urelas | d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d

General

Target

d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
Size

337KB
MD5

b3e04f64c052ce0a4066e6b823a0c14a
SHA1

551d1f5fddb0d3fd6305bcc205602b40b7d02503
SHA256

d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d
SHA512

832a304a2194587a2f6594031e2fd1b1e9c5eebe3c4304136dd9834820420daf84365e246d429f1079ca2dfe21aa55dda16a1f7351dc6ba56815c0d5ae6aad5e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYT:vHW138/iXWlK885rKlGSekcj66ciC

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2504	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	egpon.exe
1148	liezv.exe

Loads dropped DLL 2 IoCs

pid	Process
1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
2952	egpon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liezv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	egpon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe
1148	liezv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 2952	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	30
PID 1112 wrote to memory of 2952	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	30
PID 1112 wrote to memory of 2952	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	30
PID 1112 wrote to memory of 2952	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	30
PID 1112 wrote to memory of 2504	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	31
PID 1112 wrote to memory of 2504	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	31
PID 1112 wrote to memory of 2504	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	31
PID 1112 wrote to memory of 2504	1112	d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe	31
PID 2952 wrote to memory of 1148	2952	egpon.exe	34
PID 2952 wrote to memory of 1148	2952	egpon.exe	34
PID 2952 wrote to memory of 1148	2952	egpon.exe	34
PID 2952 wrote to memory of 1148	2952	egpon.exe	34

C:\Users\Admin\AppData\Local\Temp\d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe
"C:\Users\Admin\AppData\Local\Temp\d27b5e5dd4fe7125e776430f7a53eb50943af88c0ae6124c5a1d28802d5e6f4d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\egpon.exe
  "C:\Users\Admin\AppData\Local\Temp\egpon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\liezv.exe
    "C:\Users\Admin\AppData\Local\Temp\liezv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
e46cf7e666d496b2bc96b11f748ea53d

SHA1
2009952e58300f07ce220f2af11d1cb47b8731dc

SHA256
4dab5a4d91f0f463ba842ae4165553d916fed59900c56ec48450186976a1249f

SHA512
206d489e0ba005e452c15d3d9fc9461b5c63960476254035081c334388bc4a31aa39553bc08d3f8fc4516a2f1e8be87f399d9dd8431376558406bb501d2d24d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\egpon.exe

Filesize
337KB

MD5
c441a38d26fe138d291454422004e696

SHA1
c5f94d6728f696ede88fdcf71d819b2c4710d587

SHA256
9aad4da4bbbed7542b582c9840018399e11e9407547bed1a44e95dbfab050795

SHA512
e1b45f20e95498a4ac720985af9a5de862a31eb8ae74e24be6b2eb330f4641ce4fe171aa71a02c8cae7eb781c7b6644584cef54aadc6395b2bc25073ce761993

Download Submit
C:\Users\Admin\AppData\Local\Temp\egpon.exe

Filesize
337KB

MD5
802d2f6bf8aec2230a8b322291a95c51

SHA1
b6706696cd573f7c30f4708a8d94df628109ba79

SHA256
57df86c11145b5c8d65e6d7516353c5bfc88181f8bccf139debefb9ee0a005d5

SHA512
7d150388ae73edb2fabc5fc15122e00d338cb54808f4c5eb618b9dafab8537d2b42e64237fb68ec37bc12e7818fb06b136617bd70b6dfe6ab9b39e0999268cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1ad97e1f3c9c63fc936a5e8958e32bf4

SHA1
0a1c1549b03395b15fee90bba7ef76c5dee47116

SHA256
d53b0951eaf257538d533a5b33c82ef8294bf8483cd34843b764eb670e76788b

SHA512
44d6ff4caa91afce97232d407f2324333a9a2fbd0528f53c7eafab702539d8702d3dc3e580cf45c31de271de698f3e68ef26328246a47315d411b358d42dd14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\liezv.exe

Filesize
172KB

MD5
2c67d9a37ce0a2e2884e624682cbc8f6

SHA1
bd96fb08347ee09ed9d70bea6d287d7641df1c2c

SHA256
a9648ea1d0f407e480aded5c5b6ed096bd74135a790f55d00eae277cb4eef9a0

SHA512
b7ea002fe2b3af2624a64d733d1d8d024e808e7905e25fdb3794f9f815595cdf6021afab0f2f46cdab273680db285eb307a9041de607fa3268bc60df628a1353

Download Submit
memory/1112-17-0x0000000000C10000-0x0000000000C91000-memory.dmp

Filesize
516KB

Download
memory/1112-19-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/1112-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1112-0-0x00000000013E0000-0x0000000001461000-memory.dmp

Filesize
516KB

Download
memory/1148-42-0x00000000012C0000-0x0000000001359000-memory.dmp

Filesize
612KB

Download
memory/1148-43-0x00000000012C0000-0x0000000001359000-memory.dmp

Filesize
612KB

Download
memory/1148-48-0x00000000012C0000-0x0000000001359000-memory.dmp

Filesize
612KB

Download
memory/1148-49-0x00000000012C0000-0x0000000001359000-memory.dmp

Filesize
612KB

Download
memory/2952-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2952-24-0x00000000013D0000-0x0000000001451000-memory.dmp

Filesize
516KB

Download
memory/2952-20-0x00000000013D0000-0x0000000001451000-memory.dmp

Filesize
516KB

Download
memory/2952-41-0x00000000013D0000-0x0000000001451000-memory.dmp

Filesize
516KB

Download
memory/2952-38-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing