urelas | 3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2

General

Target

3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
Size

336KB
MD5

a1246170ccb42139318a969ff4076a48
SHA1

3d745e381c7bcec28799299b36c0350468e67916
SHA256

3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2
SHA512

8fdc34d068efc06cab9653b9d7df49ad60d2980acc1731b4b9ddefb1f84da9971657c7d3bc5509d9dbf6ee3b0185c838115c11247caa4cbedb68efa75ed461ee
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKofw:vHW138/iXWlK885rKlGSekcj66ciN

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
328	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1704	azucs.exe
1912	ujjeu.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
1704	azucs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azucs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujjeu.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe
1912	ujjeu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1704	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	30
PID 2520 wrote to memory of 1704	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	30
PID 2520 wrote to memory of 1704	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	30
PID 2520 wrote to memory of 1704	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	30
PID 2520 wrote to memory of 328	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	31
PID 2520 wrote to memory of 328	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	31
PID 2520 wrote to memory of 328	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	31
PID 2520 wrote to memory of 328	2520	3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe	31
PID 1704 wrote to memory of 1912	1704	azucs.exe	34
PID 1704 wrote to memory of 1912	1704	azucs.exe	34
PID 1704 wrote to memory of 1912	1704	azucs.exe	34
PID 1704 wrote to memory of 1912	1704	azucs.exe	34

C:\Users\Admin\AppData\Local\Temp\3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe
"C:\Users\Admin\AppData\Local\Temp\3bf856787265c276f1b387260490a624c695a89acd8ad13224921c74b35ca6e2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\azucs.exe
  "C:\Users\Admin\AppData\Local\Temp\azucs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\ujjeu.exe
    "C:\Users\Admin\AppData\Local\Temp\ujjeu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c6ffa1886e4fb80512dc295bd920ecbc

SHA1
934851d66d387eb58a4f03b5e4d37d5863a4b4f5

SHA256
a1b5496d280a7d1de2c1eeccd0050e77ebaca75afc0977f3ccee9d743e36a8fc

SHA512
720a8d3997d192d0809852dfb7f99e17945cf58384d50b668a666dc094f5a7d6829ba9d90571198b4b5e9025f82c8bac7a6bca604cfa8c2c5a7aed2395b14a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
cc16a3f4452183b9ebbed134c816bdd3

SHA1
788bb12871346ecea14d51faea8bf9fea3fa3790

SHA256
37a8394a71ee574473e387dcc0d35f0ed36fea9f7d4906710df174498df92da0

SHA512
52b7d223434e58c5e435a5bc2547b884939985c3cd4ce84859a1f788d235c68c64248f6a5cb04deb00c54ec5b0489394fcfb49594a93b3ac274925dd8193cc58

Download Submit
\Users\Admin\AppData\Local\Temp\azucs.exe

Filesize
336KB

MD5
6284ce9f5ae2be93f0eb860c566ef68f

SHA1
294698159e1609f92db75ad17cbc95b45a217b49

SHA256
06f2b7aa0ada20dcc664317ad788db0a0a280235948e0122b52fb4bb53cb3311

SHA512
55f900dc7622799632cc215ee01f4a890a955c1db93c340928702ce818e21357fc22264654256840b291aa715292dd84ad6f0fc26c0b4b1950edcbcbd63b0957

Download Submit
\Users\Admin\AppData\Local\Temp\ujjeu.exe

Filesize
172KB

MD5
e7d644ed1bd94ce01296eec8bc27c94f

SHA1
a5f16bfaafaf9c39e851e870ba43ec0a65e0169c

SHA256
acedb560754410e2e15c85227eed32f97a6a0030433a1b51d0650f45cafbede0

SHA512
71dd66782779b0cc5e2a4b6d8e8d9b2823e7ae4e460ee5d8f7d155efad40e1348c9882c13afb5b538c2bb8cdea0ec8b13275ce8acf5acce7298e4b09427f389f

Download Submit
memory/1704-24-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/1704-39-0x0000000000EB0000-0x0000000000F49000-memory.dmp

Filesize
612KB

Download
memory/1704-20-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/1704-42-0x00000000010E0000-0x0000000001161000-memory.dmp

Filesize
516KB

Download
memory/1704-21-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1704-25-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1912-46-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/1912-43-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/1912-48-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/1912-49-0x0000000000D00000-0x0000000000D99000-memory.dmp

Filesize
612KB

Download
memory/2520-0-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download
memory/2520-17-0x0000000002780000-0x0000000002801000-memory.dmp

Filesize
516KB

Download
memory/2520-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2520-19-0x0000000000D60000-0x0000000000DE1000-memory.dmp

Filesize
516KB

Download

Analysis

Sharing