urelas | c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e

General

Target

c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Size

337KB
MD5

bb2fd47ba0745b3048eac29cb2d0e4c0
SHA1

6301acad5ed51e3fc37e71af6328c7d1690ce244
SHA256

c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17e
SHA512

f91810d6129f6d7adfc29b48be049673957b89a05afd494eb4a8295478f19d1fe40e91dd383746cf485371ec72493042a85e615070d28539bb7e035dd00ac965
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWa:vHW138/iXWlK885rKlGSekcj66ciu

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1940	wumux.exe
3036	exsuh.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
1940	wumux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wumux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exsuh.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe
3036	exsuh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1940	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	30
PID 2440 wrote to memory of 1940	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	30
PID 2440 wrote to memory of 1940	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	30
PID 2440 wrote to memory of 1940	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	30
PID 2440 wrote to memory of 2516	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	31
PID 2440 wrote to memory of 2516	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	31
PID 2440 wrote to memory of 2516	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	31
PID 2440 wrote to memory of 2516	2440	c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe	31
PID 1940 wrote to memory of 3036	1940	wumux.exe	34
PID 1940 wrote to memory of 3036	1940	wumux.exe	34
PID 1940 wrote to memory of 3036	1940	wumux.exe	34
PID 1940 wrote to memory of 3036	1940	wumux.exe	34

C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe
"C:\Users\Admin\AppData\Local\Temp\c9457f10cf4ae06df93304088a646a5aab0bfafa0ba882eb7b19d31e8a03e17eN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\wumux.exe
  "C:\Users\Admin\AppData\Local\Temp\wumux.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\exsuh.exe
    "C:\Users\Admin\AppData\Local\Temp\exsuh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
dee0ff11ade44a6767cb97531821c2fe

SHA1
f303b64693aeee045c07df382da5251cc4352488

SHA256
1207aafa58d23e56206e87897fc849f15ed1e8aa372f265d41cc7227f6e3c32a

SHA512
87ac0dbe3d1fa247b9ed7eb260abe12e4ca35ef3b3263d68f02bcee4242c80421e31eb9a955a4a31c11eeeeecdacb416ef9bb2b5259da9743ff40f6346461b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
04be83830ca0de360e5c2aefae118137

SHA1
720677d76b58e4fafc6079b4bbb67fcc7637e650

SHA256
0db0edab8a761602a40792babb526888ca112660fda337fee714b2ea38671f89

SHA512
15dcd2b54a720e2254ea014f42fcc68f950d15a3f831b7754a8d9e05d7482b82f36683d8651e29a44e1faa901596f196cd1d503ea4381e0270e3f1b6616d13c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wumux.exe

Filesize
337KB

MD5
1058bae2801f5db484e67abe04d7cafe

SHA1
a28c1325aa8405a772b748df2923534f7da7ff21

SHA256
321bb1bca3162e31a2f415ef087943b3fc7fde5bb05dea58982579d3f59796e5

SHA512
3c5b88c1df6626c5a450a888ede6f602a5eecae3e2e3ff555f69258b732082458a37ab8d47aec1beb667a3bf74564ae04a7a80696d2507ed15e2012b677f459d

Download Submit
\Users\Admin\AppData\Local\Temp\exsuh.exe

Filesize
172KB

MD5
fedd3bc47beeb2db6d35f09b9faf8403

SHA1
547a14dfe7f4034e056fbd72e3baaa014703fc4e

SHA256
51355b926239f3b537699b2904fc2999cfcdd79fa159626d343b629cd09836d7

SHA512
006985d2c422e4482a4da6b6f3e234b5d51b6487633e76e9b835315465bc54cb7d169e52a7b9f388fb3edd9f34a55ccd24c678ec654eb3ba6594adb646a78a8d

Download Submit
memory/1940-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1940-20-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/1940-24-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/1940-37-0x0000000003360000-0x00000000033F9000-memory.dmp

Filesize
612KB

Download
memory/1940-41-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/2440-19-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/2440-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2440-16-0x0000000000E20000-0x0000000000EA1000-memory.dmp

Filesize
516KB

Download
memory/2440-0-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/3036-43-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3036-42-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3036-47-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download
memory/3036-48-0x00000000002C0000-0x0000000000359000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing