urelas | 9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3

General

Target

9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe
Size

510KB
MD5

b639bc0a212aee9bc09ae316daff5210
SHA1

240e3ec4bc4255de9a585442aebf034a6df69c4c
SHA256

9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3
SHA512

36f549f9e1a4deb187cbd7e2bab8c16cb31078e2d5a503f8949abf077f4389ce96198d3fbdead95632e5c284c6269625fb2bba87bcaf96f6c1641ff61485ad07
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKou:3MUv2LAv9AQ1p4dKb

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	irdau.exe
592	moxot.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe
1464	irdau.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irdau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moxot.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe
592	moxot.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1464	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	30
PID 2160 wrote to memory of 1464	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	30
PID 2160 wrote to memory of 1464	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	30
PID 2160 wrote to memory of 1464	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	30
PID 2160 wrote to memory of 2512	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	31
PID 2160 wrote to memory of 2512	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	31
PID 2160 wrote to memory of 2512	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	31
PID 2160 wrote to memory of 2512	2160	9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe	31
PID 1464 wrote to memory of 592	1464	irdau.exe	34
PID 1464 wrote to memory of 592	1464	irdau.exe	34
PID 1464 wrote to memory of 592	1464	irdau.exe	34
PID 1464 wrote to memory of 592	1464	irdau.exe	34

C:\Users\Admin\AppData\Local\Temp\9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe
"C:\Users\Admin\AppData\Local\Temp\9b4b13dbca371f99fe0defc8d6c2370d7513d923061385636b2f344d0e6e07d3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\irdau.exe
  "C:\Users\Admin\AppData\Local\Temp\irdau.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\moxot.exe
    "C:\Users\Admin\AppData\Local\Temp\moxot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d35772d3dd604dfd49eb86ebaa6f5f1a

SHA1
db915609f0889d7aba69169fb5aa71a9c3bda4b5

SHA256
f64da20470ab784b9e6e9e5056337861abf5972830b06d518d9d8dc2befe508d

SHA512
8c3c6386823a5479fbde39361856153dd2e4baadfc87e95174fdf6d78cf742da7d41521ffcbd736b91ef3046602128900f528dc3bcc86007b6dd6d3ce90aa871

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e153d3bf7fd16075e2ff4f527894c659

SHA1
1fd5d63b131d13906d3c4ae695e47bdb817d65d5

SHA256
44d1e00e7d75e0e13551fd09176d9d83ded33ef992272355befcb1fd72984718

SHA512
27db16195dd417ea780efccde2a87f690fdc5b9528641d18b1be1830b486d24de060e299f9786a018b48170d9449e8fc215bd9b32e45e1443e712a35c22041d1

Download Submit
\Users\Admin\AppData\Local\Temp\irdau.exe

Filesize
510KB

MD5
23d0f1ad4fe4deb342de35d11211ade5

SHA1
b05b55e7756c87c71a760cc7f05cb3d420af50b3

SHA256
75e701cb6be91e29ce9a9a86ee20ab5cd4b4f6f1d3dd79affa6b33a2b578f836

SHA512
0be370d4f1910836b032821d8ca543e55ae75d4fd88c07901ea205c27c1cc91f11406c2ffad713ed24e275ed9bab9022a3f0f23998a2c5c3e343d12726cba587

Download Submit
\Users\Admin\AppData\Local\Temp\moxot.exe

Filesize
172KB

MD5
0d8ae17584ec813617e1e82d49f2e18a

SHA1
f54ed9abb4730d3c464fb05102492291aa172ae9

SHA256
a553b7db746fc939cae4909f334aaaa8efb2a5b3e9310458e0c6ae9be41da2a1

SHA512
31c39e8b764f36e026d35cbd79ae833af7740a2728ddb0ff24b6eda1d2d7eb4d362257c1c3f62c144e617a7e562df03b64789141eb47f73c21d6b0a355d5aa87

Download Submit
memory/592-30-0x00000000013A0000-0x0000000001439000-memory.dmp

Filesize
612KB

Download
memory/592-34-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/592-33-0x00000000013A0000-0x0000000001439000-memory.dmp

Filesize
612KB

Download
memory/592-36-0x00000000013A0000-0x0000000001439000-memory.dmp

Filesize
612KB

Download
memory/592-37-0x00000000013A0000-0x0000000001439000-memory.dmp

Filesize
612KB

Download
memory/1464-17-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/1464-21-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/1464-27-0x00000000036E0000-0x0000000003779000-memory.dmp

Filesize
612KB

Download
memory/1464-29-0x0000000000EC0000-0x0000000000F41000-memory.dmp

Filesize
516KB

Download
memory/2160-15-0x00000000023F0000-0x0000000002471000-memory.dmp

Filesize
516KB

Download
memory/2160-18-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download
memory/2160-0-0x0000000000F60000-0x0000000000FE1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing