urelas | 643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1

General

Target

643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
Size

275KB
MD5

4f484ec903da6d4e4fca1f56b3a0f5e0
SHA1

053c14798282218e84fadacb5b7c06129cc73b38
SHA256

643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1
SHA512

eecafc7fd8acf4f08459150a9e8d1a2a32b6a7e9fc7205c57807209784b6c4a1d967aee842031c8547aaeb4ad50f758f8cf2bc7166ccda2cef835a2d6f4017c8
SSDEEP

6144:YBJz8I3EKuteh0AemMzbUNnWNt+xXEUPW:6B8I0vtHLPUNWv+xXDW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
996	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	josis.exe
1572	ohryp.exe

Loads dropped DLL 3 IoCs

pid	Process
2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
2620	josis.exe
2620	josis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohryp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	josis.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe
1572	ohryp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2620	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	31
PID 2396 wrote to memory of 2620	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	31
PID 2396 wrote to memory of 2620	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	31
PID 2396 wrote to memory of 2620	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	31
PID 2396 wrote to memory of 996	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	32
PID 2396 wrote to memory of 996	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	32
PID 2396 wrote to memory of 996	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	32
PID 2396 wrote to memory of 996	2396	643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe	32
PID 2620 wrote to memory of 1572	2620	josis.exe	34
PID 2620 wrote to memory of 1572	2620	josis.exe	34
PID 2620 wrote to memory of 1572	2620	josis.exe	34
PID 2620 wrote to memory of 1572	2620	josis.exe	34

C:\Users\Admin\AppData\Local\Temp\643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe
"C:\Users\Admin\AppData\Local\Temp\643551061bb861652f3ed1c650483526cd40985c09440becd403eb42444b75b1N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\josis.exe
  "C:\Users\Admin\AppData\Local\Temp\josis.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\ohryp.exe
    "C:\Users\Admin\AppData\Local\Temp\ohryp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
9bae44e49d77fbc2921940cbc7782571

SHA1
47a84ce377a7c21c83d69137e73d36d8d177fa31

SHA256
43f4325bb9af60c7b49ad5f132588cf7a8d73a1c6ccadf9265f38c7ee3caa8ea

SHA512
9cf9ec08bcf50a68c2e91e65af2ceba70a7e913389cd1f5ea0e0ad5b04e94fa9e2ed2334be5d1f11fc5b22c604f3e7fcbd35b84fcb875c0fc1e86a957c6dbd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b3906ed3152c90405ddab6561d6ac9f1

SHA1
6d03a73cada1552c84138cf0573a3e68584046ae

SHA256
c37f6fd35276dda30f9d407088736deb5c1559f0066b73b9e3c0b7f6defb3b23

SHA512
8a875ad59002bf9c1a7ddbc6b0bf0302ab75b36851a10ac76a06bd001c70f5e82f97646284fe100a6308a622629e1849369fe028fb3234b92304eed38c902b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohryp.exe

Filesize
303KB

MD5
aac877a86b5767d975165c308ddf8502

SHA1
8a23812097ec0d3b74707462ef7c69bf61545f5a

SHA256
653686e726537d155e5a24bb254bb3fc85c97137dac36706f5f9f4eee3859fe4

SHA512
bad6e962ec40566ef3f2c2f0c948c4a091e673d9e90cde1747d0067ec4408aee93341b3155c60187d17c61df461fc3e8c03f663e6ad7dca4c37384f274b26814

Download Submit
\Users\Admin\AppData\Local\Temp\josis.exe

Filesize
275KB

MD5
59c6ca9ec856c99b0ed0c08f9652b78b

SHA1
83445bb56b0ed654fd21431e9d6f85955ccebd56

SHA256
cbf99c2ac4b9dc17b2a71cc1dcf91773a90e5ac81e586ebce2c0dfb2228ea4bd

SHA512
137de26c9ce90b9954e37e4d58cb7fc607b0110da1aeef07772cbb2175e251504ca037aa2f95f79f919399b2e3a903f698aad68619de219373a88225a2db07cb

Download Submit
memory/2396-0-0x0000000000D40000-0x0000000000DA1000-memory.dmp

Filesize
388KB

Download
memory/2396-18-0x0000000000D40000-0x0000000000DA1000-memory.dmp

Filesize
388KB

Download
memory/2396-14-0x0000000002290000-0x00000000022F1000-memory.dmp

Filesize
388KB

Download
memory/2620-19-0x0000000000CC0000-0x0000000000D21000-memory.dmp

Filesize
388KB

Download
memory/2620-22-0x0000000000CC0000-0x0000000000D21000-memory.dmp

Filesize
388KB

Download
memory/2620-40-0x0000000000CC0000-0x0000000000D21000-memory.dmp

Filesize
388KB

Download

Analysis

Sharing