urelas | 07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca

General

Target

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Size

330KB
MD5

0287a47c2cd95341f1ab1b29438eac59
SHA1

228e48db10142555d09e612015cc860603df4aed
SHA256

07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca
SHA512

c3e45428955053a8529237f908b711cc2ece3487f284ea92824036ce1080f2071447829040dfae389e6ccf15deddf220ba92998ec60ad95370c33562c567dbdb
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOF+:vHW138/iXWlK885rKlGSekcj66ciq+

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1856	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2280	zoofe.exe
860	otlur.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
2280	zoofe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zoofe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otlur.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe
860	otlur.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2280	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	30
PID 3052 wrote to memory of 2280	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	30
PID 3052 wrote to memory of 2280	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	30
PID 3052 wrote to memory of 2280	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	30
PID 3052 wrote to memory of 1856	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	31
PID 3052 wrote to memory of 1856	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	31
PID 3052 wrote to memory of 1856	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	31
PID 3052 wrote to memory of 1856	3052	07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe	31
PID 2280 wrote to memory of 860	2280	zoofe.exe	34
PID 2280 wrote to memory of 860	2280	zoofe.exe	34
PID 2280 wrote to memory of 860	2280	zoofe.exe	34
PID 2280 wrote to memory of 860	2280	zoofe.exe	34

C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe
"C:\Users\Admin\AppData\Local\Temp\07fc5dee5d8f828ce366aafc33f0a66df73876b8a4a350cabd1a52ae540c6bca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\zoofe.exe
  "C:\Users\Admin\AppData\Local\Temp\zoofe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\otlur.exe
    "C:\Users\Admin\AppData\Local\Temp\otlur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
771fa4d03ae459e185d1571c142745bd

SHA1
b767e9597db7cf75b4d012762fbd9f53d99bf862

SHA256
417291890d62c7ae0804026988b90379fdc1c5d05c8d04bafe89a2b32dfd4c30

SHA512
3865ff0477f1d8679fa0e71ae76ff31a9512e23b10513bd0cc58bb58d81d60a1c1c35c26aa68673a74b0fd76052fdf797935bfd30f8f9590a83adc82e42f475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a818a50adefbc98692a06cd667f98bf3

SHA1
3e520ab21efdb0fc89b6c377894a06f6f8d4cfa9

SHA256
f6be4bd745ab17d7bd22d246935d680a2346d5b0eeda766d5af9d86ac4439fb4

SHA512
9a1dd0f701a5a114535035e17ab9de63a47b76fe63f706054503b0f70fb5fac6de07eef5927288ce6378491bd7fa057383dbdc2281e033e342473553e2bbde42

Download Submit
\Users\Admin\AppData\Local\Temp\otlur.exe

Filesize
172KB

MD5
a2091515de21f71a10714c19d8238ea7

SHA1
21072514b2d1b3f1b753840225bef1a17ef8f5f5

SHA256
d2499de315e7b5d71fb3fb017acbdb807da546ae859edce1b7f2d16f4bc8a457

SHA512
226f637a329bb5aa070c2c68789afce222fd21fd2692407ead4a4140f5c85f55f2d850a791d033617b35e58230d3eaa11feb016cdaee62141b21812db678ccfb

Download Submit
\Users\Admin\AppData\Local\Temp\zoofe.exe

Filesize
330KB

MD5
02a937098bf23c01638e0ec9b30cd132

SHA1
ff0feeb03ddf508f49ae0397e9c28d758b62aa43

SHA256
35e8d8be8f6b4bb6ed579d415a71558ec71635bdb3426e828620516d4ec77385

SHA512
4cbd661cfc177e5cbb7de141197953fc0a49c34d95a68f00daa3896f4e9362ca33188b7b381522186b6cae5f5f56a792a308bb301b0198e093df115fb1471e5d

Download Submit
memory/860-47-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/860-46-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/860-42-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/860-41-0x0000000000B10000-0x0000000000BA9000-memory.dmp

Filesize
612KB

Download
memory/2280-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2280-24-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2280-11-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/2280-39-0x0000000000100000-0x0000000000181000-memory.dmp

Filesize
516KB

Download
memory/3052-9-0x0000000002730000-0x00000000027B1000-memory.dmp

Filesize
516KB

Download
memory/3052-0-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download
memory/3052-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3052-21-0x0000000000200000-0x0000000000281000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing