urelas | 6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917

General

Target

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
Size

537KB
MD5

19da4be68c766a22e7e2a3bbbd408176
SHA1

f7c6da09241d7b456a90a605e992d2b9ee8ce809
SHA256

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917
SHA512

0191cc54def6eab7f2d0afd80cf4706bde7e3c28ead0e5c4ad764e27b44954565e8809419f02d6b6c65e1d29afbbd2c832269801f57faefcbd79db5f1206ae8b
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPt:q0P/k4lb2wKatt

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2824	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

unzul.exerebuc.exe

pid	Process
2692	unzul.exe
1884	rebuc.exe

Loads dropped DLL 2 IoCs

Processes:

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exeunzul.exe

pid	Process
2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
2692	unzul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

unzul.execmd.exerebuc.exe6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rebuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

rebuc.exe

pid	Process
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe
1884	rebuc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exeunzul.exe

description	pid	Process	procid_target
PID 2112 wrote to memory of 2692	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	31
PID 2112 wrote to memory of 2692	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	31
PID 2112 wrote to memory of 2692	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	31
PID 2112 wrote to memory of 2692	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	31
PID 2112 wrote to memory of 2824	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	32
PID 2112 wrote to memory of 2824	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	32
PID 2112 wrote to memory of 2824	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	32
PID 2112 wrote to memory of 2824	2112	6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe	32
PID 2692 wrote to memory of 1884	2692	unzul.exe	35
PID 2692 wrote to memory of 1884	2692	unzul.exe	35
PID 2692 wrote to memory of 1884	2692	unzul.exe	35
PID 2692 wrote to memory of 1884	2692	unzul.exe	35

C:\Users\Admin\AppData\Local\Temp\6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe
"C:\Users\Admin\AppData\Local\Temp\6fe7084a408f6e386566cb448c72cb028fbfc520bf6a4559a7e8628881bdd917.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\unzul.exe
  "C:\Users\Admin\AppData\Local\Temp\unzul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\rebuc.exe
    "C:\Users\Admin\AppData\Local\Temp\rebuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
7344ad83ddb78044aa86aedb03cbbcba

SHA1
5bdd6d2bcf153c607408f54fc3cae4a60faea231

SHA256
8f5df0c8bfc4473ecf7718d4784bdd7c5e1c47b9803779781f49a877bfe5b683

SHA512
2c73fa30e537a12dd1287a347a9b8dc0862aab4876400f3a55c48a2438992d1e370ed866d0211c768e8fbdc2b0e63ed1c02129324200eda7457b4070fd336d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a78683ad03732c8f8cb92b7ba613a6e4

SHA1
e3f1319d4350446fa4b40a0c50c21f6a2b362536

SHA256
d7740149fbe40f87eb5887d4511800718bcd72b287b16cf17bbed7bd6c5bfaf7

SHA512
559c47607cfe67c856d43b3c984d327937ef24165ace648ee40abdd96b21e44e1a19e40a39996a26c003998a7c5d0c445d4ee2b4e8ca0362e9c5708ae593bc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\rebuc.exe

Filesize
236KB

MD5
48237fdbcef268b54efc66f5d48ee62f

SHA1
0bc8bfb58e1c368698813380ed323745bf3760fa

SHA256
535e24ed7d7b7887e12dd460cc97eeb72e8f15eaed8674e2c1c6e15881ba8f45

SHA512
c52e58bbdfbc4f11acc5d848809a88db6a62931deebb42a08d1f91d160725dcddff95449c9700a0b07686d853ab7cae3993df4ac50624ef164820a75ada402a6

Download Submit
\Users\Admin\AppData\Local\Temp\unzul.exe

Filesize
537KB

MD5
db11047200638c98cb9740064797e7db

SHA1
f17566144cbffe0c88c378cdf8f9275bc95e8545

SHA256
86d3469f3e7565d333ea75051a202639b82e44ad30537fbf73605dbdc2470a99

SHA512
ef5b0d92230a47e304eee7d8c215da8bed759d8d8072cf911dc9773e7585a84a250be1abdf85db6cf9c54a4899fd7ac1fe7504b75933ccae3c9b0f72a87b2128

Download Submit
memory/1884-29-0x00000000012E0000-0x0000000001383000-memory.dmp

Filesize
652KB

Download
memory/1884-31-0x00000000012E0000-0x0000000001383000-memory.dmp

Filesize
652KB

Download
memory/1884-32-0x00000000012E0000-0x0000000001383000-memory.dmp

Filesize
652KB

Download
memory/2112-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2112-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2692-16-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2692-20-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2692-26-0x0000000003510000-0x00000000035B3000-memory.dmp

Filesize
652KB

Download
memory/2692-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads