urelas | a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23

General

Target

a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
Size

335KB
MD5

6b666dfa833ec6d0c62fb67a7ae87418
SHA1

e77f30d849a146b729de8854af4585a39367d7e7
SHA256

a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23
SHA512

c24e16a81378194d8c2369019b40d2da28ed72bb58e4cd39e990f4fbc22ab8bb87d3e4372567874d815490043c594c956e3cc2921d987d567bf1b6836ebd844f
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66cip

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1796	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2500	zuguf.exe
2316	sagyv.exe

Loads dropped DLL 2 IoCs

pid	Process
796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
2500	zuguf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zuguf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sagyv.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe
2316	sagyv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2500	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	31
PID 796 wrote to memory of 2500	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	31
PID 796 wrote to memory of 2500	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	31
PID 796 wrote to memory of 2500	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	31
PID 796 wrote to memory of 1796	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	32
PID 796 wrote to memory of 1796	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	32
PID 796 wrote to memory of 1796	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	32
PID 796 wrote to memory of 1796	796	a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe	32
PID 2500 wrote to memory of 2316	2500	zuguf.exe	35
PID 2500 wrote to memory of 2316	2500	zuguf.exe	35
PID 2500 wrote to memory of 2316	2500	zuguf.exe	35
PID 2500 wrote to memory of 2316	2500	zuguf.exe	35

C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe
"C:\Users\Admin\AppData\Local\Temp\a17ca6775c94fe3d03ed353614f126697cbda28a1b0e3ee349e5463f3b940e23.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\zuguf.exe
  "C:\Users\Admin\AppData\Local\Temp\zuguf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Users\Admin\AppData\Local\Temp\sagyv.exe
    "C:\Users\Admin\AppData\Local\Temp\sagyv.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
685536c0e1272446d2a40581313063da

SHA1
7ad7c85993b9969bb5262960be99ac1b5b35eaa7

SHA256
05edf07daa1cb8ad2f4362f1240218f1759dcc2ff1e8f843d751c46aaf385636

SHA512
6e584327e2aa9d1f6395b015e348f3b97dff9e617a22bcae11be4866b481d9ce32d8adc9306d1529341e631f161e48109ca5569882b4fb82bb5e80ef09dc629c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d4af985dd74f9fa582e8bac8ebf18163

SHA1
9ac73f3819fd221c4bb402363aa11220c42c5da7

SHA256
d202d1e8aba0446aa92bdb16f4cda7f2c5235263cf9efb25fd14106dc256cbf8

SHA512
75303672e9fa7ffe48028ddb29ded45c2f87c9829e057b0cdd0f2e54707f5bf3469f49f739bfefabb4084f0e5ca8f98ad523775345001ea890cc387866508995

Download Submit
C:\Users\Admin\AppData\Local\Temp\sagyv.exe

Filesize
172KB

MD5
b5e1eaeca07113d184f03fd1d94f07b7

SHA1
0024aae5be7bae2cf7694d585726991d09a8e2d0

SHA256
ec6215b004c13a498025dab5d2288ea1df518e0d6085f3be6044f0651d21799d

SHA512
210fade9e53eafa05df8ea6c2f450357277d3cbcf4005ed3689ccf6befcd60b8968fd05ba57ffac01e30d8bedf96f15c602b42a8d436b8b6c9d772b960121984

Download Submit
\Users\Admin\AppData\Local\Temp\zuguf.exe

Filesize
335KB

MD5
0148a93e589389894b6d859d614d8912

SHA1
ec8699cf63411054747f5afe41494c0c6bbacf87

SHA256
b23b229a3cf8b01cd09f16ed51930462ec3873d1f7842dac172a60ee44283c0e

SHA512
d649da7d5a6b511b03d2b4eb9a159ee7d2a2f24762cdadd7d1b506773f3903a36e8e6715305f4c1e8afd2ba7d784b02457c234967cc08ccde75fb58e72fe5673

Download Submit
memory/796-0-0x0000000000890000-0x0000000000911000-memory.dmp

Filesize
516KB

Download
memory/796-8-0x0000000000500000-0x0000000000581000-memory.dmp

Filesize
516KB

Download
memory/796-20-0x0000000000890000-0x0000000000911000-memory.dmp

Filesize
516KB

Download
memory/796-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2316-48-0x0000000000390000-0x0000000000429000-memory.dmp

Filesize
612KB

Download
memory/2316-47-0x0000000000390000-0x0000000000429000-memory.dmp

Filesize
612KB

Download
memory/2316-43-0x0000000000390000-0x0000000000429000-memory.dmp

Filesize
612KB

Download
memory/2316-42-0x0000000000390000-0x0000000000429000-memory.dmp

Filesize
612KB

Download
memory/2500-23-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2500-41-0x0000000000BF0000-0x0000000000C71000-memory.dmp

Filesize
516KB

Download
memory/2500-37-0x0000000003BD0000-0x0000000003C69000-memory.dmp

Filesize
612KB

Download
memory/2500-24-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2500-11-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing