urelas | dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8

General

Target

dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
Size

336KB
MD5

e29710494d400a64651a10de4fd82fe0
SHA1

21dd2c7eee2fb406b1078ee2df2bde1094713022
SHA256

dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8
SHA512

244dd69cb51333474809d322b97e0afb5b90736ada760ecd6fef838eb97c6cabc94dc7d686e4538ba9ba067f33664be95e968dfd3c10a74aae1201debb1cfe66
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYIcKN:vHW138/iXWlK885rKlGSekcj66cil

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
792	vuteb.exe
2240	oncuw.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
792	vuteb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oncuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuteb.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe
2240	oncuw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 792	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	29
PID 3004 wrote to memory of 792	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	29
PID 3004 wrote to memory of 792	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	29
PID 3004 wrote to memory of 792	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	29
PID 3004 wrote to memory of 2332	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	30
PID 3004 wrote to memory of 2332	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	30
PID 3004 wrote to memory of 2332	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	30
PID 3004 wrote to memory of 2332	3004	dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe	30
PID 792 wrote to memory of 2240	792	vuteb.exe	32
PID 792 wrote to memory of 2240	792	vuteb.exe	32
PID 792 wrote to memory of 2240	792	vuteb.exe	32
PID 792 wrote to memory of 2240	792	vuteb.exe	32

C:\Users\Admin\AppData\Local\Temp\dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe
"C:\Users\Admin\AppData\Local\Temp\dbe5cea0d34cfdcad6cdb6f75900bc8e82751b17372d464f5f2ff446b6d245e8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\vuteb.exe
  "C:\Users\Admin\AppData\Local\Temp\vuteb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\oncuw.exe
    "C:\Users\Admin\AppData\Local\Temp\oncuw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
b0827e331ad9f8e0e4413158805e0656

SHA1
24094d926508d9b1ee6f49e448b1162cd5712e02

SHA256
61762aeeba1a0087c515e5edc89f0afa9f77f71843e5ca2d0bea90aa6836979e

SHA512
4776265b3860a07b33b190cff6f1fe945ec03b02a111e6ac648f32fcebfdaf9cdd25cca8c3dedde6af1750022eef9cbe1aa00a8ec06c56b9ea51e5a61d746f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
48a6843edf262c2b4c4b843005a393e0

SHA1
2ac5cbb8247aeb8b55952dd37fb413936853adfd

SHA256
87227f496854687f39791b0d28f7c2e69db1ea2a1aacf84151f66703a07e690a

SHA512
5a60e61298d5715ced816c65df853c51eb0fa09304eed4d9a040b5b19c0440aec19806a896d5909b51c23ba86986c1a666287592f157f4ba719d2d794617a753

Download Submit
C:\Users\Admin\AppData\Local\Temp\vuteb.exe

Filesize
336KB

MD5
e4213a4cd498485e05fa815aed640786

SHA1
b1a76765b813daaecd54abaf19abcd6eb4b98b81

SHA256
9a2457e3548492f5986805ac53d60811bfbf04954349abe0892d018f2642e584

SHA512
25020ce44e0e051df5749a158d9858bf08782d0d248532d74cda00b40f5bca8feaa95b41eacd72064567ad4bafd289420c875a5c5fa7ab60c4830f015f784535

Download Submit
\Users\Admin\AppData\Local\Temp\oncuw.exe

Filesize
172KB

MD5
5b54c856cbd3ad7a63d7803a26ae57cb

SHA1
525bc93dc3c1d516bbfe8facc13929d2a30cb827

SHA256
ad59fcb855c6c3083174760e20ea5d8781d886082aa911c4c1a6617cff72976c

SHA512
918e42cfed6d8a72686e02331e63b4a1e80ef86405a219609b7e2d050cb91d7793c7e99eed1fce5f4ecb10f0f2bc97adeccd0feb7c2039ef83fa6a65cdea3340

Download Submit
\Users\Admin\AppData\Local\Temp\vuteb.exe

Filesize
336KB

MD5
5d65637e4aad213013b45ed85633e787

SHA1
9daa07bbf12d2d89bcf62758fe4fc4f9e226975e

SHA256
b66bddd0eb534c96078bbd88f362a34844a964b5e38997be466d27c9a7ec67c7

SHA512
53cc74a08c76748fad9ac3d3f86273b1053a6cdfbb20187d72aff55db5fad5cb2edf6bda099b00ac3664cc9e7553f14087f54a2823f47691e523fcec1c34034c

Download Submit
memory/792-12-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/792-11-0x0000000001110000-0x0000000001191000-memory.dmp

Filesize
516KB

Download
memory/792-24-0x0000000001110000-0x0000000001191000-memory.dmp

Filesize
516KB

Download
memory/792-41-0x0000000001110000-0x0000000001191000-memory.dmp

Filesize
516KB

Download
memory/792-39-0x00000000037F0000-0x0000000003889000-memory.dmp

Filesize
612KB

Download
memory/2240-42-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2240-43-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2240-48-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/2240-49-0x00000000011D0000-0x0000000001269000-memory.dmp

Filesize
612KB

Download
memory/3004-21-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3004-0-0x0000000000AC0000-0x0000000000B41000-memory.dmp

Filesize
516KB

Download
memory/3004-7-0x0000000002210000-0x0000000002291000-memory.dmp

Filesize
516KB

Download
memory/3004-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing