urelas | 604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589

General

Target

604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Size

333KB
MD5

2cc1c91da4b72fd5328644f18b3514a0
SHA1

1a8d4ebd5eff3bfd7df53a62ee8fee648589843b
SHA256

604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589
SHA512

122440ace5368f4b9a912998a1cb62b6d0b26a487aee1f4ec89b8eeeb4d3dfa84bdf003405c926e3737e745f89d77ecb49b6ee1362861d24dde021df982083df
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYG:vHW138/iXWlK885rKlGSekcj66ci3

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1708	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2764	koguf.exe
2336	quuco.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
2764	koguf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	koguf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quuco.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe
2336	quuco.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2764	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	28
PID 2900 wrote to memory of 2764	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	28
PID 2900 wrote to memory of 2764	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	28
PID 2900 wrote to memory of 2764	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	28
PID 2900 wrote to memory of 1708	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	29
PID 2900 wrote to memory of 1708	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	29
PID 2900 wrote to memory of 1708	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	29
PID 2900 wrote to memory of 1708	2900	604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe	29
PID 2764 wrote to memory of 2336	2764	koguf.exe	33
PID 2764 wrote to memory of 2336	2764	koguf.exe	33
PID 2764 wrote to memory of 2336	2764	koguf.exe	33
PID 2764 wrote to memory of 2336	2764	koguf.exe	33

C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe
"C:\Users\Admin\AppData\Local\Temp\604a68b6ac45b1e2f629cd7e6bca51fff46ee1c02df955d888aec0362b109589N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\koguf.exe
  "C:\Users\Admin\AppData\Local\Temp\koguf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\quuco.exe
    "C:\Users\Admin\AppData\Local\Temp\quuco.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
ceb84504f175f405c77ff6588a2d2592

SHA1
7b63056cd33b6b5c40ccdfea828d20a962fc9113

SHA256
a81ff24fbda9d44d5721e0cc33a6cfa85c716e4459a05f41cd6416e1ebd67f9c

SHA512
9c10a0dd7c90fd78eb47a4c949dcabacdf097eabf231a65db365547456ef26d37b1be80d51b75c5f45ee56cc089d2e433d4ea6fee16c524b4202458467e36d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4ecf93b96e0ff6758e5b495d46d4b5f3

SHA1
1a9f01da6d25d159182f5651cdf8be95f1c776a6

SHA256
563b291969738bd971a3ddb3321b6e05e5a19c2006df44ebd527e810dadd9416

SHA512
b6e16637c107c5b301c12b759026244a24ff6f7696f31aecbd7ae0618472659b6fc25d3fb8bed866b3c2ed69a4f44af0dbfd265a54104dda1993ecdd598e3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\quuco.exe

Filesize
172KB

MD5
70bc01a95452c035d85765cf315b6c19

SHA1
89b03df5fd4e5cfaa6ad49a1d8d3f93b4f614f86

SHA256
3c8ee432d1268890dd4a5f3924949ece36d9c993b927e1be08393487837817d9

SHA512
3e868ff61284b3ccb7b464f6ff1dfc508706fbc18f1f297ac10ccf9c6a0f2998746611c6c82968f687a6c82449a8b3b91abbb3d218062059595b72a27fdd8e64

Download Submit
\Users\Admin\AppData\Local\Temp\koguf.exe

Filesize
334KB

MD5
1e5c1d7c2962768bdc078e73895ed6df

SHA1
0cee9ae0f4d94f29e011526aaeb12e9f9347faec

SHA256
d369b0431aac83a28c8bcdb205e37efd4cb1cb112efd79b39812e4fb113e7355

SHA512
1c6d2cb2f38c03e9499d19e06f2f035745c7c2b737bb7736efd011c5e12e3e44218a513e0123fb2571d8a00a9e1ab2a0712194e074363af4fce90176905e4a5d

Download Submit
memory/2336-49-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2336-48-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2336-44-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2336-42-0x0000000001330000-0x00000000013C9000-memory.dmp

Filesize
612KB

Download
memory/2764-21-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2764-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2764-25-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2764-39-0x0000000003F90000-0x0000000004029000-memory.dmp

Filesize
612KB

Download
memory/2764-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2764-43-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2900-10-0x0000000002740000-0x00000000027C1000-memory.dmp

Filesize
516KB

Download
memory/2900-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2900-19-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download
memory/2900-0-0x0000000000280000-0x0000000000301000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing