urelas | fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53

General

Target

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
Size

444KB
MD5

dc78472cd99e4ac4e4cec9da36003550
SHA1

280d157f9be93a5100249ecc8b83877b8d9a13c6
SHA256

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53
SHA512

c1f9168a62ec3516be52f3d8f923b2f9154169b7dfe3dafb44fb11483cdeddd744302b04b4f1895f9a4b5db78eafa38b0dadd2fc00b29a7311bf32f9c56bf0d0
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMC:rKf1PyKa2H3hOHOHz9JQ6zBj

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

zihoi.exeneijk.exe

pid	Process
2760	zihoi.exe
768	neijk.exe

Loads dropped DLL 2 IoCs

Processes:

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exezihoi.exe

pid	Process
2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
2760	zihoi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exezihoi.execmd.exeneijk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zihoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neijk.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

neijk.exe

pid	Process
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe
768	neijk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exezihoi.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 2760	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	30
PID 2644 wrote to memory of 2760	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	30
PID 2644 wrote to memory of 2760	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	30
PID 2644 wrote to memory of 2760	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	30
PID 2644 wrote to memory of 2676	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	31
PID 2644 wrote to memory of 2676	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	31
PID 2644 wrote to memory of 2676	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	31
PID 2644 wrote to memory of 2676	2644	fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe	31
PID 2760 wrote to memory of 768	2760	zihoi.exe	34
PID 2760 wrote to memory of 768	2760	zihoi.exe	34
PID 2760 wrote to memory of 768	2760	zihoi.exe	34
PID 2760 wrote to memory of 768	2760	zihoi.exe	34

C:\Users\Admin\AppData\Local\Temp\fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe
"C:\Users\Admin\AppData\Local\Temp\fe0a217ee13495f3a1afbe29988ebe2babd55e0c10866eb138b2ec17bf9f1b53.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\zihoi.exe
  "C:\Users\Admin\AppData\Local\Temp\zihoi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\neijk.exe
    "C:\Users\Admin\AppData\Local\Temp\neijk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7c3357302c850bfddef32fb4db2a2146

SHA1
93ea0dbf6476cead861d1f977c4420967e3f85cc

SHA256
ca43ce734faee601448fe551733ad782b0ea119e8834e45a8a2883e5ec3566cc

SHA512
c9aaf8e04634b5610019649f3fffdffd045b01e3aa3bff046d45a224eb4ab78c248f43ab9b736490fd761ad174482297407e70c5fecc71b1a4dd0528696c52d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
44c108f52809571209e490f98e206516

SHA1
14adcb6ee4c1cf783bf2027ae089e6f452f16460

SHA256
fdda226f6054d70b202bc31c7e36a60e2979858f772724a10467b65144eff9b0

SHA512
6249b787426456760d6ebe3c661004eb8e24b40eed5a2c75c050940f86888ec3a88572c3d888b922ac8d6b04d67ec0024104e1cd68372af0117bd392a6d8116a

Download Submit
\Users\Admin\AppData\Local\Temp\neijk.exe

Filesize
230KB

MD5
e6259686170025374341651e910439b6

SHA1
d1a59409842e979c47e131ad45a69a9aa0dd1dc7

SHA256
d2093e2338e31249d12812861a038bd2a45b288450dcfe5867e201c8e3d6f6e9

SHA512
ee8de470e6790354a9b725ba3d9f6382e2daddbc8b795f1832a3a8fe3a4501b23a86eb6ea6c58da5ccdea52977dae2794e17f18a339054835fc557ae89390bfd

Download Submit
\Users\Admin\AppData\Local\Temp\zihoi.exe

Filesize
444KB

MD5
a29701d3ab968f3e96682af2df514777

SHA1
56a57607bcc71af0ccf3f41efb7492453f7d2671

SHA256
3cdac9189cffba0ecba38219378995e9a67a97f41704293248fe8adcf86c3d8c

SHA512
38ebc3fb719c6c1b2a6fd7f459cd5c1d0cd14be4cd1e0d8b39f4f282c8ffba134762f078c34a3772992cef7339d091830ff89d71a0c5c20e1c34816dd9413305

Download Submit
memory/768-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/768-33-0x00000000003E0000-0x000000000047E000-memory.dmp

Filesize
632KB

Download
memory/768-34-0x00000000003E0000-0x000000000047E000-memory.dmp

Filesize
632KB

Download
memory/2644-17-0x0000000002450000-0x00000000024BE000-memory.dmp

Filesize
440KB

Download
memory/2644-16-0x0000000000CA0000-0x0000000000D0E000-memory.dmp

Filesize
440KB

Download
memory/2644-21-0x0000000002450000-0x00000000024BE000-memory.dmp

Filesize
440KB

Download
memory/2644-0-0x0000000000CA0000-0x0000000000D0E000-memory.dmp

Filesize
440KB

Download
memory/2760-18-0x0000000000F40000-0x0000000000FAE000-memory.dmp

Filesize
440KB

Download
memory/2760-22-0x0000000000F40000-0x0000000000FAE000-memory.dmp

Filesize
440KB

Download
memory/2760-27-0x0000000003370000-0x000000000340E000-memory.dmp

Filesize
632KB

Download
memory/2760-29-0x0000000000F40000-0x0000000000FAE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads