urelas | 5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5

General

Target

5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Size

334KB
MD5

aae5733bb4ed466d348eb25664f48520
SHA1

94bb4c32f47fd90713f29669a96446d2d09a31db
SHA256

5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5
SHA512

8c7372c3a0f08727c2a5600ae1f4f8384a6c0348c0e6702992ef722791f5808a046b243e6ea8f7528b93f45aab9b1eca5b5bca6b382ff49d5170f2c3afbacf62
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOcF:vHW138/iXWlK885rKlGSekcj66cin

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2836	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1996	bewoo.exe
2764	giviu.exe

Loads dropped DLL 2 IoCs

pid	Process
2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
1996	bewoo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giviu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bewoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe
2764	giviu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1996	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	31
PID 2980 wrote to memory of 1996	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	31
PID 2980 wrote to memory of 1996	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	31
PID 2980 wrote to memory of 1996	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	31
PID 2980 wrote to memory of 2836	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	32
PID 2980 wrote to memory of 2836	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	32
PID 2980 wrote to memory of 2836	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	32
PID 2980 wrote to memory of 2836	2980	5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe	32
PID 1996 wrote to memory of 2764	1996	bewoo.exe	35
PID 1996 wrote to memory of 2764	1996	bewoo.exe	35
PID 1996 wrote to memory of 2764	1996	bewoo.exe	35
PID 1996 wrote to memory of 2764	1996	bewoo.exe	35

C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe
"C:\Users\Admin\AppData\Local\Temp\5d5dec0508d48e421d735f3f50ea787460dc7db1ed77285d1152bb44719712e5N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\bewoo.exe
  "C:\Users\Admin\AppData\Local\Temp\bewoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\giviu.exe
    "C:\Users\Admin\AppData\Local\Temp\giviu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
6cc0a0f85e04a320a865639a8416b503

SHA1
856723f3b651c5aa3eae579152a689133656723c

SHA256
104a99d9ac9258a2b7dccb5bb28a849cc22743fa370169e327626227afec2555

SHA512
7cd76b3422bfcd0dea7f5e821192e40000d5efda8a3d584e59a12a7f7e0b2b666553f4e2e394803621d36f2e4279056171badeb2568af4358ada1c3f2151b7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bewoo.exe

Filesize
334KB

MD5
cce4c1ae12cfb43ab9191099d4617bea

SHA1
b07ec3ef5a187a3db6c9eac17c43035f2a629806

SHA256
78354c7f2a9e2bd3f3a9b83197a53f77a89373a89e6aa691b473208d17b8a875

SHA512
656d90203cf71d947990c1a38ff0a5a03dc09a47ce277bb5bae800584d9e125d044639a37221032079e5701b3f967dfb2e7a05e459fc1ef732b596bd4160f2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
ec1521d565542fa8adbac634cd261d27

SHA1
4be395194ea91c496c7bcd241ffe09b4d6c93797

SHA256
49356e97514977b468618a7f826abd7b4a18820f2ec3300852a4719207dc8a39

SHA512
d0932d372722947c48a9b2a728aea44d54f61831aa00be7ce50c53025225b8d6137356ed38bd179e1fe2ff79017d9a2dec7f548dfb1295a10f2a65adbd6e6090

Download Submit
\Users\Admin\AppData\Local\Temp\bewoo.exe

Filesize
334KB

MD5
c240f3745097d55a9fc1f9c35f0de4a1

SHA1
0e8f892e09b2f2473ca0fec7b0c93c19da185b85

SHA256
622c0cd2780f98389c2ed08f068fe86819af07ed749bc22f87f20da5d0309eb5

SHA512
eaa523840af0acaca5e0480662b89c121f7c7bdb5787a99e2af948e00e3fb2b49bc02ab1364a40559e261105d0e976daac072bdf1f34e1e45ef50164a06fa1f5

Download Submit
\Users\Admin\AppData\Local\Temp\giviu.exe

Filesize
172KB

MD5
9702f42c8991678e6186e788d222d0b8

SHA1
e31a99280d465718f4e66929aa46322e29055dd2

SHA256
799245d8f24243bade95fcdbe0d99acaedb7926052a7f08c07ff07b78283ddf9

SHA512
4a7b6e516ec9ac4655eff922fefcf26fd918a856960b8eff6232895369cde1d005932058749df87eb76f184ca6d74f34b74e90db284c140505e57f748da23c5e

Download Submit
memory/1996-23-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/1996-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1996-16-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/1996-35-0x0000000003310000-0x00000000033A9000-memory.dmp

Filesize
612KB

Download
memory/1996-40-0x00000000012C0000-0x0000000001341000-memory.dmp

Filesize
516KB

Download
memory/2764-44-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/2764-41-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/2764-47-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/2764-48-0x0000000000200000-0x0000000000299000-memory.dmp

Filesize
612KB

Download
memory/2980-19-0x0000000001100000-0x0000000001181000-memory.dmp

Filesize
516KB

Download
memory/2980-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2980-0-0x0000000001100000-0x0000000001181000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing