urelas | 4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3

General

Target

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
Size

336KB
MD5

362cea37b4515362a69bbdbf1114b700
SHA1

eea2d6bcf28637859873bb040eb63ca183aff830
SHA256

4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3
SHA512

e0a76b767f46ced49414b3ee0d9fb3faa746be5a0133bc06a474d7c5600b769390c1250f2605f514e993794f74ec71a6b7bc9808b48733d116c87576ab4d0ac7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYvRA:vHW138/iXWlK885rKlGSekcj66ci2m

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3052	ofcys.exe
1768	epbii.exe

Loads dropped DLL 2 IoCs

pid	Process
2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
3052	ofcys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofcys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	epbii.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe
1768	epbii.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 3052	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	30
PID 2332 wrote to memory of 3052	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	30
PID 2332 wrote to memory of 3052	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	30
PID 2332 wrote to memory of 3052	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	30
PID 2332 wrote to memory of 2240	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	31
PID 2332 wrote to memory of 2240	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	31
PID 2332 wrote to memory of 2240	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	31
PID 2332 wrote to memory of 2240	2332	4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe	31
PID 3052 wrote to memory of 1768	3052	ofcys.exe	34
PID 3052 wrote to memory of 1768	3052	ofcys.exe	34
PID 3052 wrote to memory of 1768	3052	ofcys.exe	34
PID 3052 wrote to memory of 1768	3052	ofcys.exe	34

C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe
"C:\Users\Admin\AppData\Local\Temp\4882cc66f5fce7bfe19acd1b3c102d2f9e9f1dfa385873ffe87a0289d29876c3N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\ofcys.exe
  "C:\Users\Admin\AppData\Local\Temp\ofcys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\epbii.exe
    "C:\Users\Admin\AppData\Local\Temp\epbii.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b56b74292202dfbed28d849479409787

SHA1
2b691f862fc8cc967d10f737afb5d453b849df61

SHA256
965fca84d4a3d9fa5bbfd6401caea03e625f0c0accb2613ad485bd8226b05138

SHA512
d272b35d23ac3d395c070d6c3589ae41caba9d50b443f8eb37bf44f550c8768cc11870e5df1ae9e867497247dad0367022977a01a847d2c620255ccd6fe647c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0b5f33664612229b892dd47ba232f155

SHA1
92612f13e17bf02b6ac4c159a2592ba330079314

SHA256
dbe5dff2dfecea8f5eb9f869512cc867813650c43e04606d1749690d5284b24f

SHA512
d3e92008b6b7ac3b0c49fbb1d809847413cb03084c451769069d56a725cdfbdbe829dc38a53f7e812c9e77ad88459c211f0e062583b2e0aba84e06617f6c8c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofcys.exe

Filesize
336KB

MD5
23c402825d2fd2b5a115468b7fb4831a

SHA1
7a6fe928e2fac517e394d945f5bc616f950e9ac3

SHA256
8fbf1f94d3dd699ee884a1f2c3db7f1cb43de3eae4b817f0dae7d5634ba3b733

SHA512
2fb2fb93cc79cc04c862b125f3170bfe6a2681d0a503181b190d1cc3e1a5df401e7622e04184d2327abeab03734608451638836a0dc546b04191e8b0df184912

Download Submit
\Users\Admin\AppData\Local\Temp\epbii.exe

Filesize
172KB

MD5
f86fa09fd54d208811c5b99eb3a40c05

SHA1
9e029330fa3d31ddbb7626e2871b62273a3f5c57

SHA256
de09fe0b176e13251384fd52bc1291de943b9fd5b5f26122270435f993a7b124

SHA512
dc7eb8e7bbb447dde2e261afb10fbdd0a68b0690b4343dd0b7165d96f3dc0502142f7987f8f2eae4c457bd575f0b24493efb28ed6361cf75b4ee738fbeb4500a

Download Submit
\Users\Admin\AppData\Local\Temp\ofcys.exe

Filesize
336KB

MD5
c4ac91137709161586b66ff30032c600

SHA1
92f42716d6dcf0caba864d277868d456f7f6fa76

SHA256
40a6798510ededb9023ee1309f2e9dd31003d44da929b14b93fd2f7e5acc82cd

SHA512
4174885279714c4b4d8af921980dab60613ec1761368c820a5fc7d1a28aed4d25000221e8917f2ae598698d045462e8c619e04575a0c04f3476f3701f06a63e3

Download Submit
memory/1768-48-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1768-47-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/1768-43-0x00000000009C0000-0x0000000000A59000-memory.dmp

Filesize
612KB

Download
memory/2332-9-0x0000000002590000-0x0000000002611000-memory.dmp

Filesize
516KB

Download
memory/2332-21-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/2332-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2332-0-0x0000000000FB0000-0x0000000001031000-memory.dmp

Filesize
516KB

Download
memory/3052-24-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3052-17-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3052-37-0x0000000003300000-0x0000000003399000-memory.dmp

Filesize
612KB

Download
memory/3052-41-0x0000000000CD0000-0x0000000000D51000-memory.dmp

Filesize
516KB

Download
memory/3052-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing