urelas | 4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4

General

Target

4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Size

335KB
MD5

6b6d7280b40ecf8da84985d92247e200
SHA1

1ef07cafa873cdb3e748558ea6a92ff890757612
SHA256

4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4
SHA512

736c7e889bd4a8d957a25c6491532c8420edf0ff6f1f28e573cac3aa17cf11999caa793648d03e4c071f6a8fc63676067f5c67da89ce4604c1e9fc14ea43a3b9
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2316	xofub.exe
1996	dipoa.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
2316	xofub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xofub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dipoa.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe
1996	dipoa.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2316	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	31
PID 2616 wrote to memory of 2316	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	31
PID 2616 wrote to memory of 2316	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	31
PID 2616 wrote to memory of 2316	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	31
PID 2616 wrote to memory of 2844	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	32
PID 2616 wrote to memory of 2844	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	32
PID 2616 wrote to memory of 2844	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	32
PID 2616 wrote to memory of 2844	2616	4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe	32
PID 2316 wrote to memory of 1996	2316	xofub.exe	35
PID 2316 wrote to memory of 1996	2316	xofub.exe	35
PID 2316 wrote to memory of 1996	2316	xofub.exe	35
PID 2316 wrote to memory of 1996	2316	xofub.exe	35

C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe
"C:\Users\Admin\AppData\Local\Temp\4befb8512f82418b0e0aa461dc0f5492863888034f836fe0a63d3b89034915e4N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\xofub.exe
  "C:\Users\Admin\AppData\Local\Temp\xofub.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\dipoa.exe
    "C:\Users\Admin\AppData\Local\Temp\dipoa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
22222a2451e6d34a39b22f51cd34e504

SHA1
84c6c07bb4cea25b2dbe1c2e7d9cc7c67307e028

SHA256
6d2db47ebe8a8e93fbd985a7111986ff83d9a7e900c738840f9d4955be2066c2

SHA512
718ed487f7c7e54a3fccce5a523c11aeb4fb631b03f22bdc477a91a32238d936dd500df477562ab882e2cedee4c49a822a9593126178628c7d14d4b8c28c8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
52e24c2475f3cb1b125d1eb5a240e8e5

SHA1
60c3d7df1d32e2a7c75817e7ed97fdfe6306cf9c

SHA256
9969198077999e0e7579f6f95d248634d656654a727259c405dd97102106217b

SHA512
bcfc95dc3338aab23734fd74ab297fbecca824a44fb5d50b1f52d47969b857683365c4f462d434a54e59642e63bb5c37767c1d9745f42f712d9fabd373b53b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xofub.exe

Filesize
335KB

MD5
756bbff4ba07c2f46efb3fc57223fcc6

SHA1
dff073b27fab0daff2749522aa74f273dd7e5c83

SHA256
adbd1ede0020a29a8171eaa257d21b4f45f1defea088ed6d63d305ccc9f684c2

SHA512
fb5f678e513c2b2d276fe48d8d550a26f5b86fe10d19f5c20c02a076e66d337c26571d3ae5928896db6ef48bbeb95276a8c7b083abaaf9c751813c3b1f9c04bf

Download Submit
\Users\Admin\AppData\Local\Temp\dipoa.exe

Filesize
172KB

MD5
d1102f155a6db7c28bafef8b970bcb19

SHA1
6b69f82a5492c7ec06c83cf96e44ca204e195c0c

SHA256
a542980240ed23f9b548ce3f9872e7a7e0a2d08602e9bf1fd774378ce18e2593

SHA512
410520deb8365d59aa5a6e52f24597c29a50f8c22e97b9490391068b801dd2f9f0f4332396f798d87b0474d6aae614a85580952574ae160ee94dd3f52463aa10

Download Submit
\Users\Admin\AppData\Local\Temp\xofub.exe

Filesize
335KB

MD5
177ef0c4eb71072eb864e0b032970858

SHA1
54de48d76ddb734a1d53a296744ffbff07895919

SHA256
ebf42eec797350c8b4e90a353f636b415f304454900b8f857f9232bccc2350b4

SHA512
3cf645ea1ca7ed863befccf02d681ea6f76eb2353827d75a9e14ab6741614e79bb90c5ae167233ffd233267c23a7d85387e6b46e6bd41bef0dc9b34a6e474dd5

Download Submit
memory/1996-43-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/1996-50-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/1996-49-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/1996-44-0x00000000002B0000-0x0000000000349000-memory.dmp

Filesize
612KB

Download
memory/2316-42-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/2316-25-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/2316-40-0x0000000003400000-0x0000000003499000-memory.dmp

Filesize
612KB

Download
memory/2316-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-19-0x0000000000CF0000-0x0000000000D71000-memory.dmp

Filesize
516KB

Download
memory/2616-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x00000000009B0000-0x0000000000A31000-memory.dmp

Filesize
516KB

Download
memory/2616-0-0x00000000009B0000-0x0000000000A31000-memory.dmp

Filesize
516KB

Download
memory/2616-17-0x00000000008B0000-0x0000000000931000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing