urelas | a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528

General

Target

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Size

442KB
MD5

0e97fb91d36776868935265a493c0020
SHA1

f30211f2bcf09fc58dd129f454b38c2fc54e7618
SHA256

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528
SHA512

16f21fabc16f2026793163b07232280f47d620661cbe50661568eff65aa54131b172645e7bcfb4cb0bf731b24a831c74f1b34c9f2dacf7e57773c6565f2ac275
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGM5:rKf1PyKa2H3hOHOHz9JQ6zBA

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1452	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

suveb.exeneebh.exe

pid	Process
1904	suveb.exe
1464	neebh.exe

Loads dropped DLL 2 IoCs

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exesuveb.exe

pid	Process
2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
1904	suveb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exesuveb.execmd.exeneebh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suveb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neebh.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

neebh.exe

pid	Process
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe
1464	neebh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exesuveb.exe

description	pid	Process	procid_target
PID 2324 wrote to memory of 1904	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	31
PID 2324 wrote to memory of 1904	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	31
PID 2324 wrote to memory of 1904	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	31
PID 2324 wrote to memory of 1904	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	31
PID 2324 wrote to memory of 1452	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	32
PID 2324 wrote to memory of 1452	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	32
PID 2324 wrote to memory of 1452	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	32
PID 2324 wrote to memory of 1452	2324	a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe	32
PID 1904 wrote to memory of 1464	1904	suveb.exe	34
PID 1904 wrote to memory of 1464	1904	suveb.exe	34
PID 1904 wrote to memory of 1464	1904	suveb.exe	34
PID 1904 wrote to memory of 1464	1904	suveb.exe	34

C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe
"C:\Users\Admin\AppData\Local\Temp\a347bd0f8f685bde5f365596366d5b2eab7b0548e7eb67721a7cb74228cbe528.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\suveb.exe
  "C:\Users\Admin\AppData\Local\Temp\suveb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\neebh.exe
    "C:\Users\Admin\AppData\Local\Temp\neebh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3a634cc49790e2bc9da2bb9f70159dc2

SHA1
251cd153f8976c0b814612a394a0c5a10d1dff3c

SHA256
52146206755f0b2026399fd33daa8bbb9a41a6d33aa254383c45768dccad637a

SHA512
04d1e50cbf6391023bde91645d657a564e531c8db14051189019874da56fbb647704b95265ee57984800a4099727625549e26b406735b875153232439a2b6392

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
486137d99d24c3ba84346f1e9b75166c

SHA1
b4b337b3063903e90d3e088fb8e0bd47e8b509f4

SHA256
b268136448a79abb5f83d69b4dca9186cb1076630ef471f3071141c30dcdc54e

SHA512
e41704776d6fc2d7ccf25e37ddfa8285f0f754eb9b774a49c447ebf025ba3dc5aabc468fb43fe40c513d674942fc563d8e100d52b24688b7ca5f2161a1dfb34f

Download Submit
\Users\Admin\AppData\Local\Temp\neebh.exe

Filesize
230KB

MD5
64c2e5df704eb5920aa76f81cc412c5e

SHA1
9f4bd68a048e6d7e8829c0e231c4e065eb14acf6

SHA256
c34cad82e257e265ac080a2180826610da2f6f78feb695fde9a61f4489858253

SHA512
71926d52761569252039d5a705c63dd24f234794fb64897957b0d232f50bdeff3412da19b069f682e0059d73406c6827cdc1700305d3ff4128a918dd161e59a6

Download Submit
\Users\Admin\AppData\Local\Temp\suveb.exe

Filesize
442KB

MD5
baeba51452e313bc6d828ed7a0848e7a

SHA1
9c23404fb59260f7c2ffbe05fda3ed0c40b1ceed

SHA256
07c2acd36c0e03cf2d2fbd72e3f4b78a57c27a6491819ecc3bbf483ae0b68c6d

SHA512
e68095cf2fa367175cf58418cfad06311ce6f91b3a02a2e82a3af8f1d62fa858c71781a7cce6c6a7a1108e1cc2cdd24610da114c1fc948d913d1685c0e92c98c

Download Submit
memory/1464-33-0x0000000000C10000-0x0000000000CAE000-memory.dmp

Filesize
632KB

Download
memory/1464-32-0x0000000000C10000-0x0000000000CAE000-memory.dmp

Filesize
632KB

Download
memory/1464-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1904-18-0x0000000000C20000-0x0000000000C8E000-memory.dmp

Filesize
440KB

Download
memory/1904-21-0x0000000000C20000-0x0000000000C8E000-memory.dmp

Filesize
440KB

Download
memory/1904-26-0x0000000003680000-0x000000000371E000-memory.dmp

Filesize
632KB

Download
memory/1904-29-0x0000000000C20000-0x0000000000C8E000-memory.dmp

Filesize
440KB

Download
memory/2324-9-0x0000000000420000-0x000000000048E000-memory.dmp

Filesize
440KB

Download
memory/2324-17-0x0000000000D80000-0x0000000000DEE000-memory.dmp

Filesize
440KB

Download
memory/2324-0-0x0000000000D80000-0x0000000000DEE000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads