urelas | 2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7

General

Target

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
Size

327KB
MD5

8683596a79ee62e258067bbadaa4e0b0
SHA1

2804b7a54623958f9feae3720d47cf43d190301c
SHA256

2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7
SHA512

776cf6027bfa30d32fb61e54cbed0e9a34a9e20e6645f83cf2e434952a7b9c641410b81ddd816570c41449ce30e90b33b21041d34ba43419526b9ff664fbc97d
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYQ:vHW138/iXWlK885rKlGSekcj66ciR

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2964	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	qoams.exe
536	liduz.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
2968	qoams.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liduz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoams.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe
536	liduz.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2968	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	30
PID 3024 wrote to memory of 2968	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	30
PID 3024 wrote to memory of 2968	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	30
PID 3024 wrote to memory of 2968	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	30
PID 3024 wrote to memory of 2964	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	31
PID 3024 wrote to memory of 2964	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	31
PID 3024 wrote to memory of 2964	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	31
PID 3024 wrote to memory of 2964	3024	2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe	31
PID 2968 wrote to memory of 536	2968	qoams.exe	34
PID 2968 wrote to memory of 536	2968	qoams.exe	34
PID 2968 wrote to memory of 536	2968	qoams.exe	34
PID 2968 wrote to memory of 536	2968	qoams.exe	34

C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe
"C:\Users\Admin\AppData\Local\Temp\2a7b234f1ba3a62f0ff1b2c5a0ff8ae792e503fe487d689fa50f3bd1576628f7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\qoams.exe
  "C:\Users\Admin\AppData\Local\Temp\qoams.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\liduz.exe
    "C:\Users\Admin\AppData\Local\Temp\liduz.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
2692d637d7f78045fac9c30c287958a8

SHA1
844e93e562fc43a9dd54f33dbbda9a45c563a822

SHA256
92a03c86295ab5505d930e81c1e20f12a980f6d7b35072df17e6ade92a27c06c

SHA512
697903d1820b0303b98af5a95cba388670e7bddaa83670260f5e21cafe534beb54e042ae265c9d03c82c5bda3bd5995b8e31e35193da7a1b62c97a07bc61e0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
f675fc6df2bff84785b4ddd27d6de3fa

SHA1
c4a7a8d256dc7385cf924ba38c75e352adf67fe6

SHA256
91fba69fb29afdd86812c6595f364fe34564b2186b86bbd6c061a8835186ccf7

SHA512
c3d5c3faba392fe302834339b08b75410c8c6c940a2c9c25143d564dd80c1fce872c89f67028773cafdcb1ef4ed7ec9ce94a6633daebed09a2c877004ea55b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\liduz.exe

Filesize
172KB

MD5
ddbb7726c3b6f8614e4ffa9e3cd93dd5

SHA1
c26f955f61c23e04bf2318986cd26dbe3ef4ed01

SHA256
5167361c647e4115ad5a7ae1d6fd81a56e069209b445e7f0a4b19ede0cfcecdd

SHA512
c26fa117686d0d53bc12981a7011102c902b8d08f41229c29a17eceba1efeb638d984f293a167743706cb6e61e4ed8c657d57eaa13948f3e584e1ad5aeaf333e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoams.exe

Filesize
327KB

MD5
7c978e23d2d8f99d12e498e2da50e62f

SHA1
b183ffc13c5ec1059ec6a56d1416b5e1cf672f1c

SHA256
180e7afc98bc616ce069cff0c576fbae68fb7bfe536e87855fe348082489ddd1

SHA512
6db579d1cec790ece2c0122054492d113a33500d5db720b37a9b5bc8f700c5162565bfa6eaa7e709e6bd29976e7fc4fc8d9d24c45fc0f18e88fd972028e1d78d

Download Submit
memory/536-43-0x00000000011E0000-0x0000000001279000-memory.dmp

Filesize
612KB

Download
memory/536-49-0x00000000011E0000-0x0000000001279000-memory.dmp

Filesize
612KB

Download
memory/536-48-0x00000000011E0000-0x0000000001279000-memory.dmp

Filesize
612KB

Download
memory/536-46-0x00000000011E0000-0x0000000001279000-memory.dmp

Filesize
612KB

Download
memory/2968-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2968-18-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2968-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2968-24-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/2968-39-0x0000000003D80000-0x0000000003E19000-memory.dmp

Filesize
612KB

Download
memory/2968-42-0x0000000000F20000-0x0000000000FA1000-memory.dmp

Filesize
516KB

Download
memory/3024-17-0x0000000002770000-0x00000000027F1000-memory.dmp

Filesize
516KB

Download
memory/3024-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3024-0-0x0000000001130000-0x00000000011B1000-memory.dmp

Filesize
516KB

Download
memory/3024-21-0x0000000001130000-0x00000000011B1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing