urelas | 832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223

General

Target

832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe
Size

334KB
MD5

cfc55c938e4f32fe0f7362217096ace0
SHA1

ad0e85e005c0f9f85a0123d006f2725352460ac5
SHA256

832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223
SHA512

7b1457ec3bdba8e219a700632d15665d37b6c7ff28852b032755a8dbac02aba9026320e429828bfacfddc9c96ddf74be44516f7f4082d0a2f2ff4ef8c2c747e1
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIg:vHW138/iXWlK885rKlGSekcj66ciO

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2300	xeadi.exe
2632	xobun.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe
2300	xeadi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeadi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xobun.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe
2632	xobun.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2300	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	30
PID 2876 wrote to memory of 2300	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	30
PID 2876 wrote to memory of 2300	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	30
PID 2876 wrote to memory of 2300	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	30
PID 2876 wrote to memory of 2744	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	31
PID 2876 wrote to memory of 2744	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	31
PID 2876 wrote to memory of 2744	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	31
PID 2876 wrote to memory of 2744	2876	832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe	31
PID 2300 wrote to memory of 2632	2300	xeadi.exe	34
PID 2300 wrote to memory of 2632	2300	xeadi.exe	34
PID 2300 wrote to memory of 2632	2300	xeadi.exe	34
PID 2300 wrote to memory of 2632	2300	xeadi.exe	34

C:\Users\Admin\AppData\Local\Temp\832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe
"C:\Users\Admin\AppData\Local\Temp\832b6c5c5f428326d0d91bec3665acc9ce2cb3201bcc3bd305e53a9c778ba223N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\xeadi.exe
  "C:\Users\Admin\AppData\Local\Temp\xeadi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\xobun.exe
    "C:\Users\Admin\AppData\Local\Temp\xobun.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
1b58450c497037d1f78422223c116118

SHA1
b6db67d91dd6c69bb454c478544c9cd201f0c2b2

SHA256
3938fe08703c8802dcd11667531cd7204fb994b148eb133336796c014ddfdc22

SHA512
647ce7765460e4ca6558196ab836da8c161f4296c968075237df1cac92c815ce5ccae70b6a2abcf8179514be9b65f08dbc8c0593f5c75c2dbbadb1755e51dc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b8988316012086a6b63186c0506dc535

SHA1
84ff835bf4fe1119eb5f21c29dc59a5a8f46a5b5

SHA256
8b2282b550059b7c92413322931a0bae784cd3f66cf76cb790b6064cc7a186e7

SHA512
e36b35acb164d3e3132f3378bd41cbd7810d8ee6f1c4d55fbf329015ac670142a55e2b209c59bf8bcee54d4416eea40ea7f74d3898c1342295d9f7ded30d9e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeadi.exe

Filesize
334KB

MD5
c22aacb2796c3fbeb660136c1ff8336f

SHA1
5dbd21eb0a32299dff903f240bc52b13481d5ed7

SHA256
d285ae3360cfeb286ecaf13ba1a1b993f16cf53d25d0410946c1dc803c998b23

SHA512
9c1fef698abfdca57ac26b2c77bb4b87910d8a384e1e1ade4a4ee09d370d2df720724fb9e15b3fc858147041b146c1be941ef5e61fe3b5feaf9166c36ebce571

Download Submit
\Users\Admin\AppData\Local\Temp\xobun.exe

Filesize
172KB

MD5
2eaee090e227b1f6d1aa6f2ea81fef3e

SHA1
02c172c2c1373f1fa444f78ec08a463028ed5089

SHA256
9e463d81ea9a2ddc4256fe648ddda8adf64d712fa7c420fb8334d5809fd74d0a

SHA512
30c2d865053e8eabbe95c637691d00042afed663f1d0f0f0b56f4c65a57dc71c1ce646df3c000115f80660ca8bf0ff0f787b2bba3583bdadb0fe70f8e93e26f3

Download Submit
memory/2300-23-0x0000000001340000-0x00000000013C1000-memory.dmp

Filesize
516KB

Download
memory/2300-18-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2300-37-0x00000000037F0000-0x0000000003889000-memory.dmp

Filesize
612KB

Download
memory/2300-40-0x0000000001340000-0x00000000013C1000-memory.dmp

Filesize
516KB

Download
memory/2632-41-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/2632-42-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/2632-46-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/2632-47-0x0000000000E90000-0x0000000000F29000-memory.dmp

Filesize
612KB

Download
memory/2876-20-0x00000000013D0000-0x0000000001451000-memory.dmp

Filesize
516KB

Download
memory/2876-6-0x0000000001340000-0x00000000013C1000-memory.dmp

Filesize
516KB

Download
memory/2876-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-0-0x00000000013D0000-0x0000000001451000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing