urelas | 0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3

General

Target

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Size

593KB
MD5

9474fecc38dce4cd41032608f2ceb528
SHA1

8f5ab9143beadf50ac100f9acc972b255f668055
SHA256

0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3
SHA512

db95e17a11b74ee77a8ab15118a39ed677e84d8456c0b2a051592a6428a543ef611abed3c48c975c222332f53b86338080c95b8cec0eca1746cd576dadfdefa6
SSDEEP

6144:CZKHKSIl0SatLPTUrjBpAs/mpYIqaaUN44Iq766ztAkOHn0LHZRF:C4jm0Sat7Az/gZvTIq2WKkw0FT

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2704	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2652	agboy.exe
2000	wicic.exe

Loads dropped DLL 3 IoCs

pid	Process
2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
2652	agboy.exe
2652	agboy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agboy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wicic.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe
2000	wicic.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2652	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2232 wrote to memory of 2652	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2232 wrote to memory of 2652	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2232 wrote to memory of 2652	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	31
PID 2232 wrote to memory of 2704	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2232 wrote to memory of 2704	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2232 wrote to memory of 2704	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2232 wrote to memory of 2704	2232	0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe	32
PID 2652 wrote to memory of 2000	2652	agboy.exe	35
PID 2652 wrote to memory of 2000	2652	agboy.exe	35
PID 2652 wrote to memory of 2000	2652	agboy.exe	35
PID 2652 wrote to memory of 2000	2652	agboy.exe	35

C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe
"C:\Users\Admin\AppData\Local\Temp\0c6c40a2fdb6c1cfbd1affbe96e2db4ee097e24452b4542c7ebcd7cb5df9daa3.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\agboy.exe
  "C:\Users\Admin\AppData\Local\Temp\agboy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\wicic.exe
    "C:\Users\Admin\AppData\Local\Temp\wicic.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b8238cf0c1a9e2cb268143e19df5b714

SHA1
e71395251a8f69a5ce312aa47b2cd4d73576e16f

SHA256
830d361f3d638a7a707d4c3ffdb37cae095102707b4d043f5220a5acae15ba4d

SHA512
d76d26dbf1a107f26adde7f12b8b0a818427ae8fb4bd72f5a9113d3bbb4c26745784dfb8a0a4704f9ff417ea33630d6ae08c88b272a538975baf1147e6132cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\agboy.exe

Filesize
593KB

MD5
adcec109186612ac975a50a67cfc9d86

SHA1
b8519fc69a86b621a1ea9b25329a7087dbeeaba5

SHA256
349eef7cf71cc3d2538629d3b32eac65eca1ecfe9361a4988c1f4e7ebd3df10c

SHA512
13a07b35bdb520dddd9d00d686f803f861cb6fe66146a8eee85191e710981451a3fb078556284bb08f99eecb6c9eaf60c95d92f7ba5f283416a79cb8bf2fbf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
1813211c3f87098edb2403395923273e

SHA1
09fcc143658ed9021d09f673188922502ad86e05

SHA256
b73c73e337942705a708e25226b3e3ae6b92d5220baa8c0119ff96386d6ff173

SHA512
ce08e2b00471f8e53e4dca011ebebb60f0af14db6bbf596f9e2f7f3557ece1fa023769b2c894259040a5eae3cf8736e896600a978ae702a11f895026a312c7a2

Download Submit
\Users\Admin\AppData\Local\Temp\agboy.exe

Filesize
593KB

MD5
73f37a3f8449354a8f9588d6a58345a7

SHA1
5be6d3696b2551f9b58b1d7d925d8cff8a7281eb

SHA256
adf5a511a6a84193aaa252bca2e1283a83bfd6f5777f165f528361be12b71647

SHA512
2980af8e890aeb578bea3e710483a3a768c42933fe81f0b8d3e57635443859632a0518ee4a98fdf2c44e85c839318ec614e22381e9497c4965ca9bf330b24477

Download Submit
\Users\Admin\AppData\Local\Temp\wicic.exe

Filesize
323KB

MD5
3f96034d2780ba1e6a67b61b30e2ab34

SHA1
f139d88c3e2a019138eaf2bf22ba2ce3292b2294

SHA256
77703c2c24b73d2a64d187245bd5c1c4c12bf3f8cb55ad32b5d085fc2677fef0

SHA512
0212865ccbd8898b05691089175ee36dc8c59d7b522410a8fd4f2bc2eead18caa3862b41affc30116e0a87d2dd9a54adced1fd07b09d3c97e7a4023a01f8cfbd

Download Submit
memory/2000-32-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2000-31-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2000-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2000-34-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2000-36-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2232-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2652-29-0x0000000003B80000-0x0000000003C17000-memory.dmp

Filesize
604KB

Download
memory/2652-28-0x0000000003B80000-0x0000000003C17000-memory.dmp

Filesize
604KB

Download

Analysis

Sharing