urelas | 5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757

General

Target

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
Size

537KB
MD5

d20fee1a424647bee9f78e3942ba37f9
SHA1

a2c0bf2a4ce15eb5a151eadd37a1d51e9e87e3ac
SHA256

5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757
SHA512

9bb9a502cee133b023d26d23e28a1037cb41f896e5c80e7e97f6e78eec42e53dceae1fa7600a9cd0bb9adb73b06f28be6442cb1eaada08de9afff8571a2b0e5f
SSDEEP

12288:q0nPhglq2Uyt4R/b2G/0hznQGoexBU/NPH:q0P/k4lb2wKatH

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2200	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2536	puwyy.exe
2952	lebeb.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
2536	puwyy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	puwyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lebeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe
2952	lebeb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2536	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2268 wrote to memory of 2536	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2268 wrote to memory of 2536	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2268 wrote to memory of 2536	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	30
PID 2268 wrote to memory of 2200	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2268 wrote to memory of 2200	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2268 wrote to memory of 2200	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2268 wrote to memory of 2200	2268	5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe	31
PID 2536 wrote to memory of 2952	2536	puwyy.exe	33
PID 2536 wrote to memory of 2952	2536	puwyy.exe	33
PID 2536 wrote to memory of 2952	2536	puwyy.exe	33
PID 2536 wrote to memory of 2952	2536	puwyy.exe	33

C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe
"C:\Users\Admin\AppData\Local\Temp\5a25b6a022c98a9c70a3b38394370dd1c94a9f56593b5e8a167b0c6290e7c757.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Users\Admin\AppData\Local\Temp\puwyy.exe
  "C:\Users\Admin\AppData\Local\Temp\puwyy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\lebeb.exe
    "C:\Users\Admin\AppData\Local\Temp\lebeb.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2eb983e8ced9ab28290b9e78fa44f80

SHA1
051ec107b9b7f56da21bd418b07489c414162000

SHA256
ad3ec2686dea0acd066b44085130ef74ac8fc02ac49452d000045557bade23b8

SHA512
df30a2c2b746442b37e4280e56605b0380a3f98bd0af45abb800f34cfd4fea33ace316131f1be74d0c1dcc720c29b4502d6a897a184ce9c89462b97d5a880332

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a90d14a5648d5f56fc3899c1ccf61a30

SHA1
bffeee16f7f4519fd4b679a70497c42f7c6e58f8

SHA256
40affd3ed54968b857d99cd9ed29b0846b9ce5531a2349444b258fdfca86cb4d

SHA512
fa9c4804acb63ed582fad4f7493fde862a6f5f3c8b16856fadc3f1d7a2a9e8e4257260d368aa2c1037bfd196919b61b8e6b901992c34ccff904a90da39335f6f

Download Submit
\Users\Admin\AppData\Local\Temp\lebeb.exe

Filesize
236KB

MD5
6758d35c59abb13298bb42bcceba81c7

SHA1
ef285704aa4d5aef4a3ebfd239fe8d5d53c31eb7

SHA256
67db9e3422450497e7465b838b128390df45facc38a7fb3efbdbd519985554fd

SHA512
1adbb9844e878862c496f6010f28f136364098fcd20a9f2bfb122b52b60e95e282aa6c082be0ebef9f95f5bc3cd2fab2076d270c269a9792d501083ea7d46feb

Download Submit
\Users\Admin\AppData\Local\Temp\puwyy.exe

Filesize
537KB

MD5
8c8c393b5ddf8e96eb65eb7a09f566e5

SHA1
77b27a74aa5f0d77a795bea0e8c37a3a8490f1c1

SHA256
0d0b8a091ddaae8cae9563c8db6aa2b2b0db4fa971d4800844bfba990d2109fe

SHA512
c5bd8e2fc6b1e412f08e679be90b703d6aca08c19015a7f75c15323034c40cd2108304d63ac6cc7967357c101e4bf8ba4fbba5a48292825d5d35a497ee28c91a

Download Submit
memory/2268-15-0x0000000002760000-0x00000000027EC000-memory.dmp

Filesize
560KB

Download
memory/2268-18-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2268-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2536-21-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2536-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2536-29-0x0000000003700000-0x00000000037A3000-memory.dmp

Filesize
652KB

Download
memory/2536-28-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2952-30-0x00000000003C0000-0x0000000000463000-memory.dmp

Filesize
652KB

Download
memory/2952-32-0x00000000003C0000-0x0000000000463000-memory.dmp

Filesize
652KB

Download
memory/2952-33-0x00000000003C0000-0x0000000000463000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing