urelas | 847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8d

General

Target

847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
Size

335KB
MD5

a22fbfce60dfe222e0b61763b913d860
SHA1

d19007a17a6a53bdd96a70a6172f25a0e2009595
SHA256

847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8d
SHA512

b642e2885b8dfca1bdbdd81dbc402e3aa20950c22ca1de9bf3905784877128a33cdb3948d8ce328c65bfab74961006ab073f2de65309a8cfa3141c27e5fb9953
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIo:vHW138/iXWlK885rKlGSekcj66cii

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	wosik.exe
2804	dabyo.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
2564	wosik.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wosik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dabyo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe
2804	dabyo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2564	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	30
PID 2672 wrote to memory of 2564	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	30
PID 2672 wrote to memory of 2564	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	30
PID 2672 wrote to memory of 2564	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	30
PID 2672 wrote to memory of 3068	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	31
PID 2672 wrote to memory of 3068	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	31
PID 2672 wrote to memory of 3068	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	31
PID 2672 wrote to memory of 3068	2672	847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe	31
PID 2564 wrote to memory of 2804	2564	wosik.exe	34
PID 2564 wrote to memory of 2804	2564	wosik.exe	34
PID 2564 wrote to memory of 2804	2564	wosik.exe	34
PID 2564 wrote to memory of 2804	2564	wosik.exe	34

C:\Users\Admin\AppData\Local\Temp\847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe
"C:\Users\Admin\AppData\Local\Temp\847061db7914b63a72f8ac0b3bbb0726e2e35cdd97ffc9c12158e585a2f83b8dN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\wosik.exe
  "C:\Users\Admin\AppData\Local\Temp\wosik.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\dabyo.exe
    "C:\Users\Admin\AppData\Local\Temp\dabyo.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
d3e628636d94363250cfdd3c2e1dfa2f

SHA1
c5628eb2dfd37c4860f1f4b391e98acbe64e203e

SHA256
614408851b02ce04b30b00b36902f756c4197503dbf857bfef18affc34d04698

SHA512
78d7d27021a271a7c33a6837ad3f333511341295b9e1730943d7550aa8cd410dcfddec872f5a954b7e058df8ceaabdd73587728bad2eebe7cf19fd555dc51670

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2715e7fe625e1149250e169c927cd36c

SHA1
d365a4bdf6f823ab58bc9a3db5f328fa923cad1d

SHA256
cd775576389fcc3609541bb7b975b465b8ce51ab2dbbaaa0104ef38ca1cd6a0a

SHA512
c79a13d5f329b660221ec61bcb82a31bd4bbdf36fc78b2bc8002a3974cd50f7bbc64de29fb169cd0b959b2a8adc3a9f92e1f208dac375f201d321349cf2ffdc6

Download Submit
\Users\Admin\AppData\Local\Temp\dabyo.exe

Filesize
172KB

MD5
272c70bff90e7f792dc07f8f165ababb

SHA1
6811bed4f94546229f803c6cb6c01cf5efd2fa5c

SHA256
fc5b068398c13bc8f2a6a45bfedf371c1666405fa180b1f04118e76cf755432b

SHA512
fdcc95c7faa43d949ba36b11fb9839fbbd992752f64b039c3e35118f40f9e7fb000395a3a3168cc1372ddd37a51382705c455ea1dcfa2571849d78af2eb0513f

Download Submit
\Users\Admin\AppData\Local\Temp\wosik.exe

Filesize
335KB

MD5
7641fe33a343b7bf8bfc85a233c1b1e4

SHA1
902b3c51be672e25d070e1b4994286bace37f176

SHA256
a7478843d4ea175b59a8db503e7df61d9e5ade86b21fdce7befd8b3a03506062

SHA512
2b03420433df064a9583a9ef40fdbe11678df09e18b6f0face50ae718e6813da7a35f484023e099d11ed4f3b00add7978018808f9e0e265fc22415280957f72d

Download Submit
memory/2564-11-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/2564-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2564-24-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/2564-37-0x0000000003290000-0x0000000003329000-memory.dmp

Filesize
612KB

Download
memory/2564-41-0x0000000000E70000-0x0000000000EF1000-memory.dmp

Filesize
516KB

Download
memory/2672-9-0x00000000025B0000-0x0000000002631000-memory.dmp

Filesize
516KB

Download
memory/2672-0-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/2672-21-0x0000000000E50000-0x0000000000ED1000-memory.dmp

Filesize
516KB

Download
memory/2672-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-43-0x0000000000D90000-0x0000000000E29000-memory.dmp

Filesize
612KB

Download
memory/2804-42-0x0000000000D90000-0x0000000000E29000-memory.dmp

Filesize
612KB

Download
memory/2804-47-0x0000000000D90000-0x0000000000E29000-memory.dmp

Filesize
612KB

Download
memory/2804-48-0x0000000000D90000-0x0000000000E29000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing