urelas | b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691

General

Target

b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Size

334KB
MD5

48c754b5a0b4931fb08ad6a060c6f3c5
SHA1

3056f95cc54e0a8ee01bb930e279e876c4bc1c45
SHA256

b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691
SHA512

bb175497b013686162ce71fb8112f16b4ab0746357612fd0fa9406b727ff3907ef7ec96459e3e05163e380cb84bd6a737667299c2ccea65df5579df9071d6b94
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XY9U:vHW138/iXWlK885rKlGSekcj66ciIU

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2216	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
304	rokoe.exe
1852	duafh.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
304	rokoe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rokoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	duafh.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe
1852	duafh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 304	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	31
PID 1800 wrote to memory of 304	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	31
PID 1800 wrote to memory of 304	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	31
PID 1800 wrote to memory of 304	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	31
PID 1800 wrote to memory of 2216	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	32
PID 1800 wrote to memory of 2216	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	32
PID 1800 wrote to memory of 2216	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	32
PID 1800 wrote to memory of 2216	1800	b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe	32
PID 304 wrote to memory of 1852	304	rokoe.exe	35
PID 304 wrote to memory of 1852	304	rokoe.exe	35
PID 304 wrote to memory of 1852	304	rokoe.exe	35
PID 304 wrote to memory of 1852	304	rokoe.exe	35

C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe
"C:\Users\Admin\AppData\Local\Temp\b6cf01e063e6370d0ca1455ad65dd58b5aa608779804229e846742b5a12c8691.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\rokoe.exe
  "C:\Users\Admin\AppData\Local\Temp\rokoe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\duafh.exe
    "C:\Users\Admin\AppData\Local\Temp\duafh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
fcee18b4f5a4109143fc8d5fb58a648c

SHA1
c5151910f25c710befc931b38730f8ab3119067e

SHA256
148df7dbcaf5f4eab988643544f498c546cbc3ab0eaf32f9897bd85c773c3634

SHA512
85c86921fda408d6826d1af702cd01cc19d63a03b45b31ea40e372921adeef9281a119a8b9faa2924e4fbc6342f924e9f111be071a20fae89771e8a9e288178a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d355512537c553941e785a9f8b6c5be9

SHA1
d88fd3f1abd282ede5798a67ca21d47815e4e2de

SHA256
fed84d7b95c562c53612f2a6d0137b6c2d0f00d6ea164fa59f02dd896b61b248

SHA512
736e24d85287017a8984a9e631310272bad09312ddb14c3b7da7a896e8c5fb1f2a56780aaa6ee5e70770f3b744b39676c285292f4dc848684e78fd1b03081830

Download Submit
\Users\Admin\AppData\Local\Temp\duafh.exe

Filesize
172KB

MD5
31b984189052bfe39124eae24997d8e5

SHA1
33b2515c8243f1a42b6c2e6a02708674a810abc9

SHA256
7f47278a8a2a22fad21879942ab7922d4a9ef66440ca2967b7392db19b09fcaf

SHA512
1da2575e13d600ea7754e482bacac4e7725d625790f86527d7e161dd4004a78978aa224566e7573578b8c5da8b0812feafc9980916b39572d5974312ebca1f77

Download Submit
\Users\Admin\AppData\Local\Temp\rokoe.exe

Filesize
334KB

MD5
2620e8a13b832a6dcca941b43ca42501

SHA1
233506f2d7dd9d58b2c8f370c7a8cd5213eb6e43

SHA256
cf0207da1b6c2e46e9d60af4bf4059f8d97cfd70080a613aa1b363e38a29663a

SHA512
94ead77565b7fce3217ee31a73db885627d6d8a3b1f8049584ebcb08567efaab916644f5b73a68d41aeb2a542eca542604c4141c50f8d254edf60938bd885816

Download Submit
memory/304-22-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/304-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/304-17-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/304-36-0x0000000003FB0000-0x0000000004049000-memory.dmp

Filesize
612KB

Download
memory/304-39-0x00000000002C0000-0x0000000000341000-memory.dmp

Filesize
516KB

Download
memory/1800-19-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/1800-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1800-0-0x0000000000190000-0x0000000000211000-memory.dmp

Filesize
516KB

Download
memory/1852-43-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1852-40-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1852-45-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download
memory/1852-46-0x0000000001150000-0x00000000011E9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing