urelas | 177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9

General

Target

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Size

553KB
MD5

d6c7c30a81e11dc1c86a310a1ae80961
SHA1

7c363777198b30a0f8e90df768f51396eb3d78a1
SHA256

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9
SHA512

d85a4cef7b216f99e0da92b8b147659ec18e3e5ae17dcb4014aca1d599464e44bc0ca7d78bc2ac3f7f345e2270416f7a35693aa325df50690275924b2f7b2caf
SSDEEP

12288:++GtVfjTQSaoINAHT1VQ1i3SyQEW85gzlee:+rt4/NArwjs5olB

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2752 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

nuhys.exeunawa.exe

pid process

2740 nuhys.exe
2096 unawa.exe
Loads dropped DLL 2 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exenuhys.exe

pid process

2860 177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
2740 nuhys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2752	cmd.exe

pid	process
2740	nuhys.exe
2096	unawa.exe

pid	process
2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
2740	nuhys.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exenuhys.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nuhys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exenuhys.exe

description	pid	process	target process
PID 2860 wrote to memory of 2740	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	nuhys.exe
PID 2860 wrote to memory of 2740	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	nuhys.exe
PID 2860 wrote to memory of 2740	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	nuhys.exe
PID 2860 wrote to memory of 2740	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	nuhys.exe
PID 2860 wrote to memory of 2752	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 2860 wrote to memory of 2752	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 2860 wrote to memory of 2752	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 2860 wrote to memory of 2752	2860	177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe	cmd.exe
PID 2740 wrote to memory of 2096	2740	nuhys.exe	unawa.exe
PID 2740 wrote to memory of 2096	2740	nuhys.exe	unawa.exe
PID 2740 wrote to memory of 2096	2740	nuhys.exe	unawa.exe
PID 2740 wrote to memory of 2096	2740	nuhys.exe	unawa.exe

C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe
"C:\Users\Admin\AppData\Local\Temp\177bf16b1f55ba10c701e1af03e331fb11dfa9f935f5ffc6779feb0638796bb9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\nuhys.exe
  "C:\Users\Admin\AppData\Local\Temp\nuhys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\unawa.exe
    "C:\Users\Admin\AppData\Local\Temp\unawa.exe"
    3⤵
    - Executes dropped EXE
    PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
0f8b90ae5876106b0173d2f6bb3c96c3

SHA1
44ae65b3871372c78bc3a6ac75e146a2e010026b

SHA256
e342bf119c88732bbedd6943e31f01255614c34f20079e5958da30a96e802910

SHA512
ebcc4af2c96e6c919594316d1317e3b2cd471774f030bd645ada4d8a3c6010a36b582df29c4e8b83a39ffd779373ac8411931c77931052ddcfa9e0b5f5bdebf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
3210a530f8ee745bae1b27f26e2c21a0

SHA1
1729bc58969d10f3a6069608aa8622942e065fa0

SHA256
df23b811f52647be1fcbb8664f766844c09123d5d3d6b9ec08eae19f1219b668

SHA512
90911fbd9f786d93b6312e66738a9d0b49020b666f229b3ec522c6e8787fe13f0071feaf7f964d18220f0356239f5649b9e4c982c3ff6bbb50662704b9235ae7

Download Submit
\Users\Admin\AppData\Local\Temp\nuhys.exe

Filesize
553KB

MD5
8298c00a598fdce8169bdd35bea3fe33

SHA1
ec17c251f12566e1b241d45dcd4227596ea753bd

SHA256
ba4538e5c915959e5471d046d8a9dee03c08e98e2fdb3ea49b32cf3ce536452e

SHA512
b4b4a8ddf71fc79bef7b939fbda6ac9f3ac8ccfa903c882f8df9917706bcb77597419af987defcc490766328297f1f85d1676f262ec6f6dc6e8f64f8427fbc3f

Download Submit
\Users\Admin\AppData\Local\Temp\unawa.exe

Filesize
231KB

MD5
3b4dd02bb00f76e3dd6446316359c46e

SHA1
9c324ad654263ba41c56c50543783b1c80661ece

SHA256
fdfec62393caab0e7cda7c03a41fab5a2945f34043f66757933145ede519bd47

SHA512
cd15dd2f48ea5d63f022a0282a1b66ac663fbe6f08964d54a34a221ad57cbd859d37aca0dff7598a0cf7f64a4a0ad2ef81827c8f8a6ceec30c5ce9b779038e1e

Download Submit
memory/2096-30-0x0000000001050000-0x0000000001103000-memory.dmp

Filesize
716KB

Download
memory/2740-10-0x0000000000020000-0x00000000000AF000-memory.dmp

Filesize
572KB

Download
memory/2740-21-0x0000000000020000-0x00000000000AF000-memory.dmp

Filesize
572KB

Download
memory/2740-28-0x0000000000020000-0x00000000000AF000-memory.dmp

Filesize
572KB

Download
memory/2740-26-0x0000000003470000-0x0000000003523000-memory.dmp

Filesize
716KB

Download
memory/2860-0-0x0000000000C80000-0x0000000000D0F000-memory.dmp

Filesize
572KB

Download
memory/2860-8-0x0000000000BD0000-0x0000000000C5F000-memory.dmp

Filesize
572KB

Download
memory/2860-18-0x0000000000C80000-0x0000000000D0F000-memory.dmp

Filesize
572KB

Download

Analysis

Sharing