urelas | 44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989

General

Target

44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
Size

338KB
MD5

b3fb6f09ebec35e48c26bf051c0223d0
SHA1

237c8b112c29eca3214ef00b48cb6e2d939a5682
SHA256

44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989
SHA512

f7bcab1432f8367095d9047df0055629233e80b8710c0bc1120535e9d679f46f099c02cfb4877f33fcf062976ff888519388acf8a22c85d53e40b49d8daeee38
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYMOTf:vHW138/iXWlK885rKlGSekcj66cic

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	qucol.exe
2268	ruyjj.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
2488	qucol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ruyjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qucol.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe
2268	ruyjj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2488	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	30
PID 2132 wrote to memory of 2488	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	30
PID 2132 wrote to memory of 2488	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	30
PID 2132 wrote to memory of 2488	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	30
PID 2132 wrote to memory of 1540	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	31
PID 2132 wrote to memory of 1540	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	31
PID 2132 wrote to memory of 1540	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	31
PID 2132 wrote to memory of 1540	2132	44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe	31
PID 2488 wrote to memory of 2268	2488	qucol.exe	34
PID 2488 wrote to memory of 2268	2488	qucol.exe	34
PID 2488 wrote to memory of 2268	2488	qucol.exe	34
PID 2488 wrote to memory of 2268	2488	qucol.exe	34

C:\Users\Admin\AppData\Local\Temp\44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe
"C:\Users\Admin\AppData\Local\Temp\44b26a94ddc2af51829d5b9add83a7235552166e779e0023f191da5d20e4d989N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\qucol.exe
  "C:\Users\Admin\AppData\Local\Temp\qucol.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\ruyjj.exe
    "C:\Users\Admin\AppData\Local\Temp\ruyjj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
f59121540301e5ff5b2eb2b0e4375c42

SHA1
53f84995c3c14a3409c0fddd16679ab31dc8e6f5

SHA256
5c22b6941aa5e2da45e2b1811ff39b085a68329360d53ac5f4d26139dc55f5ff

SHA512
06ba6f358682915293f3426990b7235d64c13d7b8e5424160d573173aec95f016db67fed1bcdcd52f4bb5094822bd5580190dc8c481a7c9fe181c5a4cdfb2bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4266b70e81d3ac917b934212e39693ef

SHA1
6264a0bb80783f3c48e8ffd342f6f0822bbc2735

SHA256
74370d493da650b9926290a980b62056ce3eea52c6ff1a45da65054253d5db0d

SHA512
6c6cda636b01ab75126f9b28d5c69e91e3f655781f694bd5277b15cc78ee8c79c13f1a38676764d53873dd77a18e46217071e10d8c7c989a2dd47fb68e0c0d76

Download Submit
\Users\Admin\AppData\Local\Temp\qucol.exe

Filesize
338KB

MD5
55980bd1ff0f714f0c32f825dac22ab5

SHA1
1b81e312de75d28a2aec1faf7534d0ed494e6873

SHA256
b0d39a3e0047df59c3abd70aea9d851377d039796f918bf9f9569ea5fcde6822

SHA512
647d422f200ccb98858955bf25a4cc97ebf2e241093721d5776e53a2ae12204901de18f5a25f0adb1415cf6b4278ca20fb0c55e07cdc6abb5a3a073367a7b68e

Download Submit
\Users\Admin\AppData\Local\Temp\ruyjj.exe

Filesize
172KB

MD5
afa9db86e97701dcae0d4bd5e9fdf407

SHA1
e18b3c7f0d9bcc6fc1a93f9ddc0cc87a6aff1484

SHA256
ad24019315ea2e8aad738f5082f2e7e2348326928c5b267963b292adc96760fc

SHA512
b499e2a1a5da92ee8a4d90b8c76932ee8c14e11f53d74179f938f0ef6e27af057f783f3fc61440d9f138fea5ab90f8f4b56322194a7e2a800f9e9cb516506474

Download Submit
memory/2132-16-0x0000000002AD0000-0x0000000002B51000-memory.dmp

Filesize
516KB

Download
memory/2132-0-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2132-18-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2132-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2268-42-0x0000000001350000-0x00000000013E9000-memory.dmp

Filesize
612KB

Download
memory/2268-43-0x0000000001350000-0x00000000013E9000-memory.dmp

Filesize
612KB

Download
memory/2268-47-0x0000000001350000-0x00000000013E9000-memory.dmp

Filesize
612KB

Download
memory/2268-48-0x0000000001350000-0x00000000013E9000-memory.dmp

Filesize
612KB

Download
memory/2488-19-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2488-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2488-23-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2488-20-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2488-41-0x00000000012D0000-0x0000000001351000-memory.dmp

Filesize
516KB

Download
memory/2488-39-0x0000000003680000-0x0000000003719000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing