urelas | 97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a

General

Target

97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe
Size

462KB
MD5

4f4f2f0d0ede717fa4c814da6aafc544
SHA1

54d6704a8a3d19d58e7a8353b0ece3111f5642f1
SHA256

97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a
SHA512

9de1197056ad0a78e8441c2d091f14230597b8858f3e95c4a73c80538b891f504fb8b1831e3ad614011ca1d60f81a8498381378f9d57348f887230d8c8225d27
SSDEEP

6144:P8Eoe/IebBVMweZGhHdJBV70FVKLbfW2x8VyMsmD6gzOmjpi+pMJQ8uUm9unpmU:vDdUGhHdJ370FVKmP0Ml+gzzjp+lsuf

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

121.88.5.183

218.54.30.235

121.88.5.181

112.223.217.101

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2420	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1584	sander.exe
2344	ctfmom.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe
1584	sander.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sander.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe
2344	ctfmom.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1584	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	30
PID 2520 wrote to memory of 1584	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	30
PID 2520 wrote to memory of 1584	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	30
PID 2520 wrote to memory of 1584	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	30
PID 2520 wrote to memory of 2420	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	31
PID 2520 wrote to memory of 2420	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	31
PID 2520 wrote to memory of 2420	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	31
PID 2520 wrote to memory of 2420	2520	97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe	31
PID 1584 wrote to memory of 2344	1584	sander.exe	34
PID 1584 wrote to memory of 2344	1584	sander.exe	34
PID 1584 wrote to memory of 2344	1584	sander.exe	34
PID 1584 wrote to memory of 2344	1584	sander.exe	34

C:\Users\Admin\AppData\Local\Temp\97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe
"C:\Users\Admin\AppData\Local\Temp\97eaddf7869249e90318088be565316d75f62ed11bb0785e9f9eb40e36ab7e4a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\sander.exe
  "C:\Users\Admin\AppData\Local\Temp\sander.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\ctfmom.exe
    "C:\Users\Admin\AppData\Local\Temp\ctfmom.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_sannuyex.bat

Filesize
341B

MD5
747b8f8d2d89120747194f63c2aa0c5e

SHA1
c717c574d690af3d6128ed934a64858d8f9d46b2

SHA256
58ee3b3e3838eaba787fda410f9e6161f2e77490358cfaa82f72a79cf4b95ba5

SHA512
5363e2c9f8e8f5aa5c7f8156c872a40780c0f34f5d070ef78d17d2266e96e18b5ad69b49552d18cea8106a8881801be4724771f178c2cd61566eefc91cc23a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04113afab96ff36e7da4cabf336079cf

SHA1
2ab6a01f123c1ef4227cb134612749b67a237bf6

SHA256
8b3cc0c31002ffa60f497966a671ff1c0a23a6efa831bd2be2cfbee7588bac16

SHA512
68358e6ae577e59dd540c31d4cfcf56968d9b84416ffcd527867711165d78a9f351da0bf41afab96107b1dc736467b092f5b79be2b8f7f96f6871e4a0b5472e9

Download Submit
\Users\Admin\AppData\Local\Temp\ctfmom.exe

Filesize
221KB

MD5
db30ca2963dd13a0c1172e8356f4b515

SHA1
a83206a1925495c2e6c46b75fce8dffbae752933

SHA256
7261cde9180539e8b4b164a7e55eb6a647b5344d6464d05432f7a2d57ef16004

SHA512
bdb62e161224449eb0fc79dc4f71645d10690b3724aa4cf72b88e585083098bdee99a808fdd4710e4f64405221e99ad7cda2c481a3c05e309bdec058a379b7e2

Download Submit
\Users\Admin\AppData\Local\Temp\sander.exe

Filesize
462KB

MD5
0febab92022ca6a9e3101d525fe263f1

SHA1
65c8a54f8e042bae175c2a066a0c7e5c0f647fbe

SHA256
89a5785f7a6106e444565a374e1ae519c55fc23b8476838fb7367c28ee6317cd

SHA512
d3ca010cb2a8b230ce9f1ba14cd9f387a3929d0eadc390b6191a5bd09c82953fcb74176bffed47fd5a56f22c4682af3a9e8f6156de8c01c6d59fe219ddadd96b

Download Submit
memory/1584-27-0x0000000001190000-0x0000000001231000-memory.dmp

Filesize
644KB

Download
memory/1584-29-0x00000000013A0000-0x0000000001422000-memory.dmp

Filesize
520KB

Download
memory/1584-17-0x00000000013A0000-0x0000000001422000-memory.dmp

Filesize
520KB

Download
memory/1584-21-0x00000000013A0000-0x0000000001422000-memory.dmp

Filesize
520KB

Download
memory/2344-35-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-30-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-31-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-34-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-36-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-37-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2344-38-0x0000000000F70000-0x0000000001011000-memory.dmp

Filesize
644KB

Download
memory/2520-14-0x0000000002590000-0x0000000002612000-memory.dmp

Filesize
520KB

Download
memory/2520-0-0x0000000000020000-0x00000000000A2000-memory.dmp

Filesize
520KB

Download
memory/2520-18-0x0000000000020000-0x00000000000A2000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing