urelas | 47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f

General

Target

47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
Size

341KB
MD5

9e6a55c7bce3f2efc330ee91283aaac7
SHA1

243ff31193d7d2f618dbe4816e1c6b9a1fbf66b1
SHA256

47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f
SHA512

746aba37d81f1e00b91fadc38b7e8ea4738f3077ae3e030c611d958fcf90c0527bb6ee704e1881ba6510b1cf4ab8b71e70dcc990edbd6b68bd5e5700eab66fc2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYpDyZ:vHW138/iXWlK885rKlGSekcj66ciEOZ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	seecc.exe
1460	ublui.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
2804	seecc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	seecc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ublui.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe
1460	ublui.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2804	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	30
PID 2876 wrote to memory of 2804	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	30
PID 2876 wrote to memory of 2804	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	30
PID 2876 wrote to memory of 2804	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	30
PID 2876 wrote to memory of 2848	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	31
PID 2876 wrote to memory of 2848	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	31
PID 2876 wrote to memory of 2848	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	31
PID 2876 wrote to memory of 2848	2876	47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe	31
PID 2804 wrote to memory of 1460	2804	seecc.exe	34
PID 2804 wrote to memory of 1460	2804	seecc.exe	34
PID 2804 wrote to memory of 1460	2804	seecc.exe	34
PID 2804 wrote to memory of 1460	2804	seecc.exe	34

C:\Users\Admin\AppData\Local\Temp\47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe
"C:\Users\Admin\AppData\Local\Temp\47dc53c76c65a8eb881f2f029335253af1c6838cf458ac90eafebfc30561be0f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\seecc.exe
  "C:\Users\Admin\AppData\Local\Temp\seecc.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\ublui.exe
    "C:\Users\Admin\AppData\Local\Temp\ublui.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
1afa40f14da4e6b164d9537bfc4e11da

SHA1
e0527778ccf6699e6f902875ea797f978ff8c423

SHA256
aa68e594027da4d021e4310d0a965ccea94d85312deb962a42223e8f784e9271

SHA512
146f30b0a11276d32be7638da1a572975830bdcff0ef38ffecdcf8b0ad5d6dbd175a13a30609772df180f2e8811e0598ce46a23c1bdb4c1388ce40f1286a713c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
09f786a73ba7875c8ad385825a716e95

SHA1
073431f1b0fd398ce97558eb27b8997db75feda6

SHA256
f25dd5c5c9f6ad9eb03b85eb2e84be1685968a9a033712f3648e7ebb87f3f921

SHA512
eaffe90a1ff46d06bde8de837090aeb6f3f897b54fe13bc5f2412032d032764876be0c09a6e2a76447a7804017b7c64c48b129a7f15983ff5820cccc77cb9d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\ublui.exe

Filesize
172KB

MD5
91a1ce3fc2772b50a55572ddca73f3ac

SHA1
2cd463c4c94214097dad3771971e9925816b010f

SHA256
a04d1afd9a3658110b7f6e6c11b06f8bb2e51b7b9e6e6abde6450bca2ff9b0b6

SHA512
a2d8e5eadb4a980d50a911c8a17f903d838f264f657c6250d9bdd359a5823e4f657faffbc3dd02973a4a1a9c7bb53e9efa8f8d3fd56b8304003c54386665abb8

Download Submit
\Users\Admin\AppData\Local\Temp\seecc.exe

Filesize
341KB

MD5
247a6a5277183b60c2ba75ce9d88ca69

SHA1
d786c9b359bf2e38626d707f4835706b0e882e7c

SHA256
40770160154285901f9269ad0f74813eb47ed91d933c5a5aac657aaf3cf4009e

SHA512
4d250ac792f43ffc96c0bf1fd5b580461d18e6911c6b231b6faaf58efb47ae7ac5a685bd996f2793c6cd447f0629fd358ad9aad3efdc0ecc204523817f176beb

Download Submit
memory/1460-43-0x00000000001F0000-0x0000000000289000-memory.dmp

Filesize
612KB

Download
memory/1460-49-0x00000000001F0000-0x0000000000289000-memory.dmp

Filesize
612KB

Download
memory/1460-48-0x00000000001F0000-0x0000000000289000-memory.dmp

Filesize
612KB

Download
memory/1460-44-0x00000000001F0000-0x0000000000289000-memory.dmp

Filesize
612KB

Download
memory/2804-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-11-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2804-24-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2804-39-0x0000000003200000-0x0000000003299000-memory.dmp

Filesize
612KB

Download
memory/2804-42-0x00000000011A0000-0x0000000001221000-memory.dmp

Filesize
516KB

Download
memory/2804-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-0-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/2876-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-21-0x0000000000C40000-0x0000000000CC1000-memory.dmp

Filesize
516KB

Download
memory/2876-9-0x0000000000BB0000-0x0000000000C31000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing