urelas | 11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4

General

Target

11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
Size

335KB
MD5

cf747d9922dedadfabbff197a7bac2ee
SHA1

13415f88d5302eef54c966a0096dea92a9b83c17
SHA256

11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4
SHA512

d7e2d7f9d7d0fede4f2b4e3bfd4697c573e854615bd19d4550ad20919fe40b0e7e767023f9c3efb9b96da9e76542cf5699d3c4f9fd9c0e18ee59498678f8b293
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYVV0:vHW138/iXWlK885rKlGSekcj66ciEV0

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2516	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3068	jukuc.exe
1772	izfoh.exe

Loads dropped DLL 2 IoCs

pid	Process
2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
3068	jukuc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jukuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izfoh.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe
1772	izfoh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 3068	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	30
PID 2076 wrote to memory of 3068	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	30
PID 2076 wrote to memory of 3068	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	30
PID 2076 wrote to memory of 3068	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	30
PID 2076 wrote to memory of 2516	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	31
PID 2076 wrote to memory of 2516	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	31
PID 2076 wrote to memory of 2516	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	31
PID 2076 wrote to memory of 2516	2076	11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe	31
PID 3068 wrote to memory of 1772	3068	jukuc.exe	34
PID 3068 wrote to memory of 1772	3068	jukuc.exe	34
PID 3068 wrote to memory of 1772	3068	jukuc.exe	34
PID 3068 wrote to memory of 1772	3068	jukuc.exe	34

C:\Users\Admin\AppData\Local\Temp\11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe
"C:\Users\Admin\AppData\Local\Temp\11bba91dfbe9291e380a9316f12cd2b696a9a1ada8da9d2aa0090a2425d118b4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\jukuc.exe
  "C:\Users\Admin\AppData\Local\Temp\jukuc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\izfoh.exe
    "C:\Users\Admin\AppData\Local\Temp\izfoh.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
3da01ee4e2f23c6f9fd3a06fe05e2327

SHA1
aba2280fdd10853d31ee8cd22a973a01b40e1bf3

SHA256
2b809766d6c5f533d936985d2213e0a02f9a2af356bf512e60b9638916554f9c

SHA512
a371abbcd019a8be54ca4ae0a77f16bbd9466f6a55bb99605f0bd7afa185f0cc153cb79fcd0be91a2272c3d73ea6a30d90c646eb637ea05beb6e326d2c78695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
a6f0d474f8af69abccabe1ddae8234df

SHA1
35d0be7646820aabf00cfc60c984813843b1bca1

SHA256
7e94767a8d35ad3cf7946bb406785378789d5644b75438bbe19e6a60b1f87791

SHA512
673a3925ee1e714d1b6eb3de3bdd6184ac01f9e57f00ccea8454abedb26f6f8e814c7af631bcee1026987559e2d1648b3444bd443b987bf6e56f5ad2db469431

Download Submit
C:\Users\Admin\AppData\Local\Temp\izfoh.exe

Filesize
172KB

MD5
bba55196ccf3da8f285278cf8202d807

SHA1
4e69d1982e3c217500fac5a98d3e8023a489fd22

SHA256
5e9f328fef8a504be0fbd3700143b05bf2a3d684cf26b67c0dc693697070423a

SHA512
d03c1d23e697500011387b0011f7452c5ea097b35c84364df8a623a252961df734cb53e048053bfbc543ecac53f16f3903511d296d6bf01e7f30ea4212188418

Download Submit
\Users\Admin\AppData\Local\Temp\jukuc.exe

Filesize
335KB

MD5
d322c953da62d7e4d511ba343fada87d

SHA1
044cf030dc64800e86b32aacd47e12a5d06b97d1

SHA256
5f5985b107ea2671628907325de83512083ddf735094d92b5c63e08eec701c66

SHA512
14b487a36d7016d35d33ff4b35baaf5179cbbd2cfa4691d7e5b29d1f5aa06591ec7575d46472f02763294ce2a6887ac8d44ae0d106260f41abbbcfe80a8c9a1c

Download Submit
memory/1772-46-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1772-49-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1772-48-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/1772-43-0x0000000000AD0000-0x0000000000B69000-memory.dmp

Filesize
612KB

Download
memory/2076-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2076-0-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2076-21-0x0000000000AF0000-0x0000000000B71000-memory.dmp

Filesize
516KB

Download
memory/2076-10-0x00000000024C0000-0x0000000002541000-memory.dmp

Filesize
516KB

Download
memory/3068-24-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/3068-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3068-40-0x0000000003720000-0x00000000037B9000-memory.dmp

Filesize
612KB

Download
memory/3068-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3068-42-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download
memory/3068-11-0x00000000008A0000-0x0000000000921000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing