urelas | b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9b

General

Target

b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe
Size

438KB
MD5

907a7c014075a0d066ad206782bbf680
SHA1

41abe41ffd64ae14464e644b0bffa377307cea9d
SHA256

b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9b
SHA512

3792bff1b27cf0a42263b9bf5d82f94f3d5e1bf91f130e459751caeedd692635c06c01f5c067e1ebdb851e368be1b1247d040a3aa57ed9fb228a65d6d40e75fe
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMMe:rKf1PyKa2H3hOHOHz9JQ6zBk

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2472	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2544	giebk.exe
860	buqiu.exe

Loads dropped DLL 2 IoCs

pid	Process
592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe
2544	giebk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giebk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buqiu.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe
860	buqiu.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2544	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	30
PID 592 wrote to memory of 2544	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	30
PID 592 wrote to memory of 2544	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	30
PID 592 wrote to memory of 2544	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	30
PID 592 wrote to memory of 2472	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	31
PID 592 wrote to memory of 2472	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	31
PID 592 wrote to memory of 2472	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	31
PID 592 wrote to memory of 2472	592	b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe	31
PID 2544 wrote to memory of 860	2544	giebk.exe	34
PID 2544 wrote to memory of 860	2544	giebk.exe	34
PID 2544 wrote to memory of 860	2544	giebk.exe	34
PID 2544 wrote to memory of 860	2544	giebk.exe	34

C:\Users\Admin\AppData\Local\Temp\b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe
"C:\Users\Admin\AppData\Local\Temp\b5739f9f77f4d441e2cafae7e5dba625a8e1af05fc4fe99d0e389e3d54031a9bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Local\Temp\giebk.exe
  "C:\Users\Admin\AppData\Local\Temp\giebk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\buqiu.exe
    "C:\Users\Admin\AppData\Local\Temp\buqiu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
8d19743c5c829c96894f6a2dcea73b9e

SHA1
90faceb862f13970e82d9ee0097b47f98083c673

SHA256
4bf053f657a9b4f3661892f31a096764e07d7b4348edfe15a6f7f699adc9e939

SHA512
77bf7c294aa2bc6826cf4fa852e66d967e04cf5af547f98f9a76ef756471a0a1cfaffe95b0a91ab65313c1dc657e53add1a54f9868f0e9648d605aff6f2e54ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2b862832377a71fe15eeccaa13d2827a

SHA1
414a2ab46f86a2a7e5eb5baeaf98431399bbb960

SHA256
d742f6880830c58a9c85a03dc5dc6407128de1e2d23d1a8df5e3d72619e91c29

SHA512
004b6f0ccb285c884a42309397bdc237dad4f0ab2741334b64136aba7669d0c13111a3c6a5d341153f2e5fc9f6f79dc9596904f4c13308724db9a985afd4549f

Download Submit
\Users\Admin\AppData\Local\Temp\buqiu.exe

Filesize
230KB

MD5
fc3764cf1df65f858401f03525ca0c66

SHA1
fae5e5f219303523007844f2d1500b6e625062dc

SHA256
4a4203b0ca2938b4d18337d6f177ce80a7b3921c26a76068668ca58146dc904e

SHA512
353ba8119ba0a65794a5fcde3b7c5600a0db0707ed03fbc9ba2a05acee64bb26228e1b66c6bf3000fc91fdacbb53233bf69c5462e95a663aba415f35da4a456b

Download Submit
\Users\Admin\AppData\Local\Temp\giebk.exe

Filesize
438KB

MD5
4385d51fb44a4f139e06528f94441131

SHA1
32ba468a859a3515853eeecfc429c652dbd9fea9

SHA256
614191ea1b17b4ee4afacaf412ad65b6010b913ed56f800cb0cb60c8c3476b2a

SHA512
0b9375942b8f96a64c2d6e0946947969bd39f2625aae7a4b7ea27231351d8a7e091841b35a196afe9b591ebab1a774bd7ca0a04760d10fc6a954280961118ecb

Download Submit
memory/592-0-0x0000000000CC0000-0x0000000000D2E000-memory.dmp

Filesize
440KB

Download
memory/592-8-0x0000000000B80000-0x0000000000BEE000-memory.dmp

Filesize
440KB

Download
memory/592-18-0x0000000000CC0000-0x0000000000D2E000-memory.dmp

Filesize
440KB

Download
memory/860-31-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/860-30-0x0000000000F30000-0x0000000000FCE000-memory.dmp

Filesize
632KB

Download
memory/860-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/860-33-0x0000000000F30000-0x0000000000FCE000-memory.dmp

Filesize
632KB

Download
memory/860-35-0x0000000000F30000-0x0000000000FCE000-memory.dmp

Filesize
632KB

Download
memory/2544-21-0x0000000000EC0000-0x0000000000F2E000-memory.dmp

Filesize
440KB

Download
memory/2544-27-0x00000000031F0000-0x000000000328E000-memory.dmp

Filesize
632KB

Download
memory/2544-29-0x0000000000EC0000-0x0000000000F2E000-memory.dmp

Filesize
440KB

Download
memory/2544-16-0x0000000000EC0000-0x0000000000F2E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing