urelas | ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248

General

Target

ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe
Size

341KB
MD5

09b5ac695ecb26f5923167783af898a9
SHA1

f78da648815348fd48e1ff6c1ceedae215517e1e
SHA256

ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248
SHA512

0d71c6709e2ec28c5f9b04efefb618f63ec551c2693c5f90cee9658495a46471ae83dc0ae7a2dc63ea0ca036d8cd2dc02aa7df9f05d944e0300de9ad592a1f14
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYRcECHUI:vHW138/iXWlK885rKlGSekcj66ciaC0I

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2328	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2524	leqep.exe
1348	zyqur.exe

Loads dropped DLL 2 IoCs

pid	Process
3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe
2524	leqep.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leqep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zyqur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe
1348	zyqur.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2524	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	30
PID 3056 wrote to memory of 2524	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	30
PID 3056 wrote to memory of 2524	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	30
PID 3056 wrote to memory of 2524	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	30
PID 3056 wrote to memory of 2328	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	31
PID 3056 wrote to memory of 2328	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	31
PID 3056 wrote to memory of 2328	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	31
PID 3056 wrote to memory of 2328	3056	ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe	31
PID 2524 wrote to memory of 1348	2524	leqep.exe	34
PID 2524 wrote to memory of 1348	2524	leqep.exe	34
PID 2524 wrote to memory of 1348	2524	leqep.exe	34
PID 2524 wrote to memory of 1348	2524	leqep.exe	34

C:\Users\Admin\AppData\Local\Temp\ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe
"C:\Users\Admin\AppData\Local\Temp\ca8f7a3df2b8247a527e4c560eb897c746e63d0cb413753e5c0759c0a746c248.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\leqep.exe
  "C:\Users\Admin\AppData\Local\Temp\leqep.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\zyqur.exe
    "C:\Users\Admin\AppData\Local\Temp\zyqur.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b7f738828e7994f6100e64d268f74324

SHA1
eb8d5fb479fc449fed54c2a3f3442ca1eb09e30b

SHA256
c55069323b429916772859606722ad8928ea6ed8a005a649589bed8f7fffd5bf

SHA512
8b1a8e647a6f14ed1cdb403b0eb29659a83fb2928740c373851f37e0fa41fe8ebdf9a313bf98d910fe43f369c806328e88132b9c10cf0199b66e7443d63a0cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
7ae16f7e545a1f3d278097d18ac6af4c

SHA1
c8867aa4b4d83b3f6dd1dd3265894a7645187b75

SHA256
85ddef02d3d77c5192b747a94b7ced6f79bd20bd6997e9fbe25fd09301319e35

SHA512
a4bf9fe89a67d895ec1f51a2d809fafe15572cf755f11f07e9d55c7532c9b0f8a39eb91b8162985de5aaf1a0996f4bc0ad8f4a257d1a3c8260143e1cde86d5ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\leqep.exe

Filesize
341KB

MD5
fbbf4e190684f111bfd358ba44b02302

SHA1
f7e70168b01a37ae810f038983a5afcc79f8ec1a

SHA256
26cc9a5a0aa372cf6c033b9793cfaa182c2481d1de29bce0a383ea19b1ca36c9

SHA512
4c5179d8acb7551f7ae786364beee2044beee4d869863559de9edd2df80afe950a9d44111313078a11faf9fbe7d80756ac45a213897db77a00326949a240691a

Download Submit
\Users\Admin\AppData\Local\Temp\zyqur.exe

Filesize
172KB

MD5
b7e67b6cead8256e7b1bdf34ee7e2eeb

SHA1
17ecc89e33dcc8baaf7c5bf400f6c66158cbe7eb

SHA256
d3b80dc6e60c645c6decb60ecbeeebe614410017e4dc4cafd604e762701e926f

SHA512
601d2807efedc157de98bb3971323c38a1aed8c2ad99a6143c8a4316d3a9d719459bf2cf4fe73a0e5b50847dc5ea7ea01eb0585c11caf22f711c476af55988c6

Download Submit
memory/1348-42-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/1348-40-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/1348-47-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/1348-48-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2524-11-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2524-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2524-24-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2524-45-0x0000000000F30000-0x0000000000FB1000-memory.dmp

Filesize
516KB

Download
memory/2524-39-0x0000000003470000-0x0000000003509000-memory.dmp

Filesize
612KB

Download
memory/3056-10-0x00000000024E0000-0x0000000002561000-memory.dmp

Filesize
516KB

Download
memory/3056-21-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/3056-0-0x0000000001000000-0x0000000001081000-memory.dmp

Filesize
516KB

Download
memory/3056-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing