urelas | a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558

General

Target

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Size

271KB
MD5

8dcf36dbac7541e903b39079c481783f
SHA1

4da3e2ba8433500f27405fa79d4c55a7331d4506
SHA256

a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558
SHA512

7ee072cf3b38e8322584516e0909b4cc534f5ab6bcee68c364230b0dd7cbf586c83c319089f393936f5af0860f2e35e3b43f41c6e2709c31228896ab38fc2ec4
SSDEEP

6144:SPdhP7Vq2S8GYlH9LKeu5exdoW7KkYGuH6lY:uhPjSCKeu0oEYGTW

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.30.235

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2848	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	qounp.exe
2132	qavec.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
2792	qounp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qounp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qavec.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe
2132	qavec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2792	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	30
PID 2824 wrote to memory of 2792	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	30
PID 2824 wrote to memory of 2792	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	30
PID 2824 wrote to memory of 2792	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	30
PID 2824 wrote to memory of 2848	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2824 wrote to memory of 2848	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2824 wrote to memory of 2848	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2824 wrote to memory of 2848	2824	a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe	31
PID 2792 wrote to memory of 2132	2792	qounp.exe	33
PID 2792 wrote to memory of 2132	2792	qounp.exe	33
PID 2792 wrote to memory of 2132	2792	qounp.exe	33
PID 2792 wrote to memory of 2132	2792	qounp.exe	33

C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe
"C:\Users\Admin\AppData\Local\Temp\a53e69fb084d3b220c7dd6e903fa48484833f303f4590adbdbc869f25424b558.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\qounp.exe
  "C:\Users\Admin\AppData\Local\Temp\qounp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\qavec.exe
    "C:\Users\Admin\AppData\Local\Temp\qavec.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
708d4cab483a659dedbb37738fb4ea21

SHA1
dba1910f9df879daf0939d0bcf18ff430c8020af

SHA256
a918b58f9417c9b57405dc592be62246050dc940b8ddd8861510844b1f6a3d07

SHA512
6832aba9774eb549d59a9055888d403d1c15a2c9b6ab989f7040bc2e599732fc17f20f9b0481ad91ef612cebf64f45902a8352a4b3a7309bbe9565eac3ce1c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0e26808807d7662c734f745323d418d6

SHA1
027a4e8e4cbeb0c4668c6618f1e8dcc7822bcb13

SHA256
894a1319058fcaad6273b5f91baad01f7e5057d6f8ca94d9e7dc83774f7df91c

SHA512
3a96b0aca263eeea57c91adfa54a9daef082318efae7a64070f10c537ea8f2c59079b8238188c24951ad8a943fc082ec19144f7d253446aa818a749ca36e3e45

Download Submit
\Users\Admin\AppData\Local\Temp\qavec.exe

Filesize
291KB

MD5
484822bdecc227920b356eb898342e6e

SHA1
cc4288a71d65b38beaf83ac42a03499c4499a340

SHA256
1e8a79becb6e15ab406e74473af87719c81656e96df793a62c57f6b466401e39

SHA512
792cbeb2388bfe2c2cf38cb639bc5a6f27c027ce41c2d6af3fe6a8b0442a000fc29b2861dbde8f0a9c0729a902153169755aa39a49cabda3243d3cc5ad518f11

Download Submit
\Users\Admin\AppData\Local\Temp\qounp.exe

Filesize
271KB

MD5
925bea40735793d3769dafcd0c611494

SHA1
be7a9393bad8b2151c52dedc869a478ea047cb36

SHA256
df386c02e02043353cedba46695ae961013e24311ef5f92ee9c9d5a3521bdf30

SHA512
ddd90503ffe372131452a0514e9b8d40575bb64e7c7642479c5ab4d618f97e48c787f46539f7f130d3e5260de0c899062f395aae490d57c299c957662e7889a7

Download Submit
memory/2792-17-0x0000000000010000-0x000000000007E000-memory.dmp

Filesize
440KB

Download
memory/2792-23-0x0000000000010000-0x000000000007E000-memory.dmp

Filesize
440KB

Download
memory/2792-40-0x0000000000010000-0x000000000007E000-memory.dmp

Filesize
440KB

Download
memory/2824-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2824-0-0x0000000000AB0000-0x0000000000B1E000-memory.dmp

Filesize
440KB

Download
memory/2824-9-0x00000000009F0000-0x0000000000A5E000-memory.dmp

Filesize
440KB

Download
memory/2824-20-0x0000000000AB0000-0x0000000000B1E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing