urelas | 580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec

General

Target

580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe
Size

335KB
MD5

306a25f7a1b018a8e5c7d1b25eb747aa
SHA1

b6e1e08204c8a582f115165238c4da65d2c00d41
SHA256

580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec
SHA512

e3f54f453618d86ee36816a6b07b3d5b9ef09c627e87d8f6e7b492eb74369aff4105044cb2df96a6d50ad2e0d17747a8e359843188df288fd841b0f057e309b7
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcz:vHW138/iXWlK885rKlGSekcj66ciE

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	hezyn.exe
1096	ikfya.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe
2576	hezyn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hezyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikfya.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe
1096	ikfya.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2576	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	30
PID 2156 wrote to memory of 2576	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	30
PID 2156 wrote to memory of 2576	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	30
PID 2156 wrote to memory of 2576	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	30
PID 2156 wrote to memory of 2448	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	31
PID 2156 wrote to memory of 2448	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	31
PID 2156 wrote to memory of 2448	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	31
PID 2156 wrote to memory of 2448	2156	580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe	31
PID 2576 wrote to memory of 1096	2576	hezyn.exe	34
PID 2576 wrote to memory of 1096	2576	hezyn.exe	34
PID 2576 wrote to memory of 1096	2576	hezyn.exe	34
PID 2576 wrote to memory of 1096	2576	hezyn.exe	34

C:\Users\Admin\AppData\Local\Temp\580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe
"C:\Users\Admin\AppData\Local\Temp\580e7e7073aaf40b8e8dfca018543e534f44bf9ad3a620a7e727925fc7eb8eec.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\hezyn.exe
  "C:\Users\Admin\AppData\Local\Temp\hezyn.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\ikfya.exe
    "C:\Users\Admin\AppData\Local\Temp\ikfya.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
81fffa0d66564602675b8339fbac145d

SHA1
647854d073091d0b5040f1267b2651f7f1de0e07

SHA256
bd6f62f398f5c2645153ec3d0261892298b7f409022ea39e43d3cb8b93816a93

SHA512
be45562b8d2a69e66a9700dfd377cf878169c820cc9ac67d32a19007a5d7899e42f3cd4d76d2e8cd785afe98fcb2b649f23e131972e539defd35f544112669f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
017c96b21cc977826f3022ebf692e185

SHA1
be4dcec8eb4aa1a04563e59009509048997ef6c7

SHA256
c813e196fad8881fe555cf00fc307ec84e38816b72cf698680a3e764c8fbd4d9

SHA512
86f3156b1aca319e6a9fa7e66da07c47d5e6918eb3f1d3ca4f398f6a1e810601ad0c5f36ec26a633b8227e861592316a78b8a56bf187177aec12ff7dae77ef59

Download Submit
C:\Users\Admin\AppData\Local\Temp\hezyn.exe

Filesize
335KB

MD5
14fd3eb8e8fa6dbc59d6ee9d9b46fbf7

SHA1
8bfce647e61ce3e2cd3446331e63870b720350e8

SHA256
1667e15cbbce6c1807251183fc6baf52ae13fb635096fdddc2da061618b6e7e7

SHA512
e1736c3286245c92c107cf05e2de14f3f8a783d33df6d68cd1d84854720e921d187937f35417f13b571162987d814734ba48922f26c98b24884972026c4015b0

Download Submit
\Users\Admin\AppData\Local\Temp\hezyn.exe

Filesize
335KB

MD5
d915262ab8e9dce472bc085674374839

SHA1
8fb64c25465025521bd36b61832446ae9f15d181

SHA256
67e3730c4a2c5643e0528be2f7e6e5a7d96c82e6c22d7c7772aa79abb611ab20

SHA512
48f2a2fcc341eecc154bae9110baae6c45d4677e27451cc578e63add7b89ab4f54ed8eec4b6ff5935ef75135b18bd3b3ab38aec1852d9511ea8270972baa36ec

Download Submit
\Users\Admin\AppData\Local\Temp\ikfya.exe

Filesize
172KB

MD5
a8d8fa8671b6806e4067929925a41087

SHA1
8562886b0be8cccff2b9c26f4ab0cc3eb792e32d

SHA256
ee1aaa084af244e2c2a1a7b2828bb8b620400cfbaf28a7cf6a8f8eb2ce510024

SHA512
e54aba7b8abfc79b61d4496d65ddc2c66f8a4ca5a8abdf2db547581ab81f073c809472f2a6d19a7642b2f275fff28726495dd08d3e00a91f18a65c34300f8c8b

Download Submit
memory/1096-41-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/1096-42-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/1096-47-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/1096-48-0x0000000000BD0000-0x0000000000C69000-memory.dmp

Filesize
612KB

Download
memory/2156-8-0x0000000000D10000-0x0000000000D91000-memory.dmp

Filesize
516KB

Download
memory/2156-21-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2156-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2156-0-0x00000000010F0000-0x0000000001171000-memory.dmp

Filesize
516KB

Download
memory/2576-18-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/2576-24-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download
memory/2576-19-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2576-39-0x0000000000120000-0x00000000001A1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing