urelas | c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c

General

Target

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Size

597KB
MD5

8fd85ee4b09ceab66733ac13dbf09e1d
SHA1

0bf74e1ba4927b718ae922b89f149fb75236efd0
SHA256

c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c
SHA512

3ba8695775b981fe2ad4a8ee025dea547d58789213849b2b681448452b2921fe43876dfa7a2aece26aaee3aed10366761c159c1b829ffb5022c997d0fe4dc3bc
SSDEEP

6144:KzU7blKaPcbhj+bB7ktZeRnVDJm0oNjOPdInpB8:MU7MLb4BQkntwNjqdx

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2812	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2592	coboj.exe
2128	fuybn.exe

Loads dropped DLL 3 IoCs

pid	Process
2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
2592	coboj.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fuybn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coboj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe
2128	fuybn.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2592	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	30
PID 2852 wrote to memory of 2592	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	30
PID 2852 wrote to memory of 2592	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	30
PID 2852 wrote to memory of 2592	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	30
PID 2852 wrote to memory of 2812	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	31
PID 2852 wrote to memory of 2812	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	31
PID 2852 wrote to memory of 2812	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	31
PID 2852 wrote to memory of 2812	2852	c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe	31
PID 2592 wrote to memory of 2128	2592	coboj.exe	34
PID 2592 wrote to memory of 2128	2592	coboj.exe	34
PID 2592 wrote to memory of 2128	2592	coboj.exe	34
PID 2592 wrote to memory of 2128	2592	coboj.exe	34

C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe
"C:\Users\Admin\AppData\Local\Temp\c1964d400b55481e956d77346f7ad040e09b272bad96127365fb3e7281d3767c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\coboj.exe
  "C:\Users\Admin\AppData\Local\Temp\coboj.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\fuybn.exe
    "C:\Users\Admin\AppData\Local\Temp\fuybn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b45e2f663f7f9bc2d10eb8e125539218

SHA1
01e788019befaf86df514a2b888ee8041406c745

SHA256
e29e4674cb422acbffadff5f79d7f611cd78322d03913757cea07401bcfd2405

SHA512
25d818b7fbe97c858a6aa61424e553fc5056cc9f1c22759e107a40d3d6d6b5a099e488dad6e15c5cbe11ef0750e6d3c80aaa47b99bed89e79da451a4729b96e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\coboj.exe

Filesize
597KB

MD5
0011abf3f052a7a4c2b30aceb2d6fcc8

SHA1
7258641ad018379421c866bec0ca53427d96d3e7

SHA256
483342c4a37d3b3bf1e885dc9b5028459068a3f61d17bc3cb6dd4bb0dd892352

SHA512
0f2721f977a07eb737ad180a0ad6d0bf0c420f0846ce1149f5f946aecbdb77dee9f888190730d7d6362e97a4f04baa54790e288fc6ec5112dfeb916050b43969

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fb0b13bb62577d443451838994798057

SHA1
bc30336f99a40203a08ae374b21fcbcbc1dc5881

SHA256
170935a5d6e54ec0cbfcd8d963d7e306bbbd402dbd4c84914262d7a5abe8c120

SHA512
c1d1421fed73f44dba87f47096622671b32bf1c1c9480c3975fb180d3bd547c87b7d6fc2d3e62699b9ef347d9f138aa796eec4a4ea7a67d16fcc0783cc040465

Download Submit
\Users\Admin\AppData\Local\Temp\fuybn.exe

Filesize
211KB

MD5
7cf6213f6eed975c89d67fd4db7e48f3

SHA1
026e23195210748d14fa4e373e654a8ea409732b

SHA256
8c43410ea5e622adcd05e9d79e343019b5c2365ee3bfa646b4355dff7d87bd7f

SHA512
1058f35b63fd6482f160a8b449f9e6b2dbe75a35b52e8ba8d6dd8effd53692a1f7a0659710f954f201213afb0cb85e869228a7f15a2257075d09e813814bf04b

Download Submit
memory/2128-40-0x0000000000140000-0x00000000001F1000-memory.dmp

Filesize
708KB

Download
memory/2128-38-0x0000000000140000-0x00000000001F1000-memory.dmp

Filesize
708KB

Download
memory/2128-39-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2128-35-0x0000000000140000-0x00000000001F1000-memory.dmp

Filesize
708KB

Download
memory/2128-36-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2592-22-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2592-26-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2592-32-0x0000000003AD0000-0x0000000003B81000-memory.dmp

Filesize
708KB

Download
memory/2592-34-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2852-12-0x0000000002480000-0x0000000002515000-memory.dmp

Filesize
596KB

Download
memory/2852-25-0x0000000002480000-0x0000000002515000-memory.dmp

Filesize
596KB

Download
memory/2852-19-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2852-0-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2852-20-0x0000000002480000-0x0000000002515000-memory.dmp

Filesize
596KB

Download

Analysis

Sharing