urelas | 8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e

General

Target

8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
Size

438KB
MD5

1e16dfa3fe9fc1be28d188c1af4f9051
SHA1

16e6279fcdfa6ffc4f064944223944fc6461a099
SHA256

8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e
SHA512

6662d4e5c6fa37c771a69c051ef764ab8eff924ef38e816fcb2af56e38baf52e73054ce0d39ed6b7f5dc309e044a702860993bae17efb9f345678602a1bff49e
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMMq:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
3032	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	mexug.exe
2140	arruj.exe

Loads dropped DLL 2 IoCs

pid	Process
1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
1708	mexug.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arruj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mexug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe
2140	arruj.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1708	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	30
PID 1920 wrote to memory of 1708	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	30
PID 1920 wrote to memory of 1708	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	30
PID 1920 wrote to memory of 1708	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	30
PID 1920 wrote to memory of 3032	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	31
PID 1920 wrote to memory of 3032	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	31
PID 1920 wrote to memory of 3032	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	31
PID 1920 wrote to memory of 3032	1920	8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe	31
PID 1708 wrote to memory of 2140	1708	mexug.exe	34
PID 1708 wrote to memory of 2140	1708	mexug.exe	34
PID 1708 wrote to memory of 2140	1708	mexug.exe	34
PID 1708 wrote to memory of 2140	1708	mexug.exe	34

C:\Users\Admin\AppData\Local\Temp\8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe
"C:\Users\Admin\AppData\Local\Temp\8296029a63d5a0604a24ef16362475f5b67da642c7fd273d57336cbf7cfbfc4e.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\mexug.exe
  "C:\Users\Admin\AppData\Local\Temp\mexug.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\arruj.exe
    "C:\Users\Admin\AppData\Local\Temp\arruj.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
88707e9bd4771b4235df497a8dbd698b

SHA1
48b28b3b7402cd2fdce6fab599b85ba6bdedb3ad

SHA256
64e2a781d7433b7ba1ec8e25b6423cb5ab97c88d630be869d9fae3e7b9eb882a

SHA512
b1451923ed5e0025bce05761465a02252ac6d20c8f408c82fd1640f8e082fa2fee25fbd2c9ea26107d1065dd6fdac0f5968b3318c9727c834475f25548fd5f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
0522d40e5c949b18961dc959fc07430c

SHA1
834a2ad2a5ffde2a4ede9b2841569468efe97eca

SHA256
e0b9f1ed6ea30dcd15829d43f6f1556f5d1a21a56ed89ab7113028f02a3e73e0

SHA512
746f0e833c210afb3dcd4c11ec55df199ced708645b53f9c85229dbe6b7260b2930138b3d78cfb0d83e127189184a7a574cb4a03b3631650dff7424893c712e4

Download Submit
\Users\Admin\AppData\Local\Temp\arruj.exe

Filesize
230KB

MD5
e2bd1c81e5cfa11caed84e9b84294936

SHA1
56403d92bbd6924317ee9a58a8fe519791082a8c

SHA256
04b19abe9c927a32bb5d05e84ebd766dc8e5c583708f5163898eb76974b25ccd

SHA512
fb056dc41f51f4fbad35f40aaaa2c247971b8fc1f243c7d8452113d7a30f91c416c16ce1fcec08786da06586c3471a97ba76c1c7722945b293f39e400c31a5a1

Download Submit
\Users\Admin\AppData\Local\Temp\mexug.exe

Filesize
438KB

MD5
2573bbe5c2a36470e8d082816b7fabfc

SHA1
86d48085a45d075bdf2509428d43935df6feb09c

SHA256
b4eb85fff34c8ce322cd49f41f7717a7cbfe8b8c8cda2af98b02b4ff212550a5

SHA512
effc67e28055cd2386b952dd3c32d9bea0ded03dc74ea9ba2dc939a674f35788774a2ecf6660d5a16ed7b41b92f567aae4fc55d80d1121946551fcd35e0119a0

Download Submit
memory/1708-17-0x0000000000E10000-0x0000000000E7E000-memory.dmp

Filesize
440KB

Download
memory/1708-21-0x0000000000E10000-0x0000000000E7E000-memory.dmp

Filesize
440KB

Download
memory/1708-26-0x0000000003620000-0x00000000036BE000-memory.dmp

Filesize
632KB

Download
memory/1708-29-0x0000000000E10000-0x0000000000E7E000-memory.dmp

Filesize
440KB

Download
memory/1920-18-0x0000000000F10000-0x0000000000F7E000-memory.dmp

Filesize
440KB

Download
memory/1920-0-0x0000000000F10000-0x0000000000F7E000-memory.dmp

Filesize
440KB

Download
memory/1920-16-0x00000000006D0000-0x000000000073E000-memory.dmp

Filesize
440KB

Download
memory/2140-31-0x0000000001230000-0x00000000012CE000-memory.dmp

Filesize
632KB

Download
memory/2140-30-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2140-33-0x0000000001230000-0x00000000012CE000-memory.dmp

Filesize
632KB

Download
memory/2140-34-0x0000000001230000-0x00000000012CE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing