urelas | 0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33ace

General

Target

0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
Size

338KB
MD5

005992c96d9b51f1828729a17ef2e0c0
SHA1

f0a210d71d2e2a47c359cea3de32a12c53dd6664
SHA256

0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33ace
SHA512

3ea63ba128a93b3ee21635b41d39a6a4d1c2dbe05dec98fc7d9ca78eccb7478cdc10b35fe75ff0aa658f907719e9d0a10920f68ccfe96a3fb92bae2ea94d383e
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYWc:vHW138/iXWlK885rKlGSekcj66ciI

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2780	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1952	xiudn.exe
2816	kideo.exe

Loads dropped DLL 2 IoCs

pid	Process
2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
1952	xiudn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kideo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xiudn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe
2816	kideo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1952	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	30
PID 2132 wrote to memory of 1952	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	30
PID 2132 wrote to memory of 1952	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	30
PID 2132 wrote to memory of 1952	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	30
PID 2132 wrote to memory of 2780	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	31
PID 2132 wrote to memory of 2780	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	31
PID 2132 wrote to memory of 2780	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	31
PID 2132 wrote to memory of 2780	2132	0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe	31
PID 1952 wrote to memory of 2816	1952	xiudn.exe	34
PID 1952 wrote to memory of 2816	1952	xiudn.exe	34
PID 1952 wrote to memory of 2816	1952	xiudn.exe	34
PID 1952 wrote to memory of 2816	1952	xiudn.exe	34

C:\Users\Admin\AppData\Local\Temp\0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe
"C:\Users\Admin\AppData\Local\Temp\0a6025c6ee769270e5acd4b126a6df9231a9009771c6a744fc8993a2aac33aceN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\xiudn.exe
  "C:\Users\Admin\AppData\Local\Temp\xiudn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\kideo.exe
    "C:\Users\Admin\AppData\Local\Temp\kideo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
4d9750146edf68417bfe9c954937c325

SHA1
3c2fdf25a8ff9f714b78dd80b7650046bf2acbde

SHA256
8a9a3dd4b2724cd5a3b408cd6fcef8af8c8b9c7c3748fa505da581401d78dd27

SHA512
06ffa691dd7728df4fdf84a540bf528e693c4262a29469c989402bab7bcb2db4531b7444b9f79f6d7dc114d922233665f89062d889eaaa71a321330eede6010a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
33febb5fec70433f46be687cb3b2f0f4

SHA1
353d3950ba35404e9763fa0182f3600a05c5cebc

SHA256
821c89329bad89bf102b4e38ac201ee660ea93fd6060824a097adcdb92778db0

SHA512
dff379f2ce869dc8f194f362bce8b5335a91a046827bf25d81fe16270fe7331542a77f6936d2fd67209b97a37bbdd059d7a1351dffb7efd5b5cae03c7f0d8377

Download Submit
\Users\Admin\AppData\Local\Temp\kideo.exe

Filesize
172KB

MD5
6c592b7ae54f347d64b02df858fe4321

SHA1
c276501508dab962029973e39bf04806558dc838

SHA256
d6afc9ff40ad445145962803e652fdcccab5017ef5c2a9598031e31524b8a44f

SHA512
a163fc60b2a68b06975b6e1685e6cf12abbad495f3b329de2956ab03519642c82e4158803ad2ff3de927ccdabdf49e338005d3ee2dbc2790b69a23735bb6e4d5

Download Submit
\Users\Admin\AppData\Local\Temp\xiudn.exe

Filesize
338KB

MD5
f8d2bfabc94ef8c050b55b2c53bfa481

SHA1
f0dc9c1245c34770b8fb87fb3c0685a3c5614bb2

SHA256
b650dc61a421a05d852c3e74af37e46fbe7761349fbbf2433cc51c53f061e772

SHA512
911939bc48ef99d2b6d1df44f1c164d82c13fa504a71bc2d1f5412164d64bdbb16675a76134bf2c02966727bdeb0f1930b90cf8b4c172ae537b9087a5aa61a01

Download Submit
memory/1952-17-0x0000000001350000-0x00000000013D1000-memory.dmp

Filesize
516KB

Download
memory/1952-24-0x0000000001350000-0x00000000013D1000-memory.dmp

Filesize
516KB

Download
memory/1952-42-0x0000000001350000-0x00000000013D1000-memory.dmp

Filesize
516KB

Download
memory/1952-40-0x0000000003CE0000-0x0000000003D79000-memory.dmp

Filesize
612KB

Download
memory/1952-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1952-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2132-0-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2132-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2132-21-0x0000000001200000-0x0000000001281000-memory.dmp

Filesize
516KB

Download
memory/2132-9-0x0000000001160000-0x00000000011E1000-memory.dmp

Filesize
516KB

Download
memory/2816-43-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/2816-44-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/2816-48-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download
memory/2816-49-0x0000000000DF0000-0x0000000000E89000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing