urelas | ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc

General

Target

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Size

335KB
MD5

a382b347737bdb4bd2bf3ac26c34ba03
SHA1

0ba6c6f58880260c32eb733350f7634eb245890c
SHA256

ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc
SHA512

390d29133ae5d769573875024024140790154290d0db373ca0181129886c332627f98e574d44500ba768848882b9fe90e7cc8732f448b9574ae642852dffe6b2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYV9MC:vHW138/iXWlK885rKlGSekcj66ciE9MC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2720	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2464	naqus.exe
2912	pohyr.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
2464	naqus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	naqus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pohyr.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe
2912	pohyr.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2464	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2136 wrote to memory of 2464	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2136 wrote to memory of 2464	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2136 wrote to memory of 2464	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	31
PID 2136 wrote to memory of 2720	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	32
PID 2136 wrote to memory of 2720	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	32
PID 2136 wrote to memory of 2720	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	32
PID 2136 wrote to memory of 2720	2136	ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe	32
PID 2464 wrote to memory of 2912	2464	naqus.exe	34
PID 2464 wrote to memory of 2912	2464	naqus.exe	34
PID 2464 wrote to memory of 2912	2464	naqus.exe	34
PID 2464 wrote to memory of 2912	2464	naqus.exe	34

C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe
"C:\Users\Admin\AppData\Local\Temp\ae6e994645be52a6ac170b4d95308b431ac529bff1bbbd5b6ec793a0b9b1b5fc.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\naqus.exe
  "C:\Users\Admin\AppData\Local\Temp\naqus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\pohyr.exe
    "C:\Users\Admin\AppData\Local\Temp\pohyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
2327ead2b68b0439df68905a99174378

SHA1
04ebca76b854ae1a856e304d4ec9486322779513

SHA256
7fe90d95840f59e20765937b8c0f56231ec0e3582bf3c4e53fff1ff527b6f3d7

SHA512
2e9f26a14e31b968995305e6464afe2625679b99e3aeb28dd1b218a2630e78b9c9e6ab32bd597a17ad55cda4cd24701e2c3a7ccbf48cd0b26fe4e75c439ce6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
5b2d6633d00662971311a345e63b09fb

SHA1
00835ecd52c9496c16d2b20fae98dafae84819e0

SHA256
4377dbe2f479e6263bcfb5fb843f088fac5391cce379fdc8c53a7127e7a2d836

SHA512
c2174b6c0006515161550551a518ed24ae37ce21b2216ccda82e304a3856d5fee91d73b5b3be3640071d3100e3872cbedf013d048bbdad7727ada26236596bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\naqus.exe

Filesize
335KB

MD5
e422dbcfedd82d7326f39553a4f40ae6

SHA1
3a184e27e11239f2f5e0e5ee86f710a59c40ea9f

SHA256
ea1c49eb5862a6397f4d6b61ab741d062ffe2f4f83c31497ca07eccd406e331f

SHA512
077bbc66265eac3fdd58e800c2fcb22f6577f7502a0650b7506b16bd75e0add2c5a43801c95ca16df70b04b7eebccdd1453a1706a9ff138e33d959ef6b933a29

Download Submit
\Users\Admin\AppData\Local\Temp\pohyr.exe

Filesize
172KB

MD5
bf562051f2386d882964270b2cd91b41

SHA1
520b63692a05e1e29cde65229a778c066e51811a

SHA256
2d916b9db2ff82ac9d0303715f478329c608bc796d863c1af7defe502b006927

SHA512
c549407cad1fb44a395a095c0d15a7a6348667c09dc55f3c2da6581c23ab85308c85ea034236e3f09599af5b709d55a2f25829f7d45cd340b66e99f33a1a7b3d

Download Submit
memory/2136-10-0x0000000001EB0000-0x0000000001F31000-memory.dmp

Filesize
516KB

Download
memory/2136-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2136-20-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2136-0-0x0000000000150000-0x00000000001D1000-memory.dmp

Filesize
516KB

Download
memory/2464-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2464-11-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2464-24-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2464-39-0x0000000000840000-0x00000000008C1000-memory.dmp

Filesize
516KB

Download
memory/2464-40-0x0000000002CC0000-0x0000000002D59000-memory.dmp

Filesize
612KB

Download
memory/2912-42-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2912-43-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2912-47-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download
memory/2912-48-0x00000000000F0000-0x0000000000189000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing