urelas | 4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535

General

Target

4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
Size

341KB
MD5

ef13ce416ef6241e97b9204da5a97f80
SHA1

a5a5dc9810661beacbcf7c89f170ba23d13b5ca4
SHA256

4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535
SHA512

1295ce2980a0bc9f98699e76f82621461c0c0683f7a5b46300525fc5f9960d02d2299d5ebdd278cfefb7f3f697423e48284c4507b4047dbafb2c10bd127bef84
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYRcECHUI:vHW138/iXWlK885rKlGSekcj66ciaC0I

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	neevl.exe
1632	qoijh.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
2860	neevl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoijh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neevl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe
1632	qoijh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2860	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	30
PID 2700 wrote to memory of 2860	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	30
PID 2700 wrote to memory of 2860	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	30
PID 2700 wrote to memory of 2860	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	30
PID 2700 wrote to memory of 2728	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	31
PID 2700 wrote to memory of 2728	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	31
PID 2700 wrote to memory of 2728	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	31
PID 2700 wrote to memory of 2728	2700	4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe	31
PID 2860 wrote to memory of 1632	2860	neevl.exe	34
PID 2860 wrote to memory of 1632	2860	neevl.exe	34
PID 2860 wrote to memory of 1632	2860	neevl.exe	34
PID 2860 wrote to memory of 1632	2860	neevl.exe	34

C:\Users\Admin\AppData\Local\Temp\4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe
"C:\Users\Admin\AppData\Local\Temp\4aa4362ad4585e43505a8c156b04dba550977d3e106677e984e28d26c3304535N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\neevl.exe
  "C:\Users\Admin\AppData\Local\Temp\neevl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\qoijh.exe
    "C:\Users\Admin\AppData\Local\Temp\qoijh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f8547e48c36c345bb295f32db5698194

SHA1
df3724495be98d6dabbfd22941219b2c780b5eb5

SHA256
d3a2a3660f7adceef90ff20a118ff792f53d1c61e56e7c30190681a8820271b6

SHA512
81d519d024247b549710791f0aa12e5079a06722e90118ccb7cbdbff5b6d66680066495e22dc74e56009d8e9db50fa73889b50aeb577392bd34f646ba523b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
14c7bee0c0da04077d4f3a1a58cb6a3a

SHA1
0020646f7248a52175f3d8ec1b7ba1f5449bbdb7

SHA256
09db9806699036917d78078801c248bf249305c74c7152ceaa44f042c1234345

SHA512
ff9080b96e674c415c0af97cc1007741f6d7c5cb8e40e112e36b619f56dca83147d0ce207e3768b7385050fdc7f0e78df226f31520d05edd2a8ce954803535f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\neevl.exe

Filesize
341KB

MD5
b77b846673c4ec8e9bd95f35018a8f2a

SHA1
df24469eadf46e96c9c6d5f1f7a541f6734b4545

SHA256
d06841cb318cb56f908c620280d4ed6829625611d42e1d4d5a0753485483ef84

SHA512
7f8f8b3d7970778ae9fd5e3d3cc6784a308202d7f29a4f097e98131e4537f9b34bda2a3921667d07718f27fc206f0f0065bd5d1270a4b6dec704bf609fa6ddca

Download Submit
\Users\Admin\AppData\Local\Temp\qoijh.exe

Filesize
172KB

MD5
4d8886252d1420fe1325e02290cb8362

SHA1
538591d408ca6b910ddb343caff11748b5550da7

SHA256
10dc9247f4875f68331948b413309a93cc49976ec1ee4104134c43371134b751

SHA512
b04d4e3e868d63e734fd5fc701f682611c56ab1ec3226662e906cfe7fd99a4f202d928cf14456bdd9c5ef7b224edfb93695f218d17c6414f7387d3c73b0e9265

Download Submit
memory/1632-41-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/1632-47-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/1632-46-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/1632-42-0x0000000000CF0000-0x0000000000D89000-memory.dmp

Filesize
612KB

Download
memory/2700-0-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/2700-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2700-10-0x0000000002A40000-0x0000000002AC1000-memory.dmp

Filesize
516KB

Download
memory/2700-20-0x0000000000A40000-0x0000000000AC1000-memory.dmp

Filesize
516KB

Download
memory/2860-18-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2860-40-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2860-37-0x00000000021D0000-0x0000000002269000-memory.dmp

Filesize
612KB

Download
memory/2860-23-0x0000000000970000-0x00000000009F1000-memory.dmp

Filesize
516KB

Download
memory/2860-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing