urelas | b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d

General

Target

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Size

689KB
MD5

882afb62ea28195617963f64df97091f
SHA1

c2c0b5729bd376f925b5e3a26298e6ffe48d3686
SHA256

b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d
SHA512

34f47a3f4f1899a8d69cf4961d81fabde06dae6e8257c2028cf9e59faf254d009245e311299818364c03673ea52aa321711d8759e4ffccd0b86d51ad7d918102
SSDEEP

12288:LUyI6hJQglQA0IWb8DmPySxEuBZDxywHBlP94jpguwDxXlZ1nh:dVh6gl6Iy8R9+ZdnnP94jpgl9Bnh

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
288	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3000	himac.exe
2596	ijneku.exe
1796	pedog.exe

Loads dropped DLL 5 IoCs

pid	Process
2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
3000	himac.exe
3000	himac.exe
2596	ijneku.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	himac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijneku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pedog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1796	pedog.exe
1796	pedog.exe
1796	pedog.exe
1796	pedog.exe
1796	pedog.exe
1796	pedog.exe
1796	pedog.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3000	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	30
PID 2756 wrote to memory of 3000	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	30
PID 2756 wrote to memory of 3000	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	30
PID 2756 wrote to memory of 3000	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	30
PID 2756 wrote to memory of 288	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	31
PID 2756 wrote to memory of 288	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	31
PID 2756 wrote to memory of 288	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	31
PID 2756 wrote to memory of 288	2756	b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe	31
PID 3000 wrote to memory of 2596	3000	himac.exe	33
PID 3000 wrote to memory of 2596	3000	himac.exe	33
PID 3000 wrote to memory of 2596	3000	himac.exe	33
PID 3000 wrote to memory of 2596	3000	himac.exe	33
PID 2596 wrote to memory of 1796	2596	ijneku.exe	34
PID 2596 wrote to memory of 1796	2596	ijneku.exe	34
PID 2596 wrote to memory of 1796	2596	ijneku.exe	34
PID 2596 wrote to memory of 1796	2596	ijneku.exe	34
PID 2596 wrote to memory of 1072	2596	ijneku.exe	35
PID 2596 wrote to memory of 1072	2596	ijneku.exe	35
PID 2596 wrote to memory of 1072	2596	ijneku.exe	35
PID 2596 wrote to memory of 1072	2596	ijneku.exe	35

C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe
"C:\Users\Admin\AppData\Local\Temp\b9b001fe5fc6b6a4c734d9dc796bef71fb26b9c70f9b30fa7525c9c163da918d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\himac.exe
  "C:\Users\Admin\AppData\Local\Temp\himac.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\ijneku.exe
    "C:\Users\Admin\AppData\Local\Temp\ijneku.exe" OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\pedog.exe
      "C:\Users\Admin\AppData\Local\Temp\pedog.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
340B

MD5
a404cd1e1c5dc4ff7980e95c6ac4fe61

SHA1
885c830c5d069378821c20259ec2f17d31b2d008

SHA256
e04933a8812a003e5d05600fb06d6f071a7e5af5415507c519d3fc5407d096b0

SHA512
64cceb358122187e637508190004eb64c6572fb71c749495c389e4dbaec996525adf8030407d848e32d5545aa49a940e0f48518931c080679776309c75aca944

Download Submit
C:\Users\Admin\AppData\Local\Temp\_vslite.bat

Filesize
224B

MD5
a40cf8be8108346e2bc3ca611909f4cf

SHA1
1824fe6aa0e3a31c47b788af618418c5bdfe13a4

SHA256
215438dc7f2c49a7afd1ba8673899795f68868f4da6f1552bb8372a002d6e6ef

SHA512
f75e9416f8db0f8b41cdcf00de525d65dbef359179ed5d06d308d267093d007c3f9c289211ce5f8048c056571a2d1aa3b1d9cab4437664de3dc8a259ea9a5b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
dbef593bccc2049f860f718cd6fec321

SHA1
e7e9f8235b4eb70aa99dd2c38009f2152575a8d0

SHA256
30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a

SHA512
3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5c1fc45b52425b0eb507ae6013e203eb

SHA1
006b2ee9a08ba8e28d58bf9f86179e7e9942cdee

SHA256
99ea92e13e84d18161106f47d065aa91a5638d5bc8af613c80f6908d7bf33c34

SHA512
97224db99fecb203d8852186caae9d4618df9aec3d96710ac6e001d35dd1121a04b5764202859c7012fe1f2bc2d1368b6f22d962902ad533cbff5e7383eec4d6

Download Submit
\Users\Admin\AppData\Local\Temp\himac.exe

Filesize
690KB

MD5
bc352074354d4dfebd84b9be68868633

SHA1
9581d9249ac3d8db3faa3deb72545ae4918b42cb

SHA256
34ca9d4e1e9bfe650365f7f8a4beeeb2116c38d11fde611f836aee975afc7b12

SHA512
0439c9a35ce280ab3abddb5f8c60e01e2be41b7e6cd793e1ccfc7767c8584473817505ad6165063db638346f190850a5896c5efa22e4ca84f650a0aafcdac97b

Download Submit
\Users\Admin\AppData\Local\Temp\pedog.exe

Filesize
469KB

MD5
5cdd76c63494168232df7be37277dfbb

SHA1
cd3a7b2ae075fc1b6e059cfb714eb61a20fbaae4

SHA256
b26197ca1587b83cd3f0d2a6d088180c9fd20af892f49fdeb45ace2e1a6c9a63

SHA512
951f496dabe623f47f7560669204522999cfd8dc208ef8e4e0e51d83da5471c188b8c878b69adbe6216a7a68bf1b382bf3bd7953b8d8b701e1a74e63091603aa

Download Submit
memory/1796-61-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1796-60-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1796-59-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/1796-55-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/2596-54-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2596-37-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2596-45-0x0000000003D50000-0x0000000003EE6000-memory.dmp

Filesize
1.6MB

Download
memory/2596-35-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2756-2-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2756-18-0x00000000028C0000-0x0000000002973000-memory.dmp

Filesize
716KB

Download
memory/2756-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3000-34-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3000-33-0x0000000003700000-0x00000000037B3000-memory.dmp

Filesize
716KB

Download
memory/3000-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download

Analysis

Sharing