urelas | ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81

General

Target

ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
Size

512KB
MD5

ade6d6f7f467d686639210f197f53340
SHA1

dde698446fb9a96fa5fdd7dd496d2306c2d8c8a0
SHA256

ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81
SHA512

7658ab7f82c6080a3c43d185f84b68142765fa1679cb88c3def0dd8fec1b606f2dbdd263dbff78f48465e852bc22fc896ce9df48de8689e9c70976c12cd311e3
SSDEEP

12288:3o7CGWcQSyYI2VrFKH5RBv9AQ1pEDdKo0:3MUv2LAv9AQ1p4dKV

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
1196	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2884	unzul.exe
3048	rebuc.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
2884	unzul.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unzul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rebuc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe
3048	rebuc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2884	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	31
PID 2464 wrote to memory of 2884	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	31
PID 2464 wrote to memory of 2884	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	31
PID 2464 wrote to memory of 2884	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	31
PID 2464 wrote to memory of 1196	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	32
PID 2464 wrote to memory of 1196	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	32
PID 2464 wrote to memory of 1196	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	32
PID 2464 wrote to memory of 1196	2464	ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe	32
PID 2884 wrote to memory of 3048	2884	unzul.exe	35
PID 2884 wrote to memory of 3048	2884	unzul.exe	35
PID 2884 wrote to memory of 3048	2884	unzul.exe	35
PID 2884 wrote to memory of 3048	2884	unzul.exe	35

C:\Users\Admin\AppData\Local\Temp\ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe
"C:\Users\Admin\AppData\Local\Temp\ece26131038c913431cc219007176d4fe8351fb4c20f78c05e93e4bc71370f81N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\unzul.exe
  "C:\Users\Admin\AppData\Local\Temp\unzul.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\rebuc.exe
    "C:\Users\Admin\AppData\Local\Temp\rebuc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
0ae46872747e9bb1c11a1237b624aac0

SHA1
4516b8b0ce75ea48913a3f113f80b50c47838d2a

SHA256
1114839d3fa80c1e35f79c4b5792ef15cad30f66f27e529516adb55b9b7de7a4

SHA512
055f99365ed6ff2dd3ae98befce7c337a49bb6fab9816099190c72f566d185df6264aebaf704551bebf0066a68c1453ae9f5334173502ad2e7e06c6208f55f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
fa34bbc14bcd3be0af5d913faa6babe0

SHA1
cb3706390dd84c9d1ab97050b6e44a8e9ecd864e

SHA256
680e3dcd97d4310b84d80741202c5688aca03fab60f3300e4b31d7ee58fb090f

SHA512
ae2901859d611ec758b09a2c4ab1449ee06805fcc7e26224c52a9ecdddbc905acda5846481ec53ad0bcca4133c1ce184060d6511c95fb33950377b6fb007859d

Download Submit
\Users\Admin\AppData\Local\Temp\rebuc.exe

Filesize
172KB

MD5
330da4035b3230ace9937997bd9518ec

SHA1
ccf89c53e2cb22d865408d59ae0f1725274c75d9

SHA256
c655f4b72e6dfa0c4beab4b921d92e7f6449d9cdb112aac597454f849c83a15e

SHA512
6a8c743a96f504e813a4e7e0520918ad1614429f0e636e8d31b6748cbf908673a0b222881d5138bbae2e8d9b328782c2ba28a9043d2f6b0b58322f96cda5aa20

Download Submit
\Users\Admin\AppData\Local\Temp\unzul.exe

Filesize
512KB

MD5
5eacfdbd98c88250072c4968b99436ef

SHA1
9e25a7ba706b513047403bf50d6af5d063e452a5

SHA256
341316bd2bd29830886d6a1a4db124b9ecf00dd9f4a42a2d1f7d0bb9e5fb5f00

SHA512
995ab9e001b657b91caeb40b99489ad5e9b535eb5db5c5e54686bdfa57cfa6a69188275c397a9918d0b5f076f784f86588ce89b6cfd3986241f5bca3dec331a9

Download Submit
memory/2464-8-0x00000000024C0000-0x0000000002541000-memory.dmp

Filesize
516KB

Download
memory/2464-18-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/2464-0-0x0000000000D80000-0x0000000000E01000-memory.dmp

Filesize
516KB

Download
memory/2884-21-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2884-16-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2884-30-0x0000000000D50000-0x0000000000DD1000-memory.dmp

Filesize
516KB

Download
memory/2884-27-0x0000000003D80000-0x0000000003E19000-memory.dmp

Filesize
612KB

Download
memory/3048-31-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3048-29-0x0000000000830000-0x00000000008C9000-memory.dmp

Filesize
612KB

Download
memory/3048-32-0x0000000000830000-0x00000000008C9000-memory.dmp

Filesize
612KB

Download
memory/3048-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3048-36-0x0000000000830000-0x00000000008C9000-memory.dmp

Filesize
612KB

Download
memory/3048-38-0x0000000000830000-0x00000000008C9000-memory.dmp

Filesize
612KB

Download

Analysis

Sharing