urelas | a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4

General

Target

a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
Size

336KB
MD5

b45c2b558660b3980a3d28bd0a3e5d3d
SHA1

83c94266393e4acbac9c18e91a650ae358a78f99
SHA256

a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4
SHA512

6f53de692a3fcbaa8146411787f6654f1d6b64ba239f18a6cd1e132a75a3950c64f229dbe8ef7716f002877032de7d903dd84b63bd1ea4bd0e7174420f3b4774
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRQ:vHW138/iXWlK885rKlGSekcj66ci2i

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2340	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2676	fiboe.exe
2456	aswat.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
2676	fiboe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fiboe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aswat.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe
2456	aswat.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2676	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	31
PID 2924 wrote to memory of 2676	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	31
PID 2924 wrote to memory of 2676	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	31
PID 2924 wrote to memory of 2676	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	31
PID 2924 wrote to memory of 2340	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	32
PID 2924 wrote to memory of 2340	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	32
PID 2924 wrote to memory of 2340	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	32
PID 2924 wrote to memory of 2340	2924	a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe	32
PID 2676 wrote to memory of 2456	2676	fiboe.exe	35
PID 2676 wrote to memory of 2456	2676	fiboe.exe	35
PID 2676 wrote to memory of 2456	2676	fiboe.exe	35
PID 2676 wrote to memory of 2456	2676	fiboe.exe	35

C:\Users\Admin\AppData\Local\Temp\a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe
"C:\Users\Admin\AppData\Local\Temp\a5dcef05390011cec11500cf04cf823843f69f7bab0b0124d9ddf021d885daa4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\fiboe.exe
  "C:\Users\Admin\AppData\Local\Temp\fiboe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Users\Admin\AppData\Local\Temp\aswat.exe
    "C:\Users\Admin\AppData\Local\Temp\aswat.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
8e0be38d08ee74b109930690d08106b8

SHA1
329f116d83c325dc6acfa34e63e80c5801821f33

SHA256
c9d35c975cb0708f48ca9a61ed3ac06d4a150ba71127206813d62e18f20a5ef2

SHA512
774d9e0fa5768577a5ed33c607c50786474b794486e5094cac7d53e98014aa9cada813e0ec085d14e333f2acff85c5951d96d044f8551c7e2a17a4bd65b1b091

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
32513c7bcb2724afa15b2d33af52abf2

SHA1
1202ce65bc213978106a4fc143cdba8ff6ba834b

SHA256
d9891f0ff18cbe5767f84639cc17e37d868b34aadfbe8becba8f40fb228c5f38

SHA512
e7c081bf0795ca03c214245d2f85cee11c00eb094efd9cc9bb7b5ac4c4468400b6170ad800aec93e4ba4ab075c68df66e9df882bcea0bf9c7f003ecdb669ca3b

Download Submit
\Users\Admin\AppData\Local\Temp\aswat.exe

Filesize
172KB

MD5
205a8eb0e3050a12a15943ef922de359

SHA1
3f96427cc64fb2200e3fedcf4e18a29a88a287b6

SHA256
648cff1d78fa895d27b1c634526a23102a9a878269575dee5e9e0a8fca56f045

SHA512
06d151b3f7dbee48c76e9a6697dcc208b7f6a7da664263066814be39c089190f9e5aa33e1a3d76d83371e25e488debd697f83e87c473eeb763124b0a02bb6e74

Download Submit
\Users\Admin\AppData\Local\Temp\fiboe.exe

Filesize
336KB

MD5
9894de2d91bf6f9cc59a143c7db47bbc

SHA1
1b1168700d69ef077d4ffe4aa334eb6caef659b5

SHA256
a08295146eb3803895f5e3ac18341d98c63f0873ce16b7b3b2afb521417f9ed9

SHA512
57c8f3164bc1bd0d46721a813f3de061bebd8df0b5a87391d454be9b0b7f2fb3b1153ad21fed30f2fed39e24d91d6ba76bcf019ef7db8f9525e4073fb958ad4e

Download Submit
memory/2456-48-0x00000000009D0000-0x0000000000A69000-memory.dmp

Filesize
612KB

Download
memory/2456-47-0x00000000009D0000-0x0000000000A69000-memory.dmp

Filesize
612KB

Download
memory/2456-42-0x00000000009D0000-0x0000000000A69000-memory.dmp

Filesize
612KB

Download
memory/2456-43-0x00000000009D0000-0x0000000000A69000-memory.dmp

Filesize
612KB

Download
memory/2676-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2676-24-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2676-37-0x0000000000BA0000-0x0000000000C39000-memory.dmp

Filesize
612KB

Download
memory/2676-41-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2676-19-0x0000000000C80000-0x0000000000D01000-memory.dmp

Filesize
516KB

Download
memory/2924-21-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/2924-17-0x00000000024C0000-0x0000000002541000-memory.dmp

Filesize
516KB

Download
memory/2924-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2924-0-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing