urelas | 867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475

General

Target

867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
Size

334KB
MD5

df6e60a4cbcb0faa1896dafa79456ec4
SHA1

0ce30fa510455d1760194695c392da1fc98b1bf7
SHA256

867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475
SHA512

d95c746b28cefa538321e321d032a365cc85f9281b89a60c32a9512087cfc87db939373d9477118f1e943b34eda8a0b6df8e8241522904e5913b8b9c235b03d2
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYm:vHW138/iXWlK885rKlGSekcj66ciz

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1100	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2068	eltun.exe
2988	ylkos.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
2068	eltun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eltun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ylkos.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe
2988	ylkos.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2068	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	30
PID 2296 wrote to memory of 2068	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	30
PID 2296 wrote to memory of 2068	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	30
PID 2296 wrote to memory of 2068	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	30
PID 2296 wrote to memory of 1100	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	31
PID 2296 wrote to memory of 1100	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	31
PID 2296 wrote to memory of 1100	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	31
PID 2296 wrote to memory of 1100	2296	867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe	31
PID 2068 wrote to memory of 2988	2068	eltun.exe	34
PID 2068 wrote to memory of 2988	2068	eltun.exe	34
PID 2068 wrote to memory of 2988	2068	eltun.exe	34
PID 2068 wrote to memory of 2988	2068	eltun.exe	34

C:\Users\Admin\AppData\Local\Temp\867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe
"C:\Users\Admin\AppData\Local\Temp\867bc8dab98e5bcff1eb1efc0f2607b716bc6c50c164ff60f9aa0b62dd13a475.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\eltun.exe
  "C:\Users\Admin\AppData\Local\Temp\eltun.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\ylkos.exe
    "C:\Users\Admin\AppData\Local\Temp\ylkos.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
6649b6d4d8755191c1f70e65c96ac4ac

SHA1
6d86a5bae8d4343cf2130840adcd9ebdd2ddfa75

SHA256
e866af4db3ac056f2dda0cdd0f88a52449c8a154570d685ea6e8e7a8db068ad5

SHA512
88def5293ba16105fd6c273d0c330d095152d1d0d5021a5755165347e91d424e7215b323382c5d5e8cec37571a2f6304fd9e69f8b7968b9278e6b8f2cdd43681

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
24206c5dbb065e02b23cb0350fb8a9ee

SHA1
ed5ded80bd0679a811b7c4d7d76a8842cb206d08

SHA256
b7863ebd4a8a53735dee09e28c3dde230507d5df9cf68dfa48d42aecddd10c18

SHA512
6fad0a86b9f3a2b363d0dcaab2b3cf6a0b1c7ead9e40efebf60940185f6240c76a8c059de06ef9a2ceb75d771c2320151ff76fcc2104fc971114821ceac3ece6

Download Submit
\Users\Admin\AppData\Local\Temp\eltun.exe

Filesize
334KB

MD5
56b2b7fceab04ca0b03f37320b772d1b

SHA1
d07e68fa613eaa6046035039ac9da06c1ec3ef49

SHA256
f2a2697480f3aa5115ffe920a830455033be68b18d5b687ccee204ac012c3675

SHA512
10cca12f7f4595b6edfedb8b202e8e2c28c48b208e99af0eac26a1d8d028f4e31ec017925e2055f6803070b38d09f52a83f293901541b67f8401c8ad36c2bab7

Download Submit
\Users\Admin\AppData\Local\Temp\ylkos.exe

Filesize
172KB

MD5
9984362df70bdeef974e66d0642b76bf

SHA1
0f566cefc4a3615d8f2d0a8a7d995813a55f8e55

SHA256
fca815b4ece0a08fcf2a9032318c4b6adfacbbc5828866ea5769bb162c4694b8

SHA512
02222bbef45ad1873eeca9e3be6bea37bd1365eec8a25f1646b06436b443a280a00f70a24182a3a5807f49463f1a333e7f8beddb0c3cd9eae0341c223abee892

Download Submit
memory/2068-17-0x00000000012E0000-0x0000000001361000-memory.dmp

Filesize
516KB

Download
memory/2068-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2068-24-0x00000000012E0000-0x0000000001361000-memory.dmp

Filesize
516KB

Download
memory/2068-39-0x0000000003CE0000-0x0000000003D79000-memory.dmp

Filesize
612KB

Download
memory/2068-41-0x00000000012E0000-0x0000000001361000-memory.dmp

Filesize
516KB

Download
memory/2296-0-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/2296-9-0x0000000000D70000-0x0000000000DF1000-memory.dmp

Filesize
516KB

Download
memory/2296-21-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/2296-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2988-42-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2988-45-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2988-47-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download
memory/2988-48-0x00000000001E0000-0x0000000000279000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing