b14874160f1a0f8e5786086eaf8c8c58bb3ebff
SSDEEP

12288:kdBNKTCqqwXCcdgT89+MvA+BisqYpxHte:kLjQC+fs0M

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2424	tuavu.exe
2840	ziheq.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
2424	tuavu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tuavu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziheq.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe
2840	ziheq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2424	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	30
PID 2420 wrote to memory of 2424	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	30
PID 2420 wrote to memory of 2424	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	30
PID 2420 wrote to memory of 2424	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	30
PID 2420 wrote to memory of 2212	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	31
PID 2420 wrote to memory of 2212	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	31
PID 2420 wrote to memory of 2212	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	31
PID 2420 wrote to memory of 2212	2420	0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe	31
PID 2424 wrote to memory of 2840	2424	tuavu.exe	34
PID 2424 wrote to memory of 2840	2424	tuavu.exe	34
PID 2424 wrote to memory of 2840	2424	tuavu.exe	34
PID 2424 wrote to memory of 2840	2424	tuavu.exe	34

C:\Users\Admin\AppData\Local\Temp\0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe
"C:\Users\Admin\AppData\Local\Temp\0eb781de51bf989edd869692c26b6ab17863ff3c93aa733cb0d6637c81ae02c6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\tuavu.exe
  "C:\Users\Admin\AppData\Local\Temp\tuavu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\ziheq.exe
    "C:\Users\Admin\AppData\Local\Temp\ziheq.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
254912bb78910d0fbbc70995e6f392b4

SHA1
c33299a8d59e0f741e38c87badff83fd00e1c146

SHA256
317f363bb7a7c0b4cbd31a05085e1e712d7b6159509f3c0d0119ad8b383a5318

SHA512
717629c1c7915cddd57d6059eb03fc0a8b1844044fa829cd03ad24ef1e113a234b2d8efe70d07718a9ddd853ca264e27192e5331670f308e6401341f48e071c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1683f471ccf16366c5673e578c63b0bb

SHA1
be17d301c41b9b49804f662348b769f7146b4cc7

SHA256
7b16ef23dbc0df93da7ae8b5bedfb79b4df6179f8e07505992ac36744a8396a1

SHA512
d0762168eb647f95760ed7b70c57edc34a1907f64b1992614558cc2efcf5f3382cf50179179135532e75662ec1b435efd96d22cc2941fc709412eecbc159469e

Download Submit
\Users\Admin\AppData\Local\Temp\tuavu.exe

Filesize
507KB

MD5
058b49730c6d1a1f6c83ef0c0f2fdf1b

SHA1
c7eacd0b8fe3988385fd7f92ece9b78f3aeeeca0

SHA256
4bc990bf09cf71729181f48ef47201d00ffed8429d8c8fe9360688d4420376f7

SHA512
4f7d29094553f673998a1732bd410cae5ba8bec2e34d01832570d05e19684abc45879d7effc333c3fabf78e7b7849fb468dce5850cf7fae90f91ba3973bfae15

Download Submit
\Users\Admin\AppData\Local\Temp\ziheq.exe

Filesize
241KB

MD5
6801209f931a65954eca22a479dd2b25

SHA1
b2d4347aa913cda7d714a3523207fb3edea16b82

SHA256
0a9a3b7012e97016506ee8c5009a1d15ea79c05c6b345786cbeb2dec4398e157

SHA512
cadedf7ed614db7be3961d52928b99d5aa0378e9063b34d009c20b0ba8720907a9fc9f8fee2d154b9664b686754dad71480675e8a2f73a636dcaee149d1f56a1

Download Submit
memory/2420-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2424-25-0x00000000030C0000-0x0000000003176000-memory.dmp

Filesize
728KB

Download
memory/2840-26-0x00000000003C0000-0x0000000000476000-memory.dmp

Filesize
728KB

Download
memory/2840-28-0x00000000003C0000-0x0000000000476000-memory.dmp

Filesize
728KB

Download
memory/2840-29-0x00000000003C0000-0x0000000000476000-memory.dmp

Filesize
728KB

Download

Analysis

Sharing