urelas | 4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1

General

Target

4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe
Size

335KB
MD5

656c52672acd38b367c7e81c9523160e
SHA1

aeec37f8fb38a07b7e9cb06fd99d7b0f0ca40863
SHA256

4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1
SHA512

bd07a8019ef70e6a8e05f495abb04341cf5f887e7148d1e8ad0128671684e157f0850e0edcde1ef24a98234c2d19f884a1aefa2bfa73010c528a5d11ef2d7d2f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYy:vHW138/iXWlK885rKlGSekcj66ciD

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2376	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	wuqeg.exe
1380	helov.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe
2312	wuqeg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuqeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe
1380	helov.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2312	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	28
PID 2868 wrote to memory of 2312	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	28
PID 2868 wrote to memory of 2312	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	28
PID 2868 wrote to memory of 2312	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	28
PID 2868 wrote to memory of 2376	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	29
PID 2868 wrote to memory of 2376	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	29
PID 2868 wrote to memory of 2376	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	29
PID 2868 wrote to memory of 2376	2868	4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe	29
PID 2312 wrote to memory of 1380	2312	wuqeg.exe	33
PID 2312 wrote to memory of 1380	2312	wuqeg.exe	33
PID 2312 wrote to memory of 1380	2312	wuqeg.exe	33
PID 2312 wrote to memory of 1380	2312	wuqeg.exe	33

C:\Users\Admin\AppData\Local\Temp\4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe
"C:\Users\Admin\AppData\Local\Temp\4cf7b941b444e78dc4bf2ec2e8fc9fdf7e165a80a718be8d4bad1510dafe4bf1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\wuqeg.exe
  "C:\Users\Admin\AppData\Local\Temp\wuqeg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\helov.exe
    "C:\Users\Admin\AppData\Local\Temp\helov.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e3aef9da755fc2c331152df0a7f489da

SHA1
98b36755e9ef9e55ab9fa332777aaa4de09b487f

SHA256
ed4248cfb3200367bb9da58dda79fe97861dae2a6548acf1b5a921719c9fc005

SHA512
f228d6eb815b07c67452d7575118e1b2f105dc74fd4ec3523fd1be5660c2356d36abc5002612fa671901156d39c832d3c0f5b109c8f6636e8d6ad59113d06ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
e813ad94baefe35743816eee6b0e6f09

SHA1
3d225f1620b5bf5071897ef6246704eb4a35cf7a

SHA256
a26838ad24e50b5487d6dee17829534bfce999f6d3c9b4e55360f39e5dd9c146

SHA512
003f52287644a6c3e1e5859a85b891ed1b01865441cd3e8178418b4070d3893466ac19f96c0cc8a18acca2edb5e5b054a8cc93a8f3819523eed4dc95832105da

Download Submit
\Users\Admin\AppData\Local\Temp\helov.exe

Filesize
172KB

MD5
0f0bd3de2c7f3f6cd0d0e8757908c488

SHA1
671794d47dd56aa73ea7daed12602cfd6162f7b3

SHA256
dadd1529edfbec7e395063ce0a7e7de91163b59a54a96cc108f8cc2dd5d74890

SHA512
caa8abc93f61a17b9c6b703e2678805dd179553ad66978df7aeb1d24e201e7091bf4593e25e7cdf52b408d7bddfec51d0ad9d706267f7e40f1fbb15c7e550f13

Download Submit
\Users\Admin\AppData\Local\Temp\wuqeg.exe

Filesize
335KB

MD5
15b04fe99bc4f4b985b71367bde7a77b

SHA1
24940c728ab1480ab6348d6d8a4a99d1bb3d048d

SHA256
f1a89ad7121769cc9077aae2a470bd814da5fd989a34b3faff18cb5b9b2d49a1

SHA512
6011f41c2bbde77f4a00afa6f8a0f99c9e4cecfa5cf497fb3cd095172ff0af5a4d5dd6025e505221c9e3da2034ee89d45d42984416c29965f4b89b3ad4d25218

Download Submit
memory/1380-48-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1380-47-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1380-42-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/1380-43-0x00000000000E0000-0x0000000000179000-memory.dmp

Filesize
612KB

Download
memory/2312-24-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/2312-18-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/2312-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2312-41-0x0000000003520000-0x00000000035B9000-memory.dmp

Filesize
612KB

Download
memory/2312-40-0x00000000003D0000-0x0000000000451000-memory.dmp

Filesize
516KB

Download
memory/2868-21-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2868-17-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/2868-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2868-0-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing